Regular Expression Denial of Service (ReDoS)

Affecting debug package, versions <2.6.9 || >=3.0.0 <3.1.0

low severity

Overview

debug is a JavaScript debugging utility modelled after Node.js core's debugging technique.

debug uses printf-style formatting. Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the %o formatter (pretty-print an object on a single line). To join the output into one line, it used the regular expression /\s*\n\s*/g to strip surrounding whitespace and replace newlines with spaces. The impact is very low: about 2 seconds of matching time for input 50k characters long.

Regular Expression Denial of Service (ReDoS) is a type of Denial of Service attack. Many regular expression implementations can reach extreme cases in which they run very slowly (with running time exponentially related to input size). An attacker can trigger these cases with specially crafted input, making the service consume excessive CPU and resulting in a Denial of Service.
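The example below is added here and is not the debug project's own code. It places the vulnerable /\s*\n\s*/g replacement beside a linear-time function with the same output (every maximal whitespace run that contains a newline becomes one space), checks both on a constructed util.inspect-style dump, and times them on the regex's worst case, a long whitespace run with no newline in it; the helper names and the sample inputs are assumptions.

```javascript
// Added example, not code from the debug package. In affected versions the %o
// formatter collapsed newlines with /\s*\n\s*/g. On a long whitespace run that
// contains no '\n', every start position lets \s* swallow the run and then
// backtrack one character at a time, so matching time grows quadratically.
const VULNERABLE_RE = /\s*\n\s*/g;
const WS = /\s/; // same character class as \s in the vulnerable pattern

function collapseWithRegex(str) {
  return str.replace(VULNERABLE_RE, ' ');
}

// Linear-time equivalent: one pass that replaces each maximal whitespace run
// containing at least one '\n' with a single space and copies every other
// character (including whitespace runs without a newline) unchanged.
function collapseLinear(str) {
  let out = '';
  let i = 0;
  while (i < str.length) {
    if (!WS.test(str[i])) {
      out += str[i++];
      continue;
    }
    const start = i;
    let sawNewline = false;
    while (i < str.length && WS.test(str[i])) {
      if (str[i] === '\n') sawNewline = true;
      i++;
    }
    out += sawNewline ? ' ' : str.slice(start, i);
  }
  return out;
}

// Wall-clock milliseconds for one call, used only to compare the two paths.
function timeMs(fn, input) {
  const t0 = process.hrtime.bigint();
  fn(input);
  return Number(process.hrtime.bigint() - t0) / 1e6;
}

// Constructed inputs: a multi-line object dump as util.inspect would print it,
// and the regex's worst case (whitespace run with no newline, assumed size).
const SAMPLE = '{ a: 1,\n  b: { c: 2,\n\n    d: [ 3, 4 ] } }';
const WORST_CASE = ' '.repeat(10000) + 'x';

console.log(collapseLinear(SAMPLE)); // '{ a: 1, b: { c: 2, d: [ 3, 4 ] } }'
console.log('regex  ms:', timeMs(collapseWithRegex, WORST_CASE).toFixed(1));
console.log('linear ms:', timeMs(collapseLinear, WORST_CASE).toFixed(1));
```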

You can read more about Regular Expression Denial of Service (ReDoS) on our blog.

Remediation

Upgrade debug to version 2.6.9, 3.1.0 or higher.

Credit: Cristian-Alexandru Staicu
CWE: CWE-400
Snyk ID: npm:debug:20170905
Disclosed: 05 Sep, 2017
Published: 26 Sep, 2017