Bug 2383844 (CVE-2025-8263)

Summary: CVE-2025-8263 prettier: prettier parseNestedCSS ReDoS
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: unspecifiedCC: aazores, abarbaro, adkhan, adudiak, alcohan, anjoseph, anpicker, asoldano, bbaranow, bmaxwell, bparees, brasmith, brian.stansberry, caswilli, cdewolf, chfoley, cmah, cochase, darran.lofthouse, dbosanac, dhanak, dkreling, dosoudil, dranck, drosa, dsimansk, eaguilar, ebaron, fjuma, gmalinko, gotiwari, gparvin, gryan, gzaronik, haoli, hasun, hkataria, ibek, istudens, ivassile, iweiss, jajackso, janstey, jbalunas, jcammara, jchui, jfula, jgrulich, jhe, jhorak, jhuff, jkoehler, jmitchel, jneedle, jolong, jowilson, jprabhak, jreimann, jrokos, jscholz, jwendell, jwong, kaycoth, kegrant, kingland, koliveir, kshier, ktsao, kverlaen, lball, lchilton, lgao, lphiri, mabashia, matzew, mdessi, mnovotny, mosmerov, mrizzi, msochure, msvehla, mvyas, mwringe, nboldt, ngough, njean, nwallace, nyancey, omaciel, ometelka, owatkins, pahickey, pbraun, pcattana, pdelbell, pesilva, pjindal, pmackay, psrna, ptisnovs, rcernich, rhaigner, rstancel, rstepani, sausingh, sdawley, sfeifer, shvarugh, simaishi, smaestri, smcdonal, stcannon, swoodman, syedriko, teagle, tfister, thavo, tom.jenkinson, tpopela, ttakamiy, veshanka, wtam, xdharmai, yguenane
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A regular expression denial of service flaw has been discovered in the prettier code formatter tool. This flaw allows and attacker who has access to input source files to induce a denial of service.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2384000, 2384001, 2384003, 2384006, 2384007, 2384008, 2384010, 2384012, 2384016, 2384020, 2384021, 2384023, 2384024, 2384028, 2384002, 2384004, 2384005, 2384014, 2384015, 2384017, 2384018, 2384019, 2384022, 2384025, 2384026, 2384027, 2384029    
Bug Blocks:    

Description OSIDB Bzimport 2025-07-28 08:01:44 UTC 
A vulnerability was found in prettier up to 3.6.2. It has been declared as problematic. Affected by this vulnerability is the function parseNestedCSS of the file src/language-css/parser-postcss.js. The manipulation of the argument node leads to inefficient regular expression complexity. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.