You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Introduction:
This issue highlights a vulnerability in the nth-check package, specifically related to Regular Expression Denial of Service (ReDoS). This vulnerability is identified with a CVSS score of 7.5 (High Severity) by both Snyk and NVD.
Details:
The vulnerability is introduced through @tryghost/kg-default-cards@10.0.2 and affects versions of nth-check prior to 2.0.1.
Exploit Maturity:
The exploit maturity is identified as Proof of Concept.
Snyk: CVSS 7.5 - High Severity
NVD: CVSS 7.5 - High Severity
Overview:
nth-check is a library used for parsing CSS nth-child expressions.
Vulnerability Description:
Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) when parsing crafted invalid CSS nth-checks. This vulnerability is due to the sub-pattern \s*(?:([+-]?)\s*(\d+))? in RE_NTH_ELEMENT with quantified overlapping adjacency. An attacker can exploit this by providing a specially crafted input, leading to excessive backtracking during regex processing, which may result in a denial of service condition.
Remediation:
Upgrade to version 2.0.1 or later of nth-check to fix this vulnerability. Unfortunately, there is no remediation path available for previous versions.
Proposed Changes:
Update the dependency on nth-check to version 2.0.1 or later in the package.json file.
Testing:
After updating the dependency, ensure that all existing functionality continues to work as expected. Perform thorough testing to verify that the vulnerability has been mitigated.
The text was updated successfully, but these errors were encountered:
Introduction:
This issue highlights a vulnerability in the nth-check package, specifically related to Regular Expression Denial of Service (ReDoS). This vulnerability is identified with a CVSS score of 7.5 (High Severity) by both Snyk and NVD.
Details:
The vulnerability is introduced through @tryghost/kg-default-cards@10.0.2 and affects versions of nth-check prior to 2.0.1.
Exploit Maturity:
The exploit maturity is identified as Proof of Concept.
Detailed Paths:
Security Information:
Overview:
nth-check is a library used for parsing CSS nth-child expressions.
Vulnerability Description:
Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) when parsing crafted invalid CSS nth-checks. This vulnerability is due to the sub-pattern \s*(?:([+-]?)\s*(\d+))? in RE_NTH_ELEMENT with quantified overlapping adjacency. An attacker can exploit this by providing a specially crafted input, leading to excessive backtracking during regex processing, which may result in a denial of service condition.
Remediation:
Upgrade to version 2.0.1 or later of nth-check to fix this vulnerability. Unfortunately, there is no remediation path available for previous versions.
Proposed Changes:
Update the dependency on nth-check to version 2.0.1 or later in the package.json file.
Testing:
After updating the dependency, ensure that all existing functionality continues to work as expected. Perform thorough testing to verify that the vulnerability has been mitigated.
The text was updated successfully, but these errors were encountered: