DoS vulnerability via obsolete "css-what" version
There is a fresh security advisory on css-what in cheerio v0.22 - https://www.npmjs.com/advisories/1754.
Audit report -
yarn audit v1.22.10
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ high │ Denial of Service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ css-what │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=5.0.1 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ cheerio │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ cheerio > css-select > css-what │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://www.npmjs.com/advisories/1754 │
└───────────────┴──────────────────────────────────────────────────────────────┘
Note that the css-what version currently in use is v2.1, and a forced bump to v5 breaks cheerio - so that's not an option.
Top GitHub Comments
I am the maintainer of css-what. The bug was introduced in https://github.com/fb55/css-what/commit/63cb253baf66a64094de8ecc167d41b4d4dee90b. This issue only affects css-what@4.0.0 and higher. I am trying to get the CVE updated to reflect this.
For now, I have published cheerio@1.0.0-rc.10, which includes the version update.
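The audit output above reports "Patched in >=5.0.1" while the maintainer comment narrows the affected range to css-what@4.0.0 and higher. As an added example (not code from the issue, cheerio or css-what), the script below reads a yarn v1 lockfile and lists which resolved css-what versions fall inside that combined range; it assumes the range >=4.0.0 <5.0.1 and uses a constructed sample lockfile.

```javascript
// Added example (not from the issue, cheerio or css-what): list the css-what
// versions a yarn v1 lockfile actually resolves and flag those in the range the
// thread describes: >=4.0.0 (maintainer) and <5.0.1 (audit "Patched in").
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}
function cmpSemver(a, b) {
  const [x, y] = [parseSemver(a), parseSemver(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
}
// Affected iff 4.0.0 <= version < 5.0.1 (range assumed from the thread).
function isAffectedCssWhat(version) {
  return cmpSemver(version, "4.0.0") >= 0 && cmpSemver(version, "5.0.1") < 0;
}

// Minimal yarn.lock (v1) reader: package name -> resolved versions. A header
// like `css-what@2.1, css-what@^2.1.2:` is followed by a `version "x.y.z"` line.
function resolvedVersions(lockText) {
  const out = {};
  let names = [];
  for (const line of lockText.split("\n")) {
    if (/^[^\s#].*:$/.test(line)) {
      names = line.slice(0, -1).split(",")
        .map((s) => s.trim().replace(/^"|"$/g, ""))
        .map((s) => s.slice(0, s.lastIndexOf("@"))); // drop the range spec
    } else {
      const m = /^\s+version "([^"]+)"/.exec(line);
      if (m) for (const n of new Set(names)) (out[n] = out[n] || []).push(m[1]);
    }
  }
  return out;
}
// Resolved css-what versions that fall in the affected range.
function affectedCssWhatVersions(lockText) {
  return (resolvedVersions(lockText)["css-what"] || []).filter(isAffectedCssWhat);
}

// Constructed sample lockfile: three css-what copies, only 4.0.0 is affected.
const SAMPLE_LOCK = `# yarn lockfile v1
css-what@2.1:
  version "2.1.3"
css-what@^4.0.0:
  version "4.0.0"
css-what@^5.0.0:
  version "5.0.1"
`;

console.log(affectedCssWhatVersions(SAMPLE_LOCK)); // prints [ '4.0.0' ]
```

Run it against a real project's yarn.lock by replacing SAMPLE_LOCK with the file contents; a 2.1.x copy, as in this thread, is outside the range the maintainer describes even though the audit tool flags it.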