CVE-2021-33587 Overview
The css-what package versions 4.0.0 through 5.0.0 for Node.js contains an algorithmic complexity vulnerability in its CSS selector parsing functionality. The package does not ensure that attribute parsing maintains Linear Time Complexity relative to the size of the input, which can be exploited by an attacker to cause excessive CPU consumption and denial of service conditions.
Critical Impact
Applications using vulnerable versions of css-what can be rendered unresponsive through specially crafted CSS selector inputs, potentially causing service outages for web applications and Node.js services that depend on this widely-used npm package.
Affected Products
- css-what package versions 4.0.0 through 5.0.0 for Node.js
- NetApp E-Series Performance Analyzer
Discovery Timeline
- 2021-05-28 - CVE-2021-33587 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-33587
Vulnerability Analysis
This vulnerability is classified as an Algorithmic Complexity Attack, a form of denial of service where computational resources are exhausted through inputs that trigger worst-case algorithmic performance. The css-what package is a CSS selector parser that transforms CSS selector strings into Abstract Syntax Trees (ASTs) for further processing by other libraries in the JavaScript ecosystem.
The core issue lies in the attribute parsing logic, which fails to maintain linear time complexity relative to input size. When processing certain malformed or specially crafted CSS selector attribute strings, the parser can enter computational patterns that scale superlinearly (potentially quadratic or exponential) with input length. This allows attackers to submit relatively small malicious inputs that consume disproportionate CPU cycles.
The vulnerability is exploitable over the network without requiring authentication or user interaction, making it particularly dangerous for web-facing applications. While the attack does not compromise data confidentiality or integrity, it can completely disrupt service availability.
Root Cause
The root cause of CVE-2021-33587 is improper algorithmic design in the attribute parsing component of css-what. The parsing logic does not implement appropriate bounds checking or optimization to ensure that processing time scales linearly with input size. This violates security best practices for parser design, where untrusted input should never be able to trigger disproportionate resource consumption.
The vulnerability specifically manifests in how the parser handles attribute selectors within CSS strings. When encountering certain character sequences or patterns in attribute values, the algorithm enters inefficient execution paths that dramatically increase processing time.
Attack Vector
The attack vector for this vulnerability is network-based. An attacker can exploit the vulnerability by submitting malicious CSS selector strings to any application endpoint that processes user-supplied CSS selectors using the vulnerable css-what package. Common attack scenarios include:
The attacker crafts CSS selector strings with specific attribute patterns designed to trigger worst-case parsing performance. These malicious selectors are then submitted to web applications through form fields, API endpoints, or any input mechanism that feeds into css-what parsing functions. Even a single malicious request can monopolize server CPU resources, and sustained attacks can render the application completely unresponsive.
Applications that use css-what as a transitive dependency through higher-level CSS processing libraries (such as css-select or cheerio) are also affected, expanding the potential attack surface significantly.
Detection Methods for CVE-2021-33587
Indicators of Compromise
- Abnormal CPU utilization spikes in Node.js processes handling CSS parsing operations
- Increased response times or timeouts on endpoints that process CSS selectors
- Memory consumption anomalies in application servers running css-what-dependent code
- Error logs showing parsing operations that fail to complete within expected timeframes
Detection Strategies
- Implement application performance monitoring (APM) to detect unusual latency in CSS parsing operations
- Deploy dependency scanning tools to identify vulnerable css-what versions across your codebase and container images
- Configure resource monitoring alerts for Node.js processes with thresholds for CPU and memory consumption
- Review package-lock.json and yarn.lock files to identify both direct and transitive dependencies on css-what
Monitoring Recommendations
- Set up automated dependency auditing using npm audit or similar tools in CI/CD pipelines
- Monitor application logs for patterns indicating parsing operations taking longer than expected
- Implement rate limiting and request timeout policies on endpoints that accept CSS selector input
- Deploy SentinelOne Singularity Platform to detect anomalous process behavior and resource exhaustion attacks
How to Mitigate CVE-2021-33587
Immediate Actions Required
- Upgrade css-what to version 5.0.1 or later, which contains the fix for this vulnerability
- Run npm audit or yarn audit to identify all instances of vulnerable css-what versions in your dependency tree
- Review transitive dependencies by checking if higher-level packages (css-select, cheerio, etc.) have updated their css-what dependency
- Implement input validation and size limits on any user-supplied CSS selector strings
Patch Information
The vulnerability has been patched in css-what version 5.0.1. The fix ensures that attribute parsing maintains linear time complexity regardless of input characteristics. Organizations should update to this version or later as soon as possible.
For detailed patch information, see the GitHub Release v5.0.1. Additional advisories are available from NetApp Security Advisory NTAP-20210706-0007 and Debian LTS Announce March 2023.
Workarounds
- Implement strict input validation to reject abnormally long or complex CSS selector strings before they reach the parser
- Apply request timeouts on endpoints that process CSS selectors to prevent resource exhaustion
- Use rate limiting to restrict the number of CSS parsing requests from individual clients
- Consider sandboxing CSS parsing operations in separate worker processes with resource limits
# Update css-what to patched version
npm update css-what@^5.0.1
# Alternatively, force resolution in package.json
# Add to package.json resolutions (for yarn) or overrides (for npm):
# "resolutions": { "css-what": "^5.0.1" }
# Audit dependencies for vulnerable versions
npm audit --production
# Check specific package version installed
npm list css-what
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
