GHSA-x4hg-hfwf-p9mw
@asymmetric-effort/nogginlessdom vulnerable to ReDoS via user-controlled regex in HTMLInputElement pattern validation
Details
## Summary
The `HTMLInputElement.checkValidity()` method constructed a `RegExp` directly from the user-controlled `pattern` property without any sanitization or timeout protection. This allowed an attacker to inject a regex with catastrophic backtracking, freezing the event loop.
## Fix
Fixed in commit https://github.com/asymmetric-effort/NogginLessDom/commit/25a3cbac665fae5663f8b71c073b80c3152dbe7b on `main`. Added:
- Pattern length limit (1024 characters)
- Nested quantifier detection (`hasNestedQuantifiers`) that rejects patterns like `(a+)+` before constructing the regex
- Patterns exceeding limits are treated as non-matching (safe default)
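The shape of that fix, as an added example that is not NogginLessDom's own code: the length limit and a conservative nested-quantifier scan run before any `RegExp` is built, and an unsafe pattern is simply treated as non-matching. The scanning heuristic and the helper names `isSafePattern` / `patternMatches` are assumptions made for illustration.

```javascript
// Added example (not NogginLessDom's code): a hardened pattern check shaped like
// the fix described above. The heuristic inside hasNestedQuantifiers and the
// helper names are assumptions for illustration.
const MAX_PATTERN_LENGTH = 1024; // limit named in the advisory

// Conservative scan: true when a group that already contains a quantifier is
// itself quantified, e.g. (a+)+, (a*)*, ((a+)b)*. Escapes and character classes
// are skipped so that \( and [+*] are not mistaken for groups or quantifiers.
function hasNestedQuantifiers(pattern) {
  const groupHasQuantifier = []; // one flag per currently open group
  for (let i = 0; i < pattern.length; i++) {
    const ch = pattern[i];
    if (ch === '\\') { i++; continue; }                 // skip escaped char
    if (ch === '[') {                                   // skip character class
      while (i < pattern.length && pattern[i] !== ']') {
        if (pattern[i] === '\\') i++;
        i++;
      }
      continue;
    }
    if (ch === '(') { groupHasQuantifier.push(false); continue; }
    if (ch === ')') {
      const inner = groupHasQuantifier.pop() === true;
      const next = pattern[i + 1];
      const quantified = next === '+' || next === '*' || next === '{';
      if (inner && quantified) return true;
      if (groupHasQuantifier.length && (inner || quantified)) {
        groupHasQuantifier[groupHasQuantifier.length - 1] = true; // propagate to parent
      }
      continue;
    }
    if ((ch === '+' || ch === '*' || ch === '{') && groupHasQuantifier.length) {
      groupHasQuantifier[groupHasQuantifier.length - 1] = true;
    }
  }
  return false;
}

function isSafePattern(pattern) {
  return pattern.length <= MAX_PATTERN_LENGTH && !hasNestedQuantifiers(pattern);
}

// Mirrors the safe default in the fix: an unsafe pattern never matches, so the
// RegExp is never constructed and the event loop never runs a backtracking bomb.
function patternMatches(pattern, value) {
  if (!isSafePattern(pattern)) return false;
  let re;
  try { re = new RegExp(`^(?:${pattern})$`, 'u'); } catch { return false; } // invalid syntax: non-matching (assumption)
  return re.test(value);
}
```

The scan is deliberately conservative: it also rejects some benign patterns such as `(\d{3})+`, which is the intended trade-off of a safe default.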
## Affected packages
`@asymmetric-effort/nogginlessdom` (npm), fixed in 0.0.22: `npm install @asymmetric-effort/nogginlessdom@0.0.22`