GHSA-7r3r-gq8p-v9jj: Improper handling of CSS at-rules in lettersanitizer

1. GitHub Advisory Database
2. GitHub Reviewed
3. CVE-2022-31103

Improper handling of CSS at-rules in lettersanitizer

High severity GitHub Reviewed Published Jun 23, 2022 in mat-sz/lettersanitizer • Updated Jun 23, 2022

Vulnerability details Dependabot alerts 0

Package

npm lettersanitizer (npm)

Affected versions

< 1.0.2

Patched versions

1.0.2

Description

Impact

All versions of lettersanitizer below 1.0.2 are affected by a denial of service issue when processing a CSS at-rule @keyframes.

This package is depended on by react-letter, therefore everyone using react-letter is also at risk.

Patches

The problem has been patched in version 1.0.2.

Workarounds

There is no workaround besides upgrading.

References

The issue was originally reported in the react-letter repository: mat-sz/react-letter#17

For more information

If you have any questions or comments about this advisory:

• Open an issue in lettersanitizer
• Email me at [email protected]

References

• GHSA-7r3r-gq8p-v9jj
• mat-sz/react-letter#17
• mat-sz/lettersanitizer@96d3dfe

mat-sz published the maintainer security advisory

Jun 22, 2022

Severity

High

Weaknesses

No CWEs

CVE ID

CVE-2022-31103

GHSA ID

GHSA-7r3r-gq8p-v9jj

Source code

mat-sz/lettersanitizer

Checking history

See something to contribute? Suggest improvements for this vulnerability.