Platform
javascript
Component
html-minifier
CVE-2022-37620 describes a Regular Expression Denial of Service (ReDoS) vulnerability discovered in the html-minifier library, specifically affecting versions up to 4.0.0. This flaw arises from the reCustomIgnore regular expression, which can be exploited to trigger excessive CPU consumption. Successful exploitation can lead to denial of service, impacting applications relying on this library for HTML minification. Updating to a patched version is the recommended solution.
The ReDoS vulnerability in html-minifier allows an attacker to craft malicious HTML input that, when processed by the library, triggers an exponential increase in CPU usage. This is due to the complexity of the reCustomIgnore regular expression. An attacker could provide a specially crafted HTML string, causing the minifier to enter an infinite loop or consume an unreasonable amount of resources. The impact is primarily denial of service, rendering the application or service unavailable. The blast radius depends on the deployment context; if html-minifier is used in a critical web application, the impact could be widespread. While not directly leading to data exfiltration, prolonged DoS can disrupt legitimate user access and potentially mask other malicious activities. The vulnerability's reliance on regular expression processing makes it similar in nature to other ReDoS vulnerabilities seen in various parsing libraries.
CVE-2022-37620 was published on 2022-10-31. The vulnerability's severity is rated as HIGH (CVSS 7.5). There is no indication of this vulnerability being actively exploited in the wild, nor is it currently listed on KEV or EPSS. Public proof-of-concept (POC) code is likely to be available or easily created due to the nature of ReDoS vulnerabilities and the well-understood principles of regular expression exploitation. Refer to the NVD entry for further details: [https://nvd.nist.gov/vuln/detail/CVE-2022-37620](https://nvd.nist.gov/vuln/detail/CVE-2022-37620).
Exploit Status
EPSS
0.48% (65th percentile)
CVSS Vector
The primary mitigation for CVE-2022-37620 is to upgrade to a patched version of html-minifier that addresses the ReDoS flaw. Check the library's release notes for the latest version. If upgrading is not immediately feasible due to compatibility concerns or breaking changes, consider implementing input validation to sanitize HTML input before passing it to the html-minifier. This could involve limiting the complexity of HTML structures or filtering out potentially problematic elements. As a temporary workaround, consider disabling the reCustomIgnore feature if it's not essential for your application. Monitor CPU usage on systems running html-minifier to detect potential ReDoS attacks. After upgrading, confirm the fix by testing with known malicious HTML payloads designed to trigger ReDoS conditions.
Upgrade to a fixed version of html-minifier that resolves the ReDoS vulnerability in the reCustomIgnore regular expression. Consult the project repository for more information on the fixed versions.
It's a Regular Expression Denial of Service (ReDoS) vulnerability in the html-minifier library, allowing attackers to cause excessive CPU usage and disrupt service.
You are affected if you are using html-minifier versions 4.0.0 or earlier. Check your project dependencies to determine if you are using this library.
Upgrade to a patched version of html-minifier. If upgrading isn't possible immediately, implement input validation or disable the reCustomIgnore feature as a temporary workaround.
There is currently no public evidence of active exploitation, but the vulnerability is considered HIGH severity and POC code is likely to exist.
Refer to the National Vulnerability Database (NVD) entry for CVE-2022-37620: [https://nvd.nist.gov/vuln/detail/CVE-2022-37620](https://nvd.nist.gov/vuln/detail/CVE-2022-37620)
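The affected-version check described above, as an added example that is not part of this advisory or of the html-minifier project: a small Node.js script that scans a package-lock.json (a constructed sample is embedded below) for every installed copy of html-minifier, including nested copies pulled in by other packages, and flags any version within the range the advisory gives as affected (up to and including 4.0.0). The semver comparison ignores prerelease and build suffixes, which is an assumption that holds for html-minifier's plain MAJOR.MINOR.PATCH releases.

```javascript
// Added example (not from the advisory or the html-minifier project):
// scan an npm lockfile for html-minifier and report whether each installed
// copy falls in the affected range the advisory states (<= 4.0.0).

const AFFECTED_PACKAGE = "html-minifier";
const LAST_AFFECTED_VERSION = "4.0.0"; // advisory: "versions up to 4.0.0"

// Parse "MAJOR.MINOR.PATCH" into numbers; prerelease/build suffixes are
// dropped (assumption: plain semver, which html-minifier releases use).
function parseVersion(v) {
  const core = v.split(/[-+]/)[0];
  const parts = core.split(".").map((n) => parseInt(n, 10));
  if (parts.length !== 3 || parts.some(Number.isNaN)) {
    throw new Error(`unparseable version: ${v}`);
  }
  return parts;
}

// Comparator semantics: negative if a < b, 0 if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

function isAffectedVersion(version) {
  return compareVersions(version, LAST_AFFECTED_VERSION) <= 0;
}

// Collect every installed copy of a package from a parsed package-lock.json.
// Lockfile v2/v3 lists entries under "packages" keyed by install path;
// lockfile v1 nests them under "dependencies". Both layouts are handled.
function findInstalled(lock, name) {
  const found = [];
  if (lock.packages) {
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path.endsWith(`node_modules/${name}`) && entry.version) {
        found.push({ path, version: entry.version });
      }
    }
    return found;
  }
  const walk = (deps, prefix) => {
    if (!deps) return;
    for (const [depName, entry] of Object.entries(deps)) {
      const path = `${prefix}node_modules/${depName}`;
      if (depName === name && entry.version) {
        found.push({ path, version: entry.version });
      }
      walk(entry.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, "");
  return found;
}

// Returns one record per installed copy, with the affected flag attached.
function auditLockfile(lockJson) {
  const lock = JSON.parse(lockJson);
  return findInstalled(lock, AFFECTED_PACKAGE).map((hit) => ({
    ...hit,
    affected: isAffectedVersion(hit.version),
  }));
}

// Constructed sample lockfile (v2 layout): a direct dependency on 4.0.0 plus
// a nested, older copy pulled in by a hypothetical build tool.
const SAMPLE_LOCK = JSON.stringify({
  name: "example-app",
  lockfileVersion: 2,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/html-minifier": { version: "4.0.0" },
    "node_modules/some-build-tool": { version: "2.3.1" },
    "node_modules/some-build-tool/node_modules/html-minifier": { version: "3.5.21" },
  },
});

for (const hit of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${hit.path}@${hit.version}: ${hit.affected ? "AFFECTED" : "outside stated range"}`);
}
```

To run it against a real project, replace SAMPLE_LOCK with the contents of the project's package-lock.json (for example via `fs.readFileSync`). Nested copies matter: a transitive dependency can keep an old html-minifier on disk even after the direct dependency is upgraded, so every reported path should be reviewed, not just the top-level one.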