
CVE-2023-26364: @adobe/css-tools Regular Expression Denial of Service (ReDOS) while Parsing CSS

CVSS Score: 5 (CVSS 3.1)

Basic Information

- EPSS Score: 0.26859%
- Published: 8/29/2023
- Updated: 11/17/2023
- KEV Status: No
- Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
| --- | --- | --- | --- |
| @adobe/css-tools | npm | < 4.3.1 | 4.3.1 |

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The commit diff shows critical regex modifications in two areas. First, the @import rule regex was changed from '(:?...)' (which in JavaScript is a capturing group starting with an optional colon, not the intended non-capturing group) to '(?:...)' with termination anchors, removing the ambiguity that allowed backtracking. Second, the comment regex was simplified from a complex nested pattern to a non-backtracking lazy '[^]*?' match. The added test case demonstrates exploitation via @import with repeated quote patterns, confirming these were the vulnerable code paths. Both regex patterns exhibited the exponential time complexity characteristic of ReDoS vulnerabilities.
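Since the fix is a version bump rather than a configuration change, the practical defender step is to find every copy of @adobe/css-tools in a lockfile, including transitive ones, that falls inside the affected range "< 4.3.1" from the table above. The following is an added example, not code from Miggo or from the @adobe/css-tools project; the lockfile contents and the dependency name "some-ui-lib" are constructed.

```javascript
// Added example, not code from Miggo or @adobe/css-tools: audit a
// package-lock.json (v2/v3 "packages" map) for @adobe/css-tools copies
// inside the advisory's affected range "< 4.3.1".
const AFFECTED = { name: '@adobe/css-tools', fixed: '4.3.1' };

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into comparable parts.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Comparator (<0, 0, >0). A prerelease sorts before its release, so
// 4.3.1-rc.1 is still "< 4.3.1" and must be flagged.
function compareSemver(a, b) {
  const x = parseSemver(a), y = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (x.core[i] !== y.core[i]) return x.core[i] - y.core[i];
  }
  if (x.pre === y.pre) return 0;
  if (x.pre === null) return 1;
  if (y.pre === null) return -1;
  return x.pre < y.pre ? -1 : 1; // simplified lexical prerelease ordering
}

// Lockfile keys look like "node_modules/@adobe/css-tools" or, for a
// transitive copy, "node_modules/<dep>/node_modules/@adobe/css-tools".
function findAffected(lockfile) {
  const hits = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    if (!path.endsWith(`node_modules/${AFFECTED.name}`)) continue;
    if (entry.version && compareSemver(entry.version, AFFECTED.fixed) < 0) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Constructed sample lockfile: a patched top-level copy plus a vulnerable
// transitive copy under a hypothetical dependency "some-ui-lib".
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    'node_modules/@adobe/css-tools': { version: '4.3.1' },
    'node_modules/some-ui-lib/node_modules/@adobe/css-tools': { version: '4.0.1' },
  },
};

console.log(findAffected(sampleLock));
// → [ { path: 'node_modules/some-ui-lib/node_modules/@adobe/css-tools', version: '4.0.1' } ]
```

A nested copy is only removed by upgrading (or overriding) the dependency that pins it, so the reported path tells you which package to chase.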


WAF Protection Rules

WAF Rule

### Impact

@adobe/css-tools version 4.3.0 and earlier are affected by an Improper Input Validation vulnerability that could result in a denial of service while attempting to parse CSS.

### Patches

The issue has been resolved in 4.3.1.

### Workaroun
