Platform
nodejs
Component
ansi-regex
Fixed in
5.0.1
6.0.1
CVE-2021-3807 is a ReDoS (Regular Expression Denial of Service) vulnerability in the ansi-regex package for Node.js. An attacker who can place a crafted ANSI escape sequence in front of the package's regular expression can make the match run for seconds, blocking the Node.js event loop and denying service to everything else the process handles. Every release before the patched version of its major line is affected: 5.0.1 and 6.0.1 as listed above, with the same fix backported as 3.0.1 and 4.1.1.
The defect is the complexity of the regular expression itself. In the affected pattern, the optional alphanumeric prefix and the parameter loop that follows it can both match the empty string, so a run of ';' after the ESC '[' introducer can be divided between the leading character class and the loop in O(n) ways. When the string has no terminating byte, no alternative can ever match, and the engine tries every division before giving up, so the cost grows quadratically with input length (the public PoC shows the time roughly quadrupling each time the input doubles). Because V8 runs the match on the main thread, the process does not crash; it simply stops servicing the event loop for as long as the match takes, which for a few tens of kilobytes of ';' is seconds per call. The exposure is real wherever untrusted text reaches ansi-regex, which in practice is through strip-ansi, string-width and the CLI table, progress-bar and logging libraries built on them: a short malicious string is enough to stall the process.
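As an added illustration (not code from the ansi-regex project and not the page's PoC), the block below puts the pre-fix and post-fix patterns side by side and times both on the PoC-shaped input. The two pattern strings are reproduced from memory of ansi-regex 5.0.0 and 5.0.1 `index.js`; check them against the published tarballs before relying on them. The attack string shape, the size 10000 and the helper names are assumptions made for this example.

```javascript
'use strict';

// Pattern as in ansi-regex 5.0.0 (vulnerable), reproduced from memory of index.js.
// `[a-zA-Z\d]*` and the `(?:;[...]*)*` loop both accept the empty string, so a run
// of ';' can be split between the leading `[[\]()#;?]*` and the loop in O(n) ways,
// and every split is retried when the closing \u0007 never arrives.
const VULNERABLE_PATTERN = [
  '[\\u001B\\u009B][[\\]()#;?]*(?:(?:(?:[a-zA-Z\\d]*(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]*)*)?\\u0007)',
  '(?:(?:\\d{1,4}(?:;\\d{0,4})*)?[\\dA-PR-TZcf-ntqry=><~]))',
].join('|');

// Pattern as in ansi-regex 5.0.1 (fixed), reproduced from memory of index.js.
// Each ';' in the loop must now be followed by at least one parameter character,
// and the letter/digit prefix must be non-empty, so a bare run of ';' fails after one pass.
const FIXED_PATTERN = [
  '[\\u001B\\u009B][[\\]()#;?]*(?:(?:(?:(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]+)*|[a-zA-Z\\d]+(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]*)*)?\\u0007)',
  '(?:(?:\\d{1,4}(?:;\\d{0,4})*)?[\\dA-PR-TZcf-ntqry=><~]))',
].join('|');

// Same construction as the package: global unless the caller wants only the first match.
function makeRegex(pattern, onlyFirst = false) {
  return new RegExp(pattern, onlyFirst ? undefined : 'g');
}

// PoC-shaped input (constructed here): an ESC '[' introducer, n semicolons, no terminator.
function attackString(n) {
  return '\u001B[' + ';'.repeat(n);
}

// Strip escape sequences with whichever pattern is supplied.
function stripAnsi(pattern, input) {
  return input.replace(makeRegex(pattern), '');
}

// Wall-clock cost of a single test() call in milliseconds (performance is a Node global).
function timeTest(pattern, input) {
  const re = makeRegex(pattern);
  const t0 = performance.now();
  re.test(input);
  return performance.now() - t0;
}

// Time at size n and at 2n. A linear pattern roughly doubles; the quadratic one roughly quadruples.
function growth(pattern, n) {
  const small = timeTest(pattern, attackString(n));
  const large = timeTest(pattern, attackString(2 * n));
  return { small, large, ratio: large / Math.max(small, 1e-3) };
}

if (typeof require !== 'undefined' && require.main === module) {
  // Both patterns agree on legitimate sequences (constructed sample).
  const sample = '\u001B[1;31mbold red\u001B[0m done';
  console.log(JSON.stringify(stripAnsi(VULNERABLE_PATTERN, sample)),
              JSON.stringify(stripAnsi(FIXED_PATTERN, sample)));
  // They differ only in how long they take to fail on the PoC shape.
  for (const [name, pattern] of [['5.0.0', VULNERABLE_PATTERN], ['5.0.1', FIXED_PATTERN]]) {
    const g = growth(pattern, 10000);
    console.log(`${name}: n=10000 ${g.small.toFixed(1)} ms, n=20000 ${g.large.toFixed(1)} ms, ratio ${g.ratio.toFixed(1)}`);
  }
}
```

Run it with `node` and watch the ratio column: the 5.0.0 pattern lands near 4, the 5.0.1 pattern stays near 2 and finishes in well under a millisecond. Raising `n` to 50000 turns the 5.0.0 call into a multi-second stall, which is the whole attack.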
This vulnerability was publicly disclosed on September 20, 2021. A proof-of-concept (PoC) demonstrating the ReDoS vulnerability has been released, making exploitation relatively straightforward. While there are no confirmed reports of active exploitation campaigns targeting this specific vulnerability, the availability of a PoC increases the risk of opportunistic attacks. The vulnerability is not currently listed on CISA KEV, but its ease of exploitation warrants monitoring.
Applications and services built on Node.js that use the ansi-regex package are at risk. This includes command-line tools, terminal emulators, logging utilities, and any application that processes ANSI escape codes. ansi-regex is rarely a direct dependency; it usually arrives through strip-ansi, string-width and the CLI formatting libraries built on them, so a project can be affected without naming the package anywhere in its own package.json. Projects carrying an unpatched copy anywhere in their dependency tree, and those that pass untrusted text to ANSI-stripping code without bounding its length, are the ones that matter.
• nodejs / server: list every installed copy of ansi-regex (nested copies under several packages are common) and compare each version with the fixed releases:
npm ls ansi-regex --all
find . -path '*/node_modules/ansi-regex/package.json' -exec grep -H '"version"' {} +
• nodejs / server: a ReDoS stall leaves no distinctive log line; it shows up as a node process pinned at 100% of one core whose event loop stops answering. Check CPU and elapsed time of the running node processes rather than grepping logs for the package name:
ps -o pid,pcpu,etime,args -C node
• generic web: correlate latency spikes or health-check timeouts with those CPU spikes, and trace which untrusted text (user input, HTTP headers, ingested log lines) reaches ANSI-stripping code.
Timeline: disclosure, proof of concept, patch
Exploit status
EPSS
0.21% (44th percentile)
CVSS vector
The primary mitigation for CVE-2021-3807 is to move every copy of ansi-regex in the dependency tree to the patched release of its major line: 5.0.1 for 5.x and 6.0.1 for 6.x (3.0.1 and 4.1.1 carry the same fix for older lines). Note that 6.x is pure ESM, so a CommonJS project should stay on 5.0.1 rather than jump to the latest major. If upgrading is not immediately feasible, bound the input before it reaches ansi-regex: cap the length of any string handed to ANSI-stripping code, since the cost grows with the square of the length, and reject or truncate anything above the cap. A Web Application Firewall or proxy can help only for inputs that arrive over HTTP; the ESC byte (0x1B) has no business in most request fields and is easy to block, but it does nothing for log lines or other local sources. After upgrading, confirm the fix by running the PoC-shaped string (ESC '[' followed by tens of thousands of ';') through the installed package and verifying that the call returns within a small, fixed CPU budget.
Update the ansi-regex dependency to 5.0.1, 6.0.1 or a later release of its line. `npm install ansi-regex@latest` or `yarn upgrade ansi-regex@latest` only changes a direct dependency; for the transitive copies that usually carry this package, run `npm audit fix`, or pin the version for the whole tree with an `overrides` entry in package.json (npm 8.3+) or a `resolutions` entry (yarn), then re-run `npm ls ansi-regex --all` to confirm no unpatched copy remains.
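An added example, mine rather than the project's, of the two controls described above: an interim length guard for code that cannot upgrade yet, and a CPU-budget check to run after the upgrade. `DEMO_STRIP` is a deliberately simplified CSI-only stripper assumed here so the block runs without the package installed; in real use pass the installed `strip-ansi` (or `ansi-regex` wrapped in a replace) as the `stripper` argument. The 16 KiB cap, the 200000-character probe and the 1000 ms budget are assumptions to be tuned per deployment.

```javascript
'use strict';

// Assumed policy for this example: nothing legitimately handed to an ANSI stripper
// here exceeds 16 KiB. Use the smallest cap your inputs allow; on the vulnerable
// pattern the worst case is still quadratic below the cap, just bounded.
const MAX_ANSI_INPUT = 16 * 1024;

// Illustrative stand-in for the real package: CSI sequences only, one bounded
// quantifier, linear in input length. Not the ansi-regex grammar.
const DEMO_STRIP = (s) => s.replace(/[\u001B\u009B]\[[0-9;?]*[A-Za-z]/g, '');

// Interim control: bound the input before it reaches any regex. Reject by default
// so oversized input is visible; 'truncate' keeps the prefix for best-effort display.
function guardedStrip(input, stripper = DEMO_STRIP, { maxLength = MAX_ANSI_INPUT, mode = 'reject' } = {}) {
  if (typeof input !== 'string') throw new TypeError('input must be a string');
  if (input.length > maxLength) {
    if (mode === 'reject') {
      throw new RangeError(`ANSI input of ${input.length} chars exceeds cap of ${maxLength}`);
    }
    input = input.slice(0, maxLength);
  }
  return stripper(input);
}

// Post-upgrade check: feed the PoC shape (ESC '[' then n ';' and no terminator,
// constructed here) and require the call to finish inside a CPU budget. Run it in
// CI against the installed stripper so a regression of the pattern fails the build.
function withinBudget(stripper, n = 200000, budgetMs = 1000) {
  const poc = '\u001B[' + ';'.repeat(n);
  const t0 = performance.now(); // Node global
  stripper(poc);
  const elapsedMs = performance.now() - t0;
  return { ok: elapsedMs <= budgetMs, elapsedMs, n };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(guardedStrip('\u001B[32mok\u001B[0m'));
  try {
    guardedStrip('x'.repeat(MAX_ANSI_INPUT + 1));
  } catch (e) {
    console.log('rejected:', e.message);
  }
  console.log(withinBudget(DEMO_STRIP));
}
```

Wire `guardedStrip` in front of every call site that takes external text, and keep `withinBudget` in the test suite with the real stripper: it is the only check that proves the installed copy, not just the declared version, is the fixed one.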
CVE-2021-3807 is a denial-of-service vulnerability in the ansi-regex package for Node.js. Attackers can trigger excessive CPU usage by providing malicious ANSI escape codes.
You are affected if any copy of ansi-regex in your Node.js project's dependency tree, direct or transitive, is older than the patched release of its major line: 5.0.1 for 5.x or 6.0.1 for 6.x.
Upgrade to version 6.0.1 or later of the ansi-regex package. Consider input validation as a temporary mitigation.
While there are no confirmed reports of active exploitation, the availability of a PoC increases the risk of opportunistic attacks.
Refer to the ansi-regex GitHub repository for updates and advisories: https://github.com/chalk/ansi-regex