MEDIUM

GHSA-x4hg-hfwf-p9mw

@asymmetric-effort/nogginlessdom vulnerable to ReDoS via user-controlled regex in HTMLInputElement pattern validation

Details

## Summary

The `HTMLInputElement.checkValidity()` method constructed a `RegExp` directly from the user-controlled `pattern` property without any sanitization or timeout protection. This allowed an attacker to supply a pattern with catastrophic backtracking, blocking the event loop for as long as the regex engine kept backtracking.

## Fix

Fixed in commit https://github.com/asymmetric-effort/NogginLessDom/commit/25a3cbac665fae5663f8b71c073b80c3152dbe7b on `main`. Added:

- Pattern length limit (1024 characters)
- Nested quantifier detection (`hasNestedQuantifiers`) that rejects patterns like `(a+)+` before constructing the regex
- Patterns exceeding limits are treated as non-matching (safe default)
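The following is an added example in the spirit of the fix described above; it is not NogginLessDom's own code. It applies the same two guards (a 1024-character cap and a nested-quantifier pre-check) before a `RegExp` is ever built, and treats rejected patterns as non-matching. The detection heuristic, the `matchesPattern` helper and the handling of uncompilable patterns are assumptions made for this example.

```javascript
// Added example, not the project's code. The heuristic below is an assumption
// about how a nested-quantifier check can be written; the project's own
// hasNestedQuantifiers may differ.
const MAX_PATTERN_LENGTH = 1024;

// Conservative detector: flags a group that contains any quantifier (directly
// or in a sub-group) and is itself repeated with +, * or {...}, e.g. (a+)+,
// (?:\d*)*, ((a?)b){2,}. Escapes and character classes are skipped as data.
function hasNestedQuantifiers(pattern) {
  const outer = [];           // per open group: had the enclosing level seen a quantifier?
  let sawQuantifier = false;  // quantifier seen at the current nesting level
  for (let i = 0; i < pattern.length; i++) {
    const ch = pattern[i];
    if (ch === '\\') { i++; continue; }                   // escaped char, not syntax
    if (ch === '[') {                                     // skip a character class whole
      for (i++; i < pattern.length && pattern[i] !== ']'; i++) if (pattern[i] === '\\') i++;
      continue;
    }
    if (ch === '(') {
      outer.push(sawQuantifier); sawQuantifier = false;
      if (pattern[i + 1] === '?') i++;                    // (?:  (?=  (?!  (?<name>
      continue;
    }
    if (ch === ')') {
      const innerQuantified = sawQuantifier;
      sawQuantifier = (outer.length ? outer.pop() : false) || innerQuantified;
      const next = pattern[i + 1];
      if (next === '+' || next === '*' || next === '{') { // the group itself is repeated
        if (innerQuantified) return true;
        sawQuantifier = true;
        i++;
      }
      continue;
    }
    if (ch === '+' || ch === '*' || ch === '?' || ch === '{') sawQuantifier = true;
  }
  return false;
}

// Hardened validation path: over-long or nested-quantifier patterns never reach
// the RegExp constructor and are treated as non-matching (the safe default).
function matchesPattern(value, pattern) {
  if (pattern.length > MAX_PATTERN_LENGTH) return false;
  if (hasNestedQuantifiers(pattern)) return false;
  let re;
  try {
    re = new RegExp(`^(?:${pattern})$`, 'u');             // HTML anchors the pattern to the whole value
  } catch {
    return true;   // assumption: an uncompilable pattern imposes no constraint, as in HTML
  }
  return re.test(value);
}
```

Note that the nested-quantifier check is a heuristic: it does not catch every slow pattern (overlapping alternation such as `(a|aa)+` passes it), so the length cap and, where available, a regex engine with linear-time guarantees remain worth having alongside it.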


Affected packages

npm / @asymmetric-effort/nogginlessdom
Introduced in: 0
Fixed in: 0.0.22
Fix: npm install @asymmetric-effort/nogginlessdom@0.0.22
