PT-2023-31913 · Ffcss · Ffcss
Sim4N6 · Published 2023-12-28 · Updated 2025-04-29 · CVE-2023-52081
CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions
ffcss versions prior to 0.2.0
Description
The issue arises from the function lookupPreprocess(), which transforms a string by removing the characters matched by the regex [- .]. Because Unicode normalization of type NFKD is applied late, after that filtering, the validation can be bypassed: equivalent Unicode characters pass the filter and are then normalized into the characters in [- .], so the omitted characters are reintroduced. The lookupPreprocess() function is used to search for themes loosely, and the actual security impact is classified as low.

Recommendations
For versions prior to 0.2.0, update to version 0.2.0 to resolve the issue. As a temporary workaround, consider modifying the lookupPreprocess() function to perform Unicode normalization first and then apply the rest of the validations. Restrict access to user-controlled data coming from command args to minimize the risk of exploitation.
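The ordering problem from the description and the normalize-first workaround from the recommendations, side by side, as an added example: this is a Python re-creation written for this page, not ffcss's own Go code. The function names and the sample strings are assumptions constructed for illustration; only the regex [- .] and the NFKD form come from the advisory.

```python
import re
import unicodedata

# Character class the advisory says lookupPreprocess() filters out.
STRIP = re.compile(r"[- .]")


def preprocess_late_normalization(name: str) -> str:
    """Order the advisory describes as vulnerable: filter first, NFKD last."""
    stripped = STRIP.sub("", name)
    return unicodedata.normalize("NFKD", stripped)


def preprocess_normalize_first(name: str) -> str:
    """Order from the workaround: NFKD first, then filter."""
    normalized = unicodedata.normalize("NFKD", name)
    return STRIP.sub("", normalized)


def reintroduced(name: str) -> set:
    """Characters from [- .] still present after the late-normalization order.

    An empty set means the filter held for this input; a non-empty set is the
    condition a regression test for the fix should flag.
    """
    return set(STRIP.findall(preprocess_late_normalization(name)))


# Constructed sample inputs (hypothetical theme names, not from the advisory).
SAMPLES = [
    # Plain ASCII: both orders agree.
    "my-theme v1.0",
    # FULLWIDTH HYPHEN-MINUS, NO-BREAK SPACE, FULLWIDTH FULL STOP: none match
    # the regex, but NFKD maps them to "-", " " and ".".
    "my\uFF0Dtheme\u00A0v1\uFF0E0",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample))
        print("  late normalization :", repr(preprocess_late_normalization(sample)))
        print("  normalize first    :", repr(preprocess_normalize_first(sample)))
        print("  reintroduced       :", sorted(reintroduced(sample)))
```
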
Special Elements Injection
Affected Products
Ffcss