Intel

AIKIDO-2026-866435

inline-style-parser is vulnerable to Regular Expression Denial of Service (ReDoS)

Regular Expression Denial of Service (ReDoS) Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published 3 days ago

60

Medium Risk

This Affects:

JSinline-style-parser
0.1.0 - 0.2.8
Fixed in 0.2.9
Are you affected? Scan for Free

TL;DR

inline-style-parser strips CSS comments from declaration properties and values with a regular expression built from nested quantifiers and ambiguous alternation. When the parser processes an inline style string containing a crafted comment sequence, the regex engine enters catastrophic backtracking and blocks the single-threaded event loop. An application that parses untrusted CSS or inline style strings can be forced into a denial-of-service state by a short malicious input. The fix rewrites the comment-stripping regular expression into an unambiguous, linear-time pattern.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and your application parses untrusted CSS or inline style strings.

Background info

inline-style-parser is vulnerable to Regular Expression Denial of Service (ReDoS) in versions 0.1.0 - 0.2.8.

How to fix this

Upgrade the inline-style-parser library to the patch version.