Description
A vulnerability was found in tarojs taro up to 4.1.1. It has been declared as problematic. This vulnerability affects unknown code of the file taro/packages/css-to-react-native/src/index.js. The manipulation leads to inefficient regular expression complexity. The attack can be initiated remotely. Upgrading to version 4.1.2 is able to address this issue. The name of the patch is c2e321a8b6fc873427c466c69f41ed0b5e8814bf. It is recommended to upgrade the affected component.
References (6)
Core 6
Core References
Third Party Advisory, VDB Entry vdb-entry
https://vuldb.com/?id.311668
Permissions Required, VDB Entry signature
permissions-required
https://vuldb.com/?ctiid.311668
Third Party Advisory, VDB Entry third-party-advisory
https://vuldb.com/?submit.585796
Exploit, Issue Tracking, Patch issue-tracking
https://github.com/NervJS/taro/pull/17619
Release Notes patch
https://github.com/NervJS/taro/releases/tag/v4.1.2
Scores
CVSS v3
4.3
EPSS
0.0050
EPSS Percentile
38.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-1333
CWE-400
Status
published
Products (2)
npm/taro-css-to-react-native
0 - 4.1.2npm
taro/taro
< 4.1.2
Published
Jun 09, 2025
Tracked Since
Feb 18, 2026