GMS-2019-74: Regular Expression Denial of Service in clean-css

June 5, 2019 (updated August 31, 2020)

Version of clean-css prior to 4.1.11 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions. This can cause the application to be unresponsive leading to Denial of Service.

Recommendation

Upgrade to version 4.1.11 or higher.

References

github.com/advisories/GHSA-wxhq-pm8v-cw75
github.com/jakubpawlowicz/clean-css/commit/2929bafbf8cdf7dccb24e0949c70833764fa87e3

Code Behaviors & Features

Detect and mitigate GMS-2019-74 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →