Posting here as unable to contact maintainer.
Doyensec Vulnerability Advisory
- Regular Expression Denial of Service (ReDoS) in ansi-html
- Affected Product: ansi-html <= 0.0.7
- Vendor: https://github.com/Tjatse
- Severity: Low
- Vulnerability Class: Denial of Service
- Status: Open
- Author(s): Ben Caller (Doyensec)
SUMMARY
The npm package ansi-html uses a regular expression which is vulnerable to Regular Expression Denial of Service (ReDoS).
If an attacker provides a malicious string, ansi-html will get stuck processing the input for an extremely long time.
TECHNICAL DESCRIPTION
The vulnerable regular expression is
```
\033\[(\d+)*m
```
Line 62 in 99ec49e
```js
var ret = text.replace(/\033\[(\d+)*m/g, function (match, seq) {
```
Due to the (\d+)* part, this regular expression has catastrophic backtracking when given a long string of digits.
The behaviour occurs as long as the digits are not followed immediately by an 'm'.
The complexity is exponential: increasing the length of the malicious string by one makes processing take about twice as long.
REPRODUCTION STEPS
In nodejs, run:
```js
require('ansi-html')('\x1b[0m\x1b[' + '0'.repeat(35))
```
Notice that node hangs at 100% CPU. Increasing the number of spaces increases the processing time.
On my laptop that would take three minutes to complete, whereas
```js
require('ansi-html')('\x1b[0m\x1b[' + '0'.repeat(53))
```
would take just over one year to complete.
REMEDIATION
Remove the asterisk from the regular expression on line 62.
Doyensec (www.doyensec.com) is an independent security research and development company focused on vulnerability discovery and remediation. We work at the intersection of software development and offensive engineering to help companies craft secure code.
Copyright 2021 by Doyensec LLC. All rights reserved.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting
it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided
that due credit is given. The information in the advisory is believed to be accurate at the time of publishing based on
currently available information, and it is provided as-is, as a free service to the community by Doyensec LLC. There are
no warranties with regard to this information, and Doyensec LLC does not accept any liability for any direct, indirect, or
consequential loss or damage arising from use of, or reliance on, this information.
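
A regression check for the remediation described in the advisory, added here as an example and not part of the original advisory or of ansi-html's own code. It times the quoted pattern and the pattern with the asterisk removed on short unterminated digit runs, and compares their output on constructed inputs; the helper names (`render`, `timeMs`, `doublingTable`) and the sample strings are assumptions made for the example.

```javascript
// Added example: patterns are copied from the advisory, inputs are constructed.
const VULNERABLE = /\033\[(\d+)*m/g; // line 62 as quoted in the advisory
const FIXED = /\033\[(\d+)m/g;       // same pattern with the asterisk removed

// Replace each matched sequence with a visible marker so outputs can be compared.
function render(re, text) {
  return text.replace(re, (match, seq) => `<${seq}>`);
}

// Time one pass over an unterminated sequence: ESC [ followed by n digits, no 'm'.
function timeMs(re, n) {
  const input = '\x1b[0m\x1b[' + '0'.repeat(n);
  const start = performance.now();
  render(re, input);
  return performance.now() - start;
}

// One row per length; the vulnerable column should roughly double per extra digit.
function doublingTable(lengths) {
  return lengths.map((n) => ({
    n,
    vulnerableMs: timeMs(VULNERABLE, n),
    fixedMs: timeMs(FIXED, n),
  }));
}

// Constructed well-formed input: both patterns must produce the same output.
const wellFormed = 'plain \x1b[31mred\x1b[0m \x1b[1mbold\x1b[0m';

// Behavioural difference to review before shipping the fix: without the
// asterisk, the parameterless sequence ESC [ m no longer matches and is
// left untouched in the output.
const emptySeq = 'a\x1b[mb';

console.table(doublingTable([18, 20, 22, 24]));
console.log('same output on well-formed input:',
  render(VULNERABLE, wellFormed) === render(FIXED, wellFormed));
console.log('ESC[m handling:',
  JSON.stringify(render(VULNERABLE, emptySeq)),
  JSON.stringify(render(FIXED, emptySeq)));
```

The lengths are kept small so the vulnerable column stays in the millisecond range while still showing the growth.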