CVE-2022-25758 (High) detected in scss-tokenizer-0.2.3.tgz - autoclosed

[mend-for-github-com]

CVE-2022-25758 - High Severity Vulnerability

Vulnerable Library - scss-tokenizer-0.2.3.tgz

A tokenzier for Sass' SCSS syntax

Library home page: https://registry.npmjs.org/scss-tokenizer/-/scss-tokenizer-0.2.3.tgz

Dependency Hierarchy:

• @osd/ui-framework-1.0.0.tgz (Root Library)
  • node-sass-6.0.1.tgz
    • sass-graph-2.2.5.tgz
      • ❌ scss-tokenizer-0.2.3.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

All versions of package scss-tokenizer are vulnerable to Regular Expression Denial of Service (ReDoS) via the loadAnnotation() function, due to the usage of insecure regex.

Publish Date: 2022-07-01

URL: CVE-2022-25758

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2022-25758

Release Date: 2022-07-01

Fix Resolution: no_fix

[kavilla]

yarn why scss-tokenizer
yarn why v1.22.18
[1/4] Why do we have the module "scss-tokenizer"...?
[2/4] Initialising dependency graph...
warning Resolution field "typescript@4.0.2" is incompatible with requested version "typescript@~4.5.2"
[3/4] Finding dependency...
[4/4] Calculating file sizes...
=> Found "scss-tokenizer@0.2.3"
info Reasons this module exists
   - "_project_#@osd#ui-framework#node-sass#sass-graph" depends on it
   - Hoisted from "_project_#@osd#ui-framework#node-sass#sass-graph#scss-tokenizer"

[ananzh]

• main has no issue
• 2.x is on 0.2.3

yarn why scss-tokenizer
yarn why v1.22.19
[1/4] Why do we have the module "scss-tokenizer"...?
[2/4] Initialising dependency graph...
warning Resolution field "typescript@4.0.2" is incompatible with requested version "typescript@~4.5.2"
[3/4] Finding dependency...
[4/4] Calculating file sizes...
=> Found "scss-tokenizer@0.2.3"
info Reasons this module exists
   - "_project_#@osd#optimizer#node-sass#sass-graph" depends on it
   - Hoisted from "_project_#@osd#optimizer#node-sass#sass-graph#scss-tokenizer"
info Disk size without dependencies: "432KB"
info Disk size with unique dependencies: "1.27MB"
info Disk size with transitive dependencies: "1.27MB"
info Number of shared dependencies: 2
Done in 1.04s.

[ananzh]

Possible solutions:

• Bump node-sass to 7.0.3
  The latest sass-graph @4.0.1
  Bump scss-tokenizer@^0.4.3 (@Ohiekkar, [Rename] telemtry-collection-manager plugin #149)

  This is kicked in node-sass@7.0.3
  Bump sass-graph from 4.0.0 to ^4.0.1

• resolve scss-tokenizer to 0.4.3

[ananzh]

• Option 1

yarn start error

Node Sass version 7.0.3 is incompatible with ^4.0.0 || ^5.0.0 || ^6.0.0.
       │          Error: Node Sass version 7.0.3 is incompatible with ^4.0.0 || ^5.0.0 || ^6.0.0.
       │              at getSassImplementation (/home/ubuntu/work/OpenSearch-Dashboards/node_modules/sass-loader/dist/utils.js:92:31)

This is because sass-loader 10.2.1 doesn't support node-sass v7. Could try to bump it 10.4.1:
support node-sass v8 (webpack/sass-loader#1103) (88735bc)