
CVE-2022-24373: Regular Expression Denial of Service (ReDoS) in react-native-reanimated

Medium
Type: Vulnerability (CVE-2022-24373)
Published: Fri Sep 30 2022 (09/30/2022, 05:00:17 UTC)
Source: CVE
Vendor/Project: n/a
Product: react-native-reanimated

Description

The package react-native-reanimated before 3.0.0-rc.1 is vulnerable to Regular Expression Denial of Service (ReDoS) due to improper usage of a regular expression in the parser in Colors.js.

AI-Powered Analysis

Last updated: 07/06/2025, 06:25:12 UTC

Technical Analysis

CVE-2022-24373 is a Regular Expression Denial of Service (ReDoS) vulnerability in the react-native-reanimated package, affecting versions before 3.0.0-rc.1. It stems from an improperly constructed regular expression in the library's Colors.js parser. react-native-reanimated is a widely used animation library for React Native, enabling smooth and complex animations on mobile platforms. In a ReDoS condition, crafted input causes the regular expression engine to spend excessive CPU time (typically through catastrophic backtracking), so the application slows down or freezes. The vulnerability does not affect confidentiality or integrity; its impact is on availability through resource exhaustion. The CVSS 3.1 base score is 5.3 (medium severity): the attack can be launched remotely without authentication or user interaction and with low attack complexity, but the impact is limited to availability degradation. No exploits in the wild have been reported. The weakness is classified as CWE-1333 (Inefficient Regular Expression Complexity). Because react-native-reanimated is a client-side library bundled into mobile apps, exploitation requires the attacker to influence input that reaches the vulnerable regular expression, for example through crafted color or animation data. The vulnerability was published on September 30, 2022. No official patches or updates are linked in the provided data, but upgrading to 3.0.0-rc.1 or later is the implied remediation.

Potential Impact

For European organizations, the impact of CVE-2022-24373 primarily concerns mobile applications built with React Native that include the react-native-reanimated library. If such an application processes untrusted input that reaches the vulnerable regular expression, it may experience degraded performance or temporary unavailability, affecting user experience and operational continuity. This matters most for customer-facing apps in sectors such as finance, retail, healthcare, and public services, where mobile app reliability is critical. The vulnerability does not compromise data confidentiality or integrity, but a denial of service can cause reputational damage, customer dissatisfaction, and indirect financial loss. Enterprises relying on internally developed or third-party React Native apps should assess their exposure, especially where apps parse colors or accept animation parameters that an external party can influence. Given the medium severity and the absence of known exploits, the immediate risk is moderate, but it rises if attackers find a vector to supply malicious input. Organizations with large user bases or critical mobile services in Europe should prioritize mitigation to maintain service availability and user trust.

Mitigation Recommendations

1. Upgrade react-native-reanimated to version 3.0.0-rc.1 or later, where the vulnerability is addressed.
2. Review all React Native applications to identify usage of react-native-reanimated and assess whether untrusted input can reach the Colors.js parser.
3. Validate and sanitize inputs that influence color parsing or animation parameters (for example, by capping their length and restricting them to an expected format) so that attacker-controlled strings cannot trigger the vulnerable regular expression.
4. Use runtime monitoring and performance profiling on mobile apps to detect unusual CPU usage patterns that may indicate ReDoS attempts.
5. Coordinate with third-party app providers and development teams to ensure timely patching and updates.
6. Educate developers on secure coding practices for regular expressions and input handling in React Native environments.
7. For critical applications, bound the work done on untrusted input (input-size limits and, where the runtime allows it, timeouts) to prevent prolonged resource consumption during regex processing.

These steps focus on the specific vulnerable component, input control, and operational monitoring relevant to this ReDoS vulnerability.
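To make mitigations 3 and 7 concrete, here is a defensive colour-string parser written for this advisory (an added example, not code from react-native-reanimated or its Colors.js). It bounds the input length before any regular expression runs and keeps every pattern anchored with fixed-width hex and digit runs, so the engine has no nested or overlapping quantifiers to backtrack over. The patterns, `MAX_COLOR_LEN` and the `{r, g, b, a}` result shape are constructed for the example.

```javascript
// Added example, not library code. Two defences are shown:
//  1. a length cap applied before matching (a JS regex cannot be
//     interrupted mid-match, so input size is the real bound on work);
//  2. anchored patterns built from fixed-width runs, which avoid the
//     catastrophic backtracking that CWE-1333 describes.
const MAX_COLOR_LEN = 64;                     // constructed limit

// #rgb, #rgba, #rrggbb, #rrggbbaa
const HEX = /^#([0-9a-f]{3,4}|[0-9a-f]{6}|[0-9a-f]{8})$/i;
// rgb(r,g,b) / rgba(r,g,b,a): \s* and \d{1,3} never overlap, so
// the engine has exactly one way to match any given input.
const RGB = /^rgba?\(\s*(\d{1,3})\s*,\s*(\d{1,3})\s*,\s*(\d{1,3})\s*(?:,\s*(0?\.\d{1,4}|1|0)\s*)?\)$/;

function parseHex(hex) {
  // Expand short forms: #abc -> aabbcc, #abcd -> aabbccdd
  const wide = hex.length <= 4 ? hex.split('').map((c) => c + c).join('') : hex;
  const n = parseInt(wide, 16);
  if (wide.length === 8) {
    return { r: n >>> 24, g: (n >>> 16) & 255, b: (n >>> 8) & 255, a: (n & 255) / 255 };
  }
  return { r: n >>> 16, g: (n >>> 8) & 255, b: n & 255, a: 1 };
}

// Returns {r, g, b, a} for a well-formed colour string, otherwise null.
function parseColor(input) {
  if (typeof input !== 'string') return null;
  // Length guard first: rejects oversized input before any regex work.
  if (input.length > MAX_COLOR_LEN) return null;
  const s = input.trim();
  const hex = HEX.exec(s);
  if (hex) return parseHex(hex[1]);
  const m = RGB.exec(s);
  if (!m) return null;
  const [r, g, b] = [m[1], m[2], m[3]].map(Number);
  if (r > 255 || g > 255 || b > 255) return null;  // out-of-range channel
  const a = m[4] === undefined ? 1 : Number(m[4]);
  return { r, g, b, a };
}

module.exports = { parseColor, MAX_COLOR_LEN };
```

The same shape applies to any parser that runs regular expressions over untrusted strings: reject by size first, then match with patterns whose worst case is linear in the input.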


Technical Details

Data Version: 5.1
Assigner Short Name: snyk
Date Reserved: 2022-02-24T00:00:00.000Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682ce77b4d7c5ea9f4b397b7

Added to database: 5/20/2025, 8:35:07 PM

Last enriched: 7/6/2025, 6:25:12 AM

Last updated: 8/8/2025, 11:50:59 PM
