Inefficient Regular Expression Complexity in chatwoot/chatwoot

Valid
Reported on Jun 30th 2021

✍️ Description

If we use a regex in our match, search, replace or similar functions, the inputs to those functions must be sanitized. If an attacker can inject a regex, or abuse a badly written regex already used in our code, a ReDoS vulnerability appears. According to the paper "Freezing the Web: A Study of ReDoS Vulnerabilities in JavaScript-based Web Servers", when the web server is JavaScript-based and runs on Node.js, a single user can mount a DoS attack that affects the response time of all users of the server, because Node.js executes requests on a single thread.

🕵️‍♂️ Proof of Concept

// payload
a= "<style fdasfsafafasdfasfasdfs<\/style> "

According to [1], the mentioned line is vulnerable to ReDoS; the stripStyleCharacters method is used in [2], and in the end the bad regex is used in the Conversations section of Chatwoot. I started sending messages from my Gmail to the mail address created in the conversations section, and I exponentially increased the length of the payload like this: a, 2*a, 4*a, ... 200*a, and measured the notification time on both my other email and the conversation box; it obviously takes much more time with the 200*a payload. You can test it in your own way.
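The report's method (repeat the payload, keep doubling its length, time the result) also makes a useful regression check once a backtracking regex has been replaced. The following JavaScript is an added example, not part of the original report and not Chatwoot's code: it strips `<style>` blocks with forward-moving cursors instead of a regex, caps the accepted input length, and records how the runtime grows as the payload doubles. The names `stripStyleBlocks`, `growthProfile`, `MAX_BODY_LENGTH` and the sample unit are assumptions of this example, not identifiers from Chatwoot.

```javascript
// Added example (not Chatwoot's code): a non-backtracking <style> block
// stripper with a length guard and a growth probe. All names are assumed.

const MAX_BODY_LENGTH = 1_000_000; // assumed cap; a ReDoS needs room to grow
const OPEN = '<style';
const CLOSE = '</style>';
const TAG_END_CHARS = ' \t\n\r\f>/'; // what may follow "<style" in a real tag

// Is position i in `lower` the start of a genuine <style ...> tag rather
// than, say, "<stylesheet"? Looks at one character, so constant time.
function isStyleTagAt(lower, i) {
  const next = lower[i + OPEN.length];
  return next === undefined || TAG_END_CHARS.includes(next);
}

// Linear time: both cursors only ever move forward, so every character is
// inspected a bounded number of times no matter how the input is shaped.
function stripStyleBlocks(html) {
  if (typeof html !== 'string') return '';
  if (html.length > MAX_BODY_LENGTH) {
    throw new RangeError(`body exceeds ${MAX_BODY_LENGTH} characters`);
  }
  const lower = html.toLowerCase(); // case-insensitive without an /i regex
  let out = '';
  let cursor = 0;
  while (cursor < html.length) {
    // locate the next genuine <style tag at or after the cursor
    let open = lower.indexOf(OPEN, cursor);
    while (open !== -1 && !isStyleTagAt(lower, open)) {
      open = lower.indexOf(OPEN, open + 1);
    }
    if (open === -1) {
      out += html.slice(cursor); // no more blocks: copy the tail
      break;
    }
    out += html.slice(cursor, open); // keep text before the block
    const close = lower.indexOf(CLOSE, open + OPEN.length);
    if (close === -1) break; // unterminated block: drop the remainder
    cursor = close + CLOSE.length;
  }
  return out;
}

// Regression probe mirroring the report's method: double the payload and
// record wall-clock time per run. For a linear sanitizer the ms column grows
// roughly with n; a super-linear jump between rows is the signal to look at.
function growthProfile(sanitize, unit, doublings) {
  const rows = [];
  let n = 1;
  for (let d = 0; d <= doublings; d++) {
    const input = unit.repeat(n);
    const start = process.hrtime.bigint();
    const output = sanitize(input);
    const ms = Number(process.hrtime.bigint() - start) / 1e6;
    rows.push({ n, inputLength: input.length, outputLength: output.length, ms });
    n *= 2;
  }
  return rows;
}

// Constructed sample, shaped like the payload unit quoted in the report.
const SAMPLE_UNIT = '<style fdasfsafafasdfasfasdfs</style> ';

// Prints one row per doubling; with the linear stripper the times stay flat.
console.table(growthProfile(stripStyleBlocks, SAMPLE_UNIT, 8));
```

Where a regex is still wanted for the match itself, a linear-time engine such as an RE2 binding removes the backtracking blow-up entirely; the length cap remains worthwhile in either case, because it bounds the work a single message can demand from the event loop that serves every other user.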

💥 Impact

This vulnerability can directly impact the availability of the whole system.

We have contacted a member of the chatwoot team and are waiting to hear back a month ago
amammad modified their report
a month ago
Jamie Slome
19 days ago
Admin

Hey all, just a heads up that we adjusted the CWE to Inefficient Regular Expression Complexity on request from the disclosing researcher.

amammad
13 days ago
Researcher

Hi, dear Chatwoot team. I just want to know that you have received this report, and if I can help you more and more, just tell me now. Have good developer days :)

Pranav Raj S validated this vulnerability 11 days ago
amammad has been awarded the disclosure bounty
$80
The fix bounty is now up for grabs
$20
Pranav Raj S confirmed that a fix has been merged on aa7db9 11 days ago
The fix bounty has been dropped
$20
amammad
11 days ago
Researcher

Thank you so much, dear Pranav. I encourage to find more bugs in your application.

Jamie Slome
10 days ago
Admin

Waiting to publish the CVE:

https://github.com/CVEProject/cvelist/pull/2281