All versions of package scss-tokenizer are vulnerable to Regular Expression Denial of Service (ReDoS) via the loadAnnotation() function, due to the usage of insecure regex.

https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2936782
https://snyk.io/vuln/SNYK-JS-SCSSTOKENIZER-2339884
https://github.com/sasstools/scss-tokenizer/issues/45
Created gnome-shell-extension-material-shell tracking bugs for this issue:

Affects: fedora-all [bug 2114795]
In comment 0 there is an incorrect link to the upstream issue. https://github.com/sasstools/scss-tokenizer/issues/45 is related to the previous CVE-2021-23382.

The correct upstream issue for CVE-2022-25758 is: https://github.com/sasstools/scss-tokenizer/issues/48

Upstream fix is: https://github.com/sasstools/scss-tokenizer/pull/49