CVE-2022-31103

Description

### Impact All versions of lettersanitizer below 1.0.2 are affected by a denial of service issue when processing a CSS at-rule `@keyframes`. This package is depended on by [react-letter](https://github.com/mat-sz/react-letter), therefore everyone using react-letter is also at risk. ### Patches The problem has been patched in version 1.0.2. ### Workarounds There is no workaround besides upgrading. ### References The issue was originally reported in the react-letter repository: https://github.com/mat-sz/react-letter/issues/17 ### For more information If you have any questions or comments about this advisory: * Open an issue in [lettersanitizer](https://github.com/mat-sz/lettersanitizer/issues) * Email me at [[email protected]](mailto:[email protected])

How to fix CVE-2022-31103

To remediate CVE-2022-31103, upgrade the affected package to a fixed version below.

• —upgrade to 1.0.2 or later

Is CVE-2022-31103 being exploited?

Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• from 0, < 1.0.2

CVSS scores

References (5)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-31103
• PATCHgithub.com/mat-sz/lettersanitizer
• WEBgithub.com/mat-sz/lettersanitizer/commit/96d3dfe2ef0465d47324ed4d13e91ba0816a173f
• WEBgithub.com/mat-sz/lettersanitizer/security/advisories/GHSA-7r3r-gq8p-v9jj