
Quality: Potential ReDoS vulnerability in regex-based CSS function parsing #627

Open

tomaioo wants to merge 1 commit into Automattic:master from tomaioo:improve/quality/potential-redos-vulnerability-in-regex-b

Conversation

tomaioo commented Jun 20, 2026

Summary

Quality: Potential ReDoS vulnerability in regex-based CSS function parsing

Problem

Severity: High | File: lib/variables.js:L12

In `lib/variables.js`, the `replaceVariables` function uses a regex `/([a-z\-]+)\s*\(\s*([^\(\)]*?)\s*(?:,\s*([^\(\)]*?)\s*)?\s*\)/i` to parse CSS function calls. This regex contains nested quantifiers and backreferences that could be exploited with maliciously crafted CSS input, causing catastrophic backtracking and denial of service. The regex is applied in a `while` loop with `exec`, compounding the risk. The `[^\(\)]*?` pattern with the surrounding optional groups creates multiple paths for exponential backtracking when encountering nested or malformed parentheses.

Solution

Replace the hand-rolled regex parser with a proper CSS value tokenizer, or at minimum add input length limits and timeout protection. Consider using a well-tested CSS parsing library instead of regex for this task. If regex must be used, simplify the pattern to avoid nested quantifiers and test with ReDoS detection tools.

Changes

  • lib/variables.js (modified)

In `lib/variables.js`, the `replaceVariables` function uses a regex `/([a-z\-]+)\s*\(\s*([^\(\)]*?)\s*(?:,\s*([^\(\)]*?)\s*)?\s*\)/i` to parse CSS function calls. This regex contains nested quantifiers and backreferences that could be exploited with maliciously crafted CSS input, causing catastrophic backtracking and denial of service. The regex is applied in a `while` loop with `exec`, compounding the risk. The `[^\(\)]*?` pattern with the surrounding optional groups creates multiple paths for exponential backtracking when encountering nested or malformed parentheses.

Signed-off-by: tomaioo <203048277+tomaioo@users.noreply.github.com>
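The Solution section above proposes a tokenizer instead of the regex plus an input length limit. As an added example that is not part of this PR or the project's code, the scanner below extracts the same captures the PR's regex does (function name, first argument, optional second argument, innermost calls only) in one linear pass, so its cost is bounded by input length however the parentheses are arranged; `findCssFunctionCalls` and `MAX_INPUT_LENGTH` are names and values assumed here.

```javascript
// Added example, not the project's code. MAX_INPUT_LENGTH is an assumed limit.
const MAX_INPUT_LENGTH = 1 << 20; // 1 MiB of CSS

function isNameChar(ch) {
  return (ch >= 'a' && ch <= 'z') || (ch >= 'A' && ch <= 'Z') || ch === '-';
}

function isSpace(ch) {
  return ch === ' ' || ch === '\t' || ch === '\n' || ch === '\r' || ch === '\f';
}

// Returns [{ name, args, start, end }] for every innermost `name(arg[, arg])`
// call (a body with no parentheses, like the regex's `[^()]`). Each character
// is visited once; nested or unbalanced parentheses never trigger a rescan.
function findCssFunctionCalls(css) {
  if (css.length > MAX_INPUT_LENGTH) {
    throw new RangeError(`CSS input exceeds ${MAX_INPUT_LENGTH} characters`);
  }
  const calls = [];
  const stack = []; // one frame per unmatched '(': { nameStart, nameEnd, open, nested }

  for (let i = 0; i < css.length; i++) {
    const ch = css[i];
    if (ch === '(') {
      // Look back over whitespace, then identifier chars, for the function name.
      let j = i;
      while (j > 0 && isSpace(css[j - 1])) j--;
      const nameEnd = j;
      while (j > 0 && isNameChar(css[j - 1])) j--;
      if (stack.length) stack[stack.length - 1].nested = true; // outer call has parens inside
      stack.push({ nameStart: j < nameEnd ? j : -1, nameEnd, open: i, nested: false });
    } else if (ch === ')') {
      const frame = stack.pop();
      // Stray ')', a bare '(', or an outer call wrapping another call: no match.
      if (!frame || frame.nested || frame.nameStart < 0) continue;
      const body = css.slice(frame.open + 1, i);
      const comma = body.indexOf(',');
      const args = comma < 0
        ? [body.trim()]
        : [body.slice(0, comma).trim(), body.slice(comma + 1).trim()];
      calls.push({
        name: css.slice(frame.nameStart, frame.nameEnd),
        args,
        start: frame.nameStart,
        end: i + 1,
      });
    }
  }
  return calls;
}
```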