How the Vulnerability Works
The vulnerability exists in `taro/packages/css-to-react-native/src/index.js`, where inefficient regular expressions are used to parse CSS into React Native styles. Attackers can craft malicious CSS strings with nested patterns (e.g., `((((a))))`) that trigger catastrophic backtracking in the regex engine. This causes exponential CPU consumption, leading to denial of service. Since the parsing occurs during style conversion, remote attackers can exploit this by supplying malicious CSS via user-controlled inputs.
DailyCVE Form
Platform: Taro (CSS-to-React-Native)
Version: <= 4.1.1
Vulnerability: ReDoS
Severity: Moderate
Date: Jun 9, 2025
Prediction: Patch expected by Jun 16, 2025
What Undercode Say:
Exploitation
1. Payload Example:
.exploit { padding: ((((a)))); }
2. Triggering the Bug:
const { transform } = require('taro-css-to-react-native');
// Same payload as above; the selector needs the leading dot to match it
transform('.exploit { padding: ((((a)))); }'); // High CPU usage
Protection
1. Upgrade:
npm update [email protected]
2. Regex Sanitization:
function sanitizeCSS(css) {
  // Block nested patterns: strip any run of five or more consecutive parentheses.
  // The parentheses must be escaped (here via a character class); unescaped they
  // are regex groups and the expression fails to compile.
  return css.replace(/[()]{5,}/g, '');
}
Detection
1. Audit Dependencies:
npm audit --production
2. Log Analysis:
grep -r "css-to-react-native" /var/log/app | grep "high CPU"
Mitigation Workaround
// Patch until update: require this wrapper module in place of the library
const oldTransform = require('taro-css-to-react-native').transform;
module.exports.transform = (css) => {
  // Reject runs of five or more consecutive parentheses before parsing
  if (/[()]{5,}/.test(css)) throw new Error("ReDoS attempt");
  return oldTransform(css);
};
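A sturdier form of the workaround above, added here as an example and not code from the advisory or the Taro project: rather than matching bracket runs with a regex, it measures parenthesis nesting depth and input length in one linear pass and wraps whatever transform function is already in use. The two limits (MAX_NESTING_DEPTH, MAX_CSS_LENGTH) are assumed values chosen for the illustration.

```javascript
// Added example (not from the advisory or the Taro project): a linear-time guard that
// bounds bracket nesting depth and input size before CSS reaches a regex-based parser.
// MAX_NESTING_DEPTH and MAX_CSS_LENGTH are assumed limits chosen for this illustration.
const MAX_NESTING_DEPTH = 3;       // calc(a - (b * (c))) still passes; ((((a)))) does not
const MAX_CSS_LENGTH = 64 * 1024;  // cap on a single stylesheet string, in characters

// Deepest parenthesis nesting in `css`, found in one pass over the string, so the
// check itself cannot be driven into backtracking. A closer with no matching opener,
// or an opener never closed, is reported as unbalanced instead of skewing the depth.
function maxNestingDepth(css) {
  let depth = 0;
  let max = 0;
  let unbalanced = false;
  for (const ch of css) {
    if (ch === '(') {
      depth += 1;
      if (depth > max) max = depth;
    } else if (ch === ')') {
      if (depth === 0) unbalanced = true;
      else depth -= 1;
    }
  }
  return { max, unbalanced: unbalanced || depth !== 0 };
}

// Verdict on whether `css` may be handed to the parser, with the reason for a rejection.
function checkCss(css) {
  if (typeof css !== 'string') return { ok: false, reason: 'input is not a string' };
  if (css.length > MAX_CSS_LENGTH) return { ok: false, reason: 'input exceeds length cap' };
  const { max, unbalanced } = maxNestingDepth(css);
  if (unbalanced) return { ok: false, reason: 'unbalanced parentheses' };
  if (max > MAX_NESTING_DEPTH) {
    return { ok: false, reason: `nesting depth ${max} exceeds ${MAX_NESTING_DEPTH}` };
  }
  return { ok: true, reason: '' };
}

// Wraps whatever transform(css) function the caller already uses so the guard runs
// first; nothing here depends on the library's internals.
function withCssGuard(transform) {
  return (css) => {
    const verdict = checkCss(css);
    if (!verdict.ok) throw new Error(`rejected CSS input: ${verdict.reason}`);
    return transform(css);
  };
}
```

Wire it in with `const transform = withCssGuard(require('taro-css-to-react-native').transform);`, using the same module name the workaround above uses.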
References
Sources:
Reported By: github.com
Extra Source Hub:
Undercode