CVE-2021-32821 Regular expression Denial of Service in MooTools

2023-01-0300:00:00

CWE-400

GitHub_M

www.cve.org

cve-2021-32821

mootools

javascript

redos

css selector parser

denial of service

CVSS3

6.2

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.001

Percentile

37.2%

JSON

MooTools is a collection of JavaScript utilities for JavaScript developers. All known versions include a CSS selector parser that is vulnerable to Regular Expression Denial of Service (ReDoS). An attack requires that an attacker can inject a string into a CSS selector at runtime, which is quite common with e.g. jQuery CSS selectors. No patches are available for this issue.

CNA Affected

[
  {
    "vendor": "mootools",
    "product": "mootools-core",
    "versions": [
      {
        "version": "1.6.0",
        "status": "affected",
        "lessThanOrEqual": "1.6.0",
        "versionType": "custom"
      }
    ]
  }
]