CVE-2022-24373: 
JavaScript vulnerability analysis and mitigation

The vulnerability CVE-2022-24373 affects the react-native-reanimated package versions before 3.0.0-rc.1. This security flaw is identified as a Regular Expression Denial of Service (ReDoS) vulnerability, which was discovered due to improper usage of regular expressions in the package's color parsing functionality. The vulnerability was disclosed on July 13, 2022, and was officially published on September 29, 2022 (Snyk DB).

The vulnerability stems from a problematic regular expression implementation in the Colors.js parser. The vulnerable regex pattern ^[-+]?\d*.?\d+$ could be exploited to cause catastrophic backtracking, leading to excessive CPU consumption. The vulnerability was assigned a CVSS score of 5.3 (medium) by Snyk, with attack vector being Network, attack complexity Low, and requiring no privileges or user interaction (Snyk DB).

When exploited, this vulnerability can cause performance degradation or service interruptions by forcing the application to process a maliciously crafted input that triggers the vulnerable regular expression pattern. This results in excessive CPU consumption, potentially leading to partial availability issues of the affected service (Snyk DB).

The vulnerability was fixed by updating the regular expression pattern to [-+]?\d*(?:.\d*)?, which prevents catastrophic backtracking. Users should upgrade react-native-reanimated to version 3.0.0-rc.1 or higher to address this vulnerability. The fix was implemented in PR #3382 and included in the 3.0.0-rc.1 release (GitHub Release).