tarojs taro Regular Expression Denial-of-Service Vulnerability

Vulnerability

A denial-of-service vulnerability has been identified in tarojs taro versions through 4.1.1. The issue arises from inefficient regular expression processing in the file taro/packages/css-to-react-native/src/index.js and can be triggered by embedding maliciously crafted code blocks in the CSS strings that file parses. The vulnerability allows for high CPU usage, application freezing, or a denial-of-service condition, and it can be exploited remotely.

Impact

Exploitation of this vulnerability leads to a denial-of-service condition, causing high CPU usage and application freezing.

Reproduction

The vulnerability can be reproduced with a specially crafted input string that exploits the regular expression handling of CSS 'px' and 'rem' units. A CSS string containing a large number of 'rem' units is processed inefficiently by the vulnerable regular expression, causing a significant processing delay. Once the application becomes unresponsive, the regular expression can be observed still running in a loop, which indicates the denial-of-service condition.

Remediation

Users are advised to upgrade to taro version 4.1.2, which addresses this vulnerability by optimizing the regular expressions to prevent improper matching and improve processing efficiency. The patched version can be downloaded from the Taro GitHub repository.
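As an added example (not code from the Taro project), the following single-pass parser shows how 'px' and 'rem' length values can be handled without a backtracking regular expression, so a long run of repeated units costs linear time; the input-length cap and the root font size are assumptions.

```javascript
// Added example, not Taro's code: a single-pass, backtracking-free parser for
// CSS length values such as "16px" or "1.5rem". Every character is inspected
// once, so input made of many repeated units cannot trigger the super-linear
// behaviour that a poorly constructed regex can exhibit.
const MAX_INPUT_LENGTH = 65536; // assumed cap; oversized input is rejected up front

const isSpace = (c) => c === ' ' || c === '\t' || c === '\n';
const isDigit = (c) => c >= '0' && c <= '9';
const isAlpha = (c) => (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z');

// Parse a whitespace-separated list of lengths, e.g. "1rem 2rem 16px".
// Returns an array of {value, unit} objects, or throws on invalid input.
function parseCssLengths(input) {
  if (typeof input !== 'string') throw new TypeError('expected a string');
  if (input.length > MAX_INPUT_LENGTH) throw new RangeError('CSS value too long');
  const out = [];
  const n = input.length;
  let i = 0;
  while (i < n) {
    while (i < n && isSpace(input[i])) i++;            // skip whitespace
    if (i >= n) break;
    const start = i;                                    // number: sign, digits, fraction
    if (input[i] === '-' || input[i] === '+') i++;
    let digits = 0;
    while (i < n && isDigit(input[i])) { i++; digits++; }
    if (i < n && input[i] === '.') {
      i++;
      while (i < n && isDigit(input[i])) { i++; digits++; }
    }
    if (digits === 0) throw new SyntaxError(`expected a number at offset ${start}`);
    const value = Number(input.slice(start, i));
    const unitStart = i;                                // unit: letters, checked against an allow-list
    while (i < n && isAlpha(input[i])) i++;
    const unit = input.slice(unitStart, i).toLowerCase();
    if (unit !== 'px' && unit !== 'rem' && !(unit === '' && value === 0)) {
      throw new SyntaxError(`unsupported unit "${unit}" at offset ${unitStart}`);
    }
    out.push({ value, unit: unit || 'px' });            // unitless 0 is treated as 0px
    if (i < n && !isSpace(input[i])) throw new SyntaxError(`unexpected character at offset ${i}`);
  }
  return out;
}

// Convert parsed lengths to pixels; the root font size of 16 is an assumption.
function toPixels(lengths, rootFontSize = 16) {
  return lengths.map((l) => (l.unit === 'rem' ? l.value * rootFontSize : l.value));
}
```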

Added: Jun 9, 2025, 9:45 PM
Updated: Jun 9, 2025, 9:45 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 6.6
remediation: 7.7
relevance: 0.2
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.