
High vulnerability ReDoS in normalize-url · Issue #11054 · facebook/create-react-app

Closed

Description

@corradin

There is a Regular Expression Denial of Service (ReDoS) vulnerability in the normalize-url dependency.

This is the dependency tree:

  1. react-components@0.1.0 › react-scripts@4.0.3 › mini-css-extract-plugin@0.11.3 › normalize-url@1.9.1
  2. react-components@0.1.0 › react-scripts@4.0.3 › optimize-css-assets-webpack-plugin@5.0.4 › cssnano@4.1.11 › cssnano-preset-default@4.0.8 › postcss-normalize-url@4.0.1 › normalize-url@3.3.0

The vulnerability has been fixed in normalize-url versions 6.0.1, 5.3.1 and 4.5.1.

  1. The latest version (1.6.0) of mini-css-extract-plugin doesn't have a dependency on normalize-url anymore so including that one in react-scripts would solve this vulnerability issue.
  2. The latest version of postcss-normalize-url still uses the unfixed version of normalize-url (4.5.0). This can be fixed by using the latest version (6.6.0) of optimize-css-assets-webpack-plugin.

Activity

pfg-matt commented on Jun 7, 2021

Many are facing this exact issue.
I work for an AppSec department at a global financial services corporation that has small armies of compliance personnel who care a lot about the collection of postcss vulnerabilities of which this is one. In the current context, that results in largely wasted/unproductive work.
Across the globe, the development teams that I support must deploy safe-enough software. Even under the best of conditions, this is a serious challenge.
Please invest the effort to get this upgrade prioritized, completed and deployed. There are real, material costs (to say nothing about the exploit risks) to the extended period required to purge the broader collection of postcss-related vulnerabilities https://github.com/facebook/create-react-app/issues?q=is%3Aissue+is%3Aopen++postcss.

added a commit that references this issue on Jun 10, 2021
added a commit that references this issue on Jun 11, 2021
added a commit that references this issue on Jun 17, 2021
davidhjones commented on Jun 21, 2021

Related issue #11012

added a commit that references this issue on Jun 22, 2021


Participants: @gaearon, @corradin, @davidhjones, @pfg-matt