Search criteria
2 vulnerabilities by taro
CVE-2025-5896 (GCVE-0-2025-5896)
Vulnerability from cvelistv5 – Published: 2025-06-09 20:31 – Updated: 2025-06-10 15:30
VLAI?
Title
tarojs taro index.js redos
Summary
A vulnerability was found in tarojs taro up to 4.1.1. It has been declared as problematic. This vulnerability affects unknown code of the file taro/packages/css-to-react-native/src/index.js. The manipulation leads to inefficient regular expression complexity. The attack can be initiated remotely. Upgrading to version 4.1.2 is able to address this issue. The name of the patch is c2e321a8b6fc873427c466c69f41ed0b5e8814bf. It is recommended to upgrade the affected component.
Severity ?
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Credits
mmmsssttt (VulDB User)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-5896",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-10T14:23:00.785444Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-10T15:30:17.186Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/NervJS/taro/pull/17619"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "taro",
"vendor": "tarojs",
"versions": [
{
"status": "affected",
"version": "4.1.0"
},
{
"status": "affected",
"version": "4.1.1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "mmmsssttt (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in tarojs taro up to 4.1.1. It has been declared as problematic. This vulnerability affects unknown code of the file taro/packages/css-to-react-native/src/index.js. The manipulation leads to inefficient regular expression complexity. The attack can be initiated remotely. Upgrading to version 4.1.2 is able to address this issue. The name of the patch is c2e321a8b6fc873427c466c69f41ed0b5e8814bf. It is recommended to upgrade the affected component."
},
{
"lang": "de",
"value": "In tarojs taro bis 4.1.1 wurde eine Schwachstelle ausgemacht. Sie wurde als problematisch eingestuft. Dabei geht es um eine nicht genauer bekannte Funktion der Datei taro/packages/css-to-react-native/src/index.js. Mittels dem Manipulieren mit unbekannten Daten kann eine inefficient regular expression complexity-Schwachstelle ausgenutzt werden. Die Umsetzung des Angriffs kann dabei \u00fcber das Netzwerk erfolgen. Ein Aktualisieren auf die Version 4.1.2 vermag dieses Problem zu l\u00f6sen. Der Patch wird als c2e321a8b6fc873427c466c69f41ed0b5e8814bf bezeichnet. Als bestm\u00f6gliche Massnahme wird das Einspielen eines Upgrades empfohlen."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:X/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:X/RL:O/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 4,
"vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P/E:ND/RL:OF/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-09T20:31:07.141Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-311668 | tarojs taro index.js redos",
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/?id.311668"
},
{
"name": "VDB-311668 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.311668"
},
{
"name": "Submit #585796 | @tarojs/taro 4.1.1 Inefficient Regular Expression Complexity",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.585796"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/NervJS/taro/pull/17619"
},
{
"tags": [
"patch"
],
"url": "https://github.com/NervJS/taro/commit/c2e321a8b6fc873427c466c69f41ed0b5e8814bf"
},
{
"tags": [
"patch"
],
"url": "https://github.com/NervJS/taro/releases/tag/v4.1.2"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-06-09T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-06-09T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-06-09T08:58:45.000Z",
"value": "VulDB entry last update"
}
],
"title": "tarojs taro index.js redos"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-5896",
"datePublished": "2025-06-09T20:31:07.141Z",
"dateReserved": "2025-06-09T06:53:29.593Z",
"dateUpdated": "2025-06-10T15:30:17.186Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-3804 (GCVE-0-2021-3804)
Vulnerability from cvelistv5 – Published: 2021-09-17 06:15 – Updated: 2024-08-03 17:09
VLAI?
Title
Inefficient Regular Expression Complexity in nervjs/taro
Summary
taro is vulnerable to Inefficient Regular Expression Complexity
Severity ?
7.5 (High)
CWE
- CWE-1333 - Inefficient Regular Expression Complexity
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| nervjs | nervjs/taro |
Affected:
unspecified , ≤ 3.3.8
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:09:09.530Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/0ebe85e6-cc85-42b8-957e-18d8df277414"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/nervjs/taro/commit/acadb6c826ba57f2030a626f1de4f7b4608fcdb5"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "nervjs/taro",
"vendor": "nervjs",
"versions": [
{
"lessThanOrEqual": "3.3.8",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "taro is vulnerable to Inefficient Regular Expression Complexity"
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "CWE-1333 Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-09-17T06:15:21",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/0ebe85e6-cc85-42b8-957e-18d8df277414"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nervjs/taro/commit/acadb6c826ba57f2030a626f1de4f7b4608fcdb5"
}
],
"source": {
"advisory": "0ebe85e6-cc85-42b8-957e-18d8df277414",
"discovery": "EXTERNAL"
},
"title": "Inefficient Regular Expression Complexity in nervjs/taro",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2021-3804",
"STATE": "PUBLIC",
"TITLE": "Inefficient Regular Expression Complexity in nervjs/taro"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "nervjs/taro",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "3.3.8"
}
]
}
}
]
},
"vendor_name": "nervjs"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "taro is vulnerable to Inefficient Regular Expression Complexity"
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-1333 Inefficient Regular Expression Complexity"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://huntr.dev/bounties/0ebe85e6-cc85-42b8-957e-18d8df277414",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/0ebe85e6-cc85-42b8-957e-18d8df277414"
},
{
"name": "https://github.com/nervjs/taro/commit/acadb6c826ba57f2030a626f1de4f7b4608fcdb5",
"refsource": "MISC",
"url": "https://github.com/nervjs/taro/commit/acadb6c826ba57f2030a626f1de4f7b4608fcdb5"
}
]
},
"source": {
"advisory": "0ebe85e6-cc85-42b8-957e-18d8df277414",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2021-3804",
"datePublished": "2021-09-17T06:15:21",
"dateReserved": "2021-09-16T00:00:00",
"dateUpdated": "2024-08-03T17:09:09.530Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}