CVE-2022-21222

Name: CVE-2022-21222
Description: The package css-what before 2.1.3 is vulnerable to Regular Expression Denial of Service (ReDoS) due to the use of an insecure regular expression in the re_attr variable of index.js. Exploitation can be triggered via the parse function.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package         Release        Version   Status
node-css-what (PTS)    buster         2.1.0-1   vulnerable
                       bullseye       4.0.0-3   fixed
                       bookworm, sid  6.1.0-5   fixed

The information below is based on the following data on fixed versions.

Package        Type    Release     Fixed Version  Urgency  Origin  Debian Bugs
node-css-what  source  (unstable)  3.0.2-1

Notes

https://security.snyk.io/vuln/SNYK-JS-CSSWHAT-3035488
ReDoS issue fixed with rewrite of module to TypeScript
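The description above names the mechanism (catastrophic backtracking in the attribute-selector regex, reachable through parse) and the note names the fix (the regex was replaced by a hand-written parser in the rewrite). The following is an added example, not code from css-what or from Debian: a constructed regex that reproduces the nested-quantifier shape behind this class of ReDoS (it is not the actual re_attr expression), a linear-time scanner of the kind a rewrite substitutes for it, and a timing probe a packager can run to confirm that a parser's cost stays linear on adversarial input. The names unsafeParseAttr, safeParseAttr, evilSelector and probe are assumptions for this example.

```javascript
"use strict";

// Constructed illustration of the vulnerable shape, NOT css-what's re_attr:
// the quoted value is matched by a lazy group repeated under a star, followed
// by another lazy group. Every escaped quote can end an iteration or be
// swallowed by a later one, so a value that never terminates forces the engine
// through roughly 2^n partitions before it can report failure.
const UNSAFE_ATTR_RE =
  /^\[\s*([\w-]+)\s*=\s*(['"])((?:[^]*?\\['"])*[^]*?)\2\s*\]/;

function unsafeParseAttr(selector) {
  const m = UNSAFE_ATTR_RE.exec(selector);
  return m ? { name: m[1], value: m[3] } : null;
}

// Hardened stand-in: one left-to-right pass with an explicit escape state.
// No position is ever revisited, so the cost is O(n) for any input, and an
// unterminated value is rejected as soon as the end of input is reached.
function safeParseAttr(selector) {
  const n = selector.length;
  let i = 0;
  const skipWs = () => { while (i < n && /\s/.test(selector[i])) i++; };

  if (selector[i++] !== "[") return null;
  skipWs();
  const nameStart = i;
  while (i < n && /[\w-]/.test(selector[i])) i++;
  if (i === nameStart) return null;
  const name = selector.slice(nameStart, i);
  skipWs();
  if (selector[i++] !== "=") return null;
  skipWs();
  const quote = selector[i++];
  if (quote !== '"' && quote !== "'") return null;
  const valueStart = i;
  while (i < n && selector[i] !== quote) {
    i += selector[i] === "\\" ? 2 : 1; // a backslash consumes the next char too
  }
  if (i >= n) return null;              // unterminated value: reject, no backtracking
  const value = selector.slice(valueStart, i); // raw, escapes preserved
  i++;                                  // closing quote
  skipWs();
  if (selector[i] !== "]") return null;
  return { name, value };
}

// Constructed adversarial input: n escaped quotes and no closing quote/bracket,
// so the match must fail, and the unsafe regex fails only after backtracking.
function evilSelector(n) {
  return '[a="' + '\\"'.repeat(n) + "x";
}

// Time fn on evilSelector(n) for each n; a linear parser shows flat growth,
// a backtracking regex roughly doubles per added escape pair.
function probe(fn, sizes) {
  return sizes.map((n) => {
    const input = evilSelector(n);
    const t0 = process.hrtime.bigint();
    const result = fn(input);
    const ms = Number(process.hrtime.bigint() - t0) / 1e6;
    return { n, ms, result };
  });
}

// Demo: keep the unsafe sizes small; each extra pair doubles the work.
for (const r of probe(unsafeParseAttr, [10, 14, 18])) {
  console.log(`unsafe n=${r.n}: ${r.ms.toFixed(2)} ms`);
}
for (const r of probe(safeParseAttr, [10, 14, 18, 10000])) {
  console.log(`safe   n=${r.n}: ${r.ms.toFixed(2)} ms`);
}
```

Both parsers agree on well-formed selectors; they differ only in what an unterminated value costs. The probe is the check worth keeping in a package's test suite after a regex-to-parser rewrite: run it at a few sizes and fail the build if time grows faster than the input.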
