Vulnerability Details CVE-2022-25758
All versions of package scss-tokenizer are vulnerable to Regular Expression Denial of Service (ReDoS) via the loadAnnotation() function, due to the usage of insecure regex.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.003
EPSS Ranking 54.7%
CVSS Severity
CVSS v3 Score 5.3
CVSS v2 Score 5.0
References
- https://github.com/sasstools/scss-tokenizer/issues/45
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2936782
- https://snyk.io/vuln/SNYK-JS-SCSSTOKENIZER-2339884
- https://github.com/sasstools/scss-tokenizer/issues/45
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2936782
- https://snyk.io/vuln/SNYK-JS-SCSSTOKENIZER-2339884
Products affected by CVE-2022-25758
-
cpe:2.3:a:scss-tokenizer_project:scss-tokenizer:0.0.1
-
cpe:2.3:a:scss-tokenizer_project:scss-tokenizer:0.1.0
-
cpe:2.3:a:scss-tokenizer_project:scss-tokenizer:0.1.1
-
cpe:2.3:a:scss-tokenizer_project:scss-tokenizer:0.1.2
-
cpe:2.3:a:scss-tokenizer_project:scss-tokenizer:0.2.0
-
cpe:2.3:a:scss-tokenizer_project:scss-tokenizer:0.2.1
-
cpe:2.3:a:scss-tokenizer_project:scss-tokenizer:0.2.2
-
cpe:2.3:a:scss-tokenizer_project:scss-tokenizer:0.2.3
-
cpe:2.3:a:scss-tokenizer_project:scss-tokenizer:0.3.0
-
cpe:2.3:a:scss-tokenizer_project:scss-tokenizer:0.4.0
-
cpe:2.3:a:scss-tokenizer_project:scss-tokenizer:0.4.1
-
cpe:2.3:a:scss-tokenizer_project:scss-tokenizer:0.4.2