
CVE-2022-21222: Regular Expression Denial of Service (ReDoS) in css-what

Severity: Medium
Published: Fri Sep 30 2022 (09/30/2022, 05:05:11 UTC)
Source: CVE
Vendor/Project: n/a
Product: css-what

Description

The package css-what before 2.1.3 is vulnerable to Regular Expression Denial of Service (ReDoS) due to the use of an insecure regular expression in the re_attr variable of index.js. The vulnerability can be triggered via the parse function.

AI-Powered Analysis

AI analysis last updated: 07/04/2025, 10:41:33 UTC

Technical Analysis

CVE-2022-21222 is a Regular Expression Denial of Service (ReDoS) in the css-what package, versions prior to 2.1.3. css-what is the JavaScript CSS selector parser used by css-select and, through it, by cheerio and other HTML-processing tools, so it is usually present as a transitive dependency rather than one an application declares directly. The defect is an inefficient regular expression (CWE-1333) assigned to the re_attr variable in index.js, the pattern that handles attribute selectors of the form [name="value"].

Because that pattern is applied to the raw selector string, any code path that passes attacker-controlled selectors to parse, directly or through a library that calls it, is exposed. A crafted selector causes catastrophic backtracking: the regex engine explores an exponentially growing number of ways to match the input before giving up, pinning a CPU core for the duration. Node.js executes JavaScript on a single thread, so a synchronous parse that does not return blocks the event loop and stalls every other request served by that process, not just the one carrying the malicious selector.

Snyk, the assigning CNA, scores the issue CVSS v3.1 5.3 (Medium) with base vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L; the trailing E:P in the record is the temporal Exploit Code Maturity metric (proof of concept), not part of the base vector. The base metrics describe an attack that is reachable over the network without privileges or user interaction and that affects availability only. No exploitation in the wild has been reported and this record links no patch commit; the fix is to move to css-what 2.1.3 or later.

Potential Impact

For European organizations, the impact of this vulnerability depends on where css-what sits in their software stacks. Because it is pulled in transitively by HTML and CSS tooling (css-select, cheerio and the scrapers, templating tools and build pipelines built on them), a vulnerable copy can be present without appearing in a project's own dependency list. Any web-facing application or service that hands untrusted selectors to such a library is exposed to denial of service: service outages, degraded response times and disruption of the business processes behind them. Organizations running SaaS platforms, public web services or internal tools that parse CSS selectors from user input are the most likely to be affected. The vulnerability does not touch confidentiality or integrity, but an attacker can use the resulting downtime on its own or as cover while security teams are occupied elsewhere. Since the attack is remote and unauthenticated, no prior access is needed, which raises the risk profile. The absence of known exploitation in the wild suggests that immediate widespread impact is limited, but continued vigilance is warranted.

Mitigation Recommendations

European organizations should first inventory their software dependencies to find css-what, especially versions prior to 2.1.3; because it is typically transitive, use the package manager's tree view (`npm ls css-what`, `yarn why css-what`) or `npm audit` rather than inspecting package.json alone. Where found, upgrading to 2.1.3 or later is the effective mitigation; if the vulnerable copy is pinned by an intermediate dependency, npm `overrides` or Yarn `resolutions` can force the patched version until that dependency is updated. If upgrading is not immediately feasible, limit the length and complexity of selectors accepted from untrusted sources before they reach the parse function, bearing in mind that an exponential pattern can be triggered by a short input, so a length cap reduces exposure but does not remove it. The more reliable runtime control is to bound the parse itself: run it in a worker thread or separate process with a time budget and terminate it on overrun, so a stuck regex cannot hold the event loop. Complement this with CPU usage monitoring and rate limiting on services that parse selectors, which make exploitation attempts visible and limit their blast radius. Web Application Firewall rules can catch abnormal request patterns against endpoints that accept selectors, but since selectors are application-level data the WAF cannot generally tell a hostile one from a legitimate one, so treat it as a secondary layer. Finally, track updates from the css-what maintainers and security advisories so that patches are applied promptly.


Technical Details

Data Version: 5.1
Assigner Short Name: snyk
Date Reserved: 2022-02-24T00:00:00.000Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682cd0f71484d88663aeaea2

Added to database: 5/20/2025, 6:59:03 PM

Last enriched: 7/4/2025, 10:41:33 AM

Last updated: 8/14/2025, 10:05:38 PM

