5

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2023-26364

GHSA ID

GHSA-hpx4-r86g-5jrg

EPSS Score

0.26859%

CWE

CWE-20

Published

8/29/2023

Updated

11/17/2023

KEV Status

Technology

JavaScript

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-26364

CVE-2023-26364: @adobe/css-tools Regular Expression Denial of Service (ReDOS) while Parsing CSS

Impact

@adobe/css-tools version 4.3.0 and earlier are affected by an Improper Input Validation vulnerability that could result in a denial of service while attempting to parse CSS.

Patches

The issue has been resolved in 4.3.1.

Workarounds

None

References

N/A

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2023-26364

CVE-2023-26364:

5

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2023-26364

GHSA ID

GHSA-hpx4-r86g-5jrg

EPSS Score

0.26859%

CWE

CWE-20

Published

8/29/2023

Updated

11/17/2023

KEV Status

Technology

JavaScript

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
@adobe/css-tools	npm	< 4.3.1	4.3.1

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The commit diff shows critical regex modifications in two areas: 1) The @import rule regex was changed from '(:?...)' to '(?:...)' with termination anchors, addressing backtracking. 2) The comment regex was simplified from a complex nested pattern to a non-backtracking '[^]*?' match. The added test case demonstrates exploitation via @import with repeated quote patterns, confirming these were the vulnerable code paths. Both regex patterns exhibited exponential time complexity characteristics typical of ReDOS vulnerabilities.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

5

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2023-26364: @adobe/css-tools Regular Expression Denial of Service (ReDOS) while Parsing CSS

Impact

Patches

Workarounds

References

CVE-2023-26364:

5

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

CVE-2023-26364: @adobe/css-tools Regular Expression Denial of Service (ReDOS) while Parsing CSS

Impact

Patches

Workarounds

References

Technical Details

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

5

5

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI