VYPR
High severity · NVD Advisory · Published Jan 3, 2023 · Updated Mar 10, 2025

Regular expression Denial of Service in MooTools

CVE-2021-32821

Description

MooTools CSS selector parser is vulnerable to ReDoS, allowing denial of service via crafted input.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

CVE-2021-32821 describes a Regular Expression Denial of Service (ReDoS) vulnerability in the MooTools JavaScript library, affecting the CSS selector parser. The parser uses poorly constructed regular expressions that exhibit exponential backtracking when processing specially crafted input strings, causing CPU consumption that degrades performance or causes denial of service. This vulnerability is present across all known versions of MooTools [1][2].

Exploitation

An attacker exploits this vulnerability by getting a crafted string into a CSS selector that is parsed at runtime. This attack surface is common in web applications that build CSS selectors from user input, such as those using jQuery-style selectors. No authentication or special network position is needed; any means of influencing the selector expression is sufficient [1][2].

Impact

Successful exploitation leads to a denial of service condition. The ReDoS attack forces the regular expression engine into catastrophic backtracking, which can consume large amounts of CPU time, potentially causing the application or server to become unresponsive. This can disrupt availability for legitimate users [2].

Mitigation

No official patch is available for this issue. The MooTools maintainers have classified it as a low-impact, wontfix issue because the project is no longer actively developed. Users are advised to migrate to an actively maintained library or, if necessary, to sanitize selector input or substitute ReDoS-safe regular expressions in applications that rely on MooTools' selector parser [1][2][3].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: mootools (npm)
Affected versions: <= 1.5.2
Patched versions: none

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"The CSS selector parser in MooTools uses a regular expression with inefficient complexity, leading to uncontrolled resource consumption."

Attack vector

An attacker can trigger this vulnerability by injecting a specially crafted string into a CSS selector at runtime. This is often possible in applications that use CSS selectors, such as those that leverage jQuery. A long string of the right shape drives the vulnerable regular expression into excessive backtracking and exhausts CPU [1].

Affected code

The vulnerability resides within MooTools' CSS selector parser. The issue stems from a regular expression that exhibits inefficient complexity, allowing for Regular Expression Denial of Service (ReDoS). An example provided shows a vulnerable regex /(\w+_)+(\d+)/ and a proposed fix that makes the inner repetition more specific [1].

What the fix does

No patches are available for this issue. The advisory suggests rewriting the regular expression to remove the ambiguity, specifically by changing the inner repetition so that it matches groups of letters that must end with an underscore. In the example /(\w+_)+(\d+)/, \w itself matches the underscore, so the engine can split a run of underscored words between iterations of the outer group in exponentially many ways; restricting the inner repetition to characters other than the underscore leaves only one way to match, which makes the regex safer [1].
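The advisory's example pattern beside a hardened variant, as an added example (not MooTools' own code, and not the actual Slick parser expression): the hardened regex /([A-Za-z0-9]+_)+(\d+)/ is assumed here as one way to apply the fix described above, and the timing loop shows the vulnerable pattern's work roughly doubling with each extra "a_".

```javascript
// Added example (not MooTools code): the advisory's illustrative ReDoS
// pattern /(\w+_)+(\d+)/ next to a hardened variant. The hardened regex is
// an assumption based on the advisory's description: because \w also matches
// "_", the groups in (\w+_)+ overlap and a failing match can be split 2^n
// ways; excluding "_" from the inner class lets each "_" close only one group.
const VULNERABLE_RE = /(\w+_)+(\d+)/;
const HARDENED_RE = /([A-Za-z0-9]+_)+(\d+)/;

// Constructed worst-case input: n repetitions of "a_" followed by a character
// that is not a digit, so the engine must try every way of grouping the
// underscores before it can report "no match".
function craftInput(n) {
  return "a_".repeat(n) + "!";
}

// Run one regex against one input and report the outcome plus wall time.
function measure(re, input) {
  const start = process.hrtime.bigint();
  const match = re.exec(input);
  const elapsedMs = Number(process.hrtime.bigint() - start) / 1e6;
  return { matched: match !== null, elapsedMs };
}

// Both regexes accept the same well-formed input, so the hardened pattern is
// a drop-in replacement for benign strings; only the ambiguity is removed.
function sameAnswerOnBenignInput() {
  const benign = "foo_bar_42";
  const v = VULNERABLE_RE.exec(benign);
  const h = HARDENED_RE.exec(benign);
  return v !== null && h !== null && v[0] === h[0];
}

function demo() {
  // Each extra "a_" roughly doubles the vulnerable pattern's work.
  for (const n of [10, 14, 18]) {
    const r = measure(VULNERABLE_RE, craftInput(n));
    console.log(`vulnerable n=${n}: matched=${r.matched} ${r.elapsedMs.toFixed(1)} ms`);
  }
  // The hardened pattern copes with an input 100x longer without exponential cost.
  const r = measure(HARDENED_RE, craftInput(2000));
  console.log(`hardened n=2000: matched=${r.matched} ${r.elapsedMs.toFixed(1)} ms`);
  console.log(`benign input agrees: ${sameAnswerOnBenignInput()}`);
}

demo();
```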

Preconditions

  • input: The attacker must be able to inject a string into a CSS selector at runtime.

Reproduction

Clone the repository:

    git clone git@github.com:mootools/mootools-core.git

Run the following with node:

    var Slick = require("./mootools-core/Source/Slick/Slick.Parser.js");
    Slick.Slick.parse(":a(''''''''''''''''''''''''''''''''''''''''''''''''''''''");

Generated on Jun 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 4
