You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The package css-what before 2.1.3 are vulnerable to Regular Expression Denial of Service (ReDoS) due to the usage of insecure regular expression in the re_attr variable of index.js. The exploitation of this vulnerability could be triggered via the parse function.
mend-bolt-for-githubbot
changed the title
CVE-2022-21222 (Medium) detected in css-what-2.1.0.tgz
CVE-2022-21222 (High) detected in css-what-2.1.0.tgz
Oct 13, 2022
CVE-2022-21222 - High Severity Vulnerability
Vulnerable Library - css-what-2.1.0.tgz
a CSS selector parser
Library home page: https://registry.npmjs.org/css-what/-/css-what-2.1.0.tgz
Path to dependency file: /snippet-generator/package.json
Path to vulnerable library: /node_modules/css-what/package.json
Dependency Hierarchy:
Found in HEAD commit: 048036a9ab01caa8b88a2ac5e83d724da33ace80
Found in base branch: master
Vulnerability Details
The package css-what before 2.1.3 are vulnerable to Regular Expression Denial of Service (ReDoS) due to the usage of insecure regular expression in the re_attr variable of index.js. The exploitation of this vulnerability could be triggered via the parse function.
Publish Date: 2022-09-30
URL: CVE-2022-21222
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21222
Release Date: 2022-09-30
Fix Resolution (css-what): 2.1.3
Direct dependency fix Resolution (html-webpack-plugin): 4.0.0
Step up your Open Source Security Game with Mend here
The text was updated successfully, but these errors were encountered: