CVE-2021-23382 Might apply?

Dear SCSS-Tokenizer Team, 

In scanning my node_modules for [Regular Expression Denial of Service (ReDoS) Affecting org.webjars.npm:postcss](https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1255641) and [CVE-2021-23382](https://nvd.nist.gov/vuln/detail/CVE-2021-23382)

I encountered scss-tokenizer with [previous-map.js](https://github.com/sasstools/scss-tokenizer/blob/master/src/previous-map.js#L34) with the same style regular expression that is cited in the CVE [commit](https://github.com/postcss/postcss/commit/2b1d04c867995e55124e0a165b7c6622c1735956). 

*postcss*

```
    return sourceMapString.match(/\/\*\s*# sourceMappingURL=(.*)\*\//)[1].trim()
```

*scss-tokenizer*

```
let match = css.match(/\/\*\s*# sourceMappingURL=(.*)\s*\*\//)
```

It's slightly different, and maybe worth your time to double check.  

I hope this helps. 

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CVE-2021-23382 Might apply? #45

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

CVE-2021-23382 Might apply? #45

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions