Inefficient Regular Expression Complexity in erxes/erxes

Valid

Reported on Jul 24th 2021


✍️ Description

If we want to use a Regex in our match, search, replace or similar functions, we must sanitize that function's inputs. If an attacker is able to inject a Regex, or to abuse exponential Regexes that are used in our code, a ReDoS vulnerability appears. According to the paper "Freezing the Web: A Study of ReDoS Vulnerabilities in JavaScript-based Web Servers", if the web server is JavaScript-based and runs on Node.js, there is a possibility that one user can mount a DoS attack that affects the response time of the server for all users, since Node.js is single-threaded.

I found this regex, which is used to match a correct email address when new users register on the site:

/^\w+([\.-]?\w+)*@\w+([\.-]?\w+)*(\.\w{2,10})+$/

Obviously you should not use multiple * or + quantifiers after each other, especially when one of them is inside a group and that group can itself be repeated, like this part: \w+)*.

First, I apologize for testing a DoS vulnerability on your main website at erxes.io.

Second, after sending the following payload to the server two or three times, the server went down for approximately 30 seconds [1].

fddfadsfasdflkfjasdkfsdfadfadfadjlfsad@mail.c

Again, I apologize.

💥 Impact

This vulnerability is capable of causing high damage to the server.

[1] https://imgur.com/9mQyNBX

amammad
4 months ago

Researcher


@admin hi dear huntr team

This is a critical vulnerability; as you can see in the picture, the server goes down for 30 seconds with only a small payload. Please immediately find a way to contact the maintainers.

Ziding Zhang
4 months ago

Admin


We haven't got a response from them yet - but you can see the issue here and follow up with them in another way if you have one.

We have contacted a member of the erxes team and are waiting to hear back 2 months ago
erxes/erxes maintainer validated this vulnerability a month ago
amammad has been awarded the disclosure bounty
The fix bounty is now up for grabs
erxes/erxes maintainer confirmed that a fix has been merged on 91a90c a month ago
The fix bounty has been dropped