Reddit: Regular Expression Denial of Service vulnerability


## Summary: The vulnerability I have found is classified as a Regular Expression Denial of Service. While inspecting the source code file [RealtimeGQLSubscriptionAsync.js](https://www.redditstatic.com/desktop2x/RealtimeGQLSubscriptionAsync.226119a9ae841bb563eb.js) I came across the node_module subscriptions-transport-ws (See Screenshot 1). The search result of the [subscriptions-transport-ws package](https://www.npmjs.com/package/subscriptions-transport-ws) on npmjs.com displayed a large deprecation warning at the top of the page (See Screenshot 2) so I decided to research further. The read-me file within the package [github repository](https://github.com/apollographql/subscriptions-transport-ws) states that the package has been largely unmaintained since 2018 and that users should migrate to graphql-ws (See Screenshot 3). Doing a [quick search in the issues tab](https://github.com/apollographql/subscriptions-transport-ws/issues?q=is%3Aissue+is%3Aclosed+vulnerability) for the keyword "vulnerability" I came across an issue where the github user PabloJomer pointed out that the package.json lists a vulnerable dependency called ws (See Screenshot 4) The vulnerable package is listed on the NIST National Vulnerability Database under [CVE-2021-32640](https://nvd.nist.gov/vuln/detail/CVE-2021-32640) with a Base Score of 5.3. Further details and a PoC can be found on the Snyk Vulnerability database located [here](https://security.snyk.io/vuln/SNYK-JS-WS-1296835) (See Screenshot 5). The policy has some conflicting information so I wasn't exactly sure about what I should do about this vulnerability. The out-of-scope section states "Previously known vulnerabilities without a working Proof of Concept" but two sections later it is states to not attempt denial of services attacks. (See screenshot 5) The vulnerability I have found is a Regular expression denial of service but I am strictly forbidden from attempting any denial of service attacks. I believe I have clearly outlined the existence of a vulnerable dependency within you domain and if given the opportunity I could successfully execute the PoC vulnerability as described in the snyk link mentioned above. ## Impact: Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process. The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down. ## Supporting Material/References: [OWASP - Regular expression Denial of Service - ReDos](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS) ## Impact The ReDos vulnerability can be used to take down your entire site.