Prettier Regular Expression Denial-of-Service Vulnerability in CSS Parser

Vulnerability

A Regular Expression Denial-of-Service (ReDoS) vulnerability exists in Prettier versions through 3.6.2. The issue lies in the CSS parsing function 'parseNestedCSS' in 'src/language-css/parser-postcss.js'. It is triggered through the 'node' argument: a crafted value causes a regular expression to be evaluated with catastrophic backtracking. The flaw is reachable remotely, wherever untrusted CSS is formatted, and makes the application hang on excessive CPU consumption.

Impact

Exploitation of this vulnerability leads to a denial-of-service condition, causing the application to hang and consume excessive CPU resources.

Reproduction

The vulnerability can be reproduced with a custom selector consisting of a long run of non-whitespace characters followed by one further non-whitespace character. The vulnerable regular expression processes this input with catastrophic backtracking, so the formatter hangs.
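As an added example (not Prettier's own code), the following JavaScript splits a CSS custom-selector prelude into its name and selector list with a single left-to-right scan instead of a regular expression, so the input shape described above costs linear time. The prelude format ':--name <selector list>', the function names and the constructed input are assumptions.

```javascript
// Added example, not Prettier's own code. Splits a CSS @custom-selector
// prelude (assumed format ":--name <selector list>") with a single
// left-to-right scan, so the cost is linear in the input length and no
// regular-expression backtracking can occur.

// CSS whitespace per the CSS Syntax spec: space, tab, LF, CR, FF.
function isCssWhitespace(ch) {
  return ch === " " || ch === "\t" || ch === "\n" || ch === "\r" || ch === "\f";
}

// Returns { name, selector } or null when the prelude is not a custom
// selector. Each character is inspected at most once.
function splitCustomSelectorPrelude(params) {
  let i = 0;
  const n = params.length;
  while (i < n && isCssWhitespace(params[i])) i++;   // leading space
  const nameStart = i;
  while (i < n && !isCssWhitespace(params[i])) i++;  // the :--name token
  const name = params.slice(nameStart, i);
  if (!name.startsWith(":--")) return null;
  while (i < n && isCssWhitespace(params[i])) i++;   // separator
  let end = n;
  while (end > i && isCssWhitespace(params[end - 1])) end--; // trailing space
  return { name, selector: params.slice(i, end) };
}

// Constructed input with the shape the advisory describes: a long run of
// non-whitespace characters followed by one more non-whitespace character,
// so no whitespace ever terminates the name token.
function buildHostileInput(length) {
  return ":--" + "a".repeat(length) + "!";
}

// Parses a hostile input and reports how long it took; a linear scan
// stays in the millisecond range even for inputs of hundreds of
// thousands of characters.
function measureHostileParse(length) {
  const input = buildHostileInput(length);
  const start = Date.now();
  const result = splitCustomSelectorPrelude(input);
  return { ms: Date.now() - start, nameLength: result.name.length, selector: result.selector };
}
```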

Added: Jul 28, 2025, 8:17 AM
Updated: Jul 28, 2025, 8:17 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 6.6
remediation: 0.0
relevance: 0.3
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.