Inefficient Regular Expression Complexity in Taro by TaroJS
CVE-2025-5896

5.3MEDIUM

Key Information:

Vendor: Tarojs
Status: Taro
Vendor: CVE Published:; 9 June 2025

What is CVE-2025-5896?

A vulnerability exists in versions of Taro by TaroJS up to 4.1.1, specifically within the 'taro/packages/css-to-react-native/src/index.js' file. This issue arises from inefficient regular expression complexity, which could potentially be exploited remotely. Users are strongly advised to upgrade to version 4.1.2, which includes a critical patch (commit ID: c2e321a8b6fc873427c466c69f41ed0b5e8814bf) to address this vulnerability and enhance overall application security.

Affected Version(s)

taro 4.1.0

taro 4.1.1

References

https://vuldb.com/?id.311668

vdb-entry

https://vuldb.com/?ctiid.311668

signaturepermissions-required

https://vuldb.com/?submit.585796

third-party-advisory

CVSS V4

Score:

5.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 9, 2025
Vulnerability Reserved
Jun 9, 2025

Credit

mmmsssttt (VulDB User)

Tarojs

What is CVE-2025-5896?

Affected Version(s)

References

CVSS V4

Timeline

Credit