Exploit causes popular regex library to grind to a halt

UPDATE (Aug 19; 07:32 UTC) In lieu of a patch, the researcher who discovered the vulnerability has released a new package, url-regex-safe, that resolves this issue. More information on available via GitHub.

Node.js applications using the popular url-regex library are potentially vulnerable to Regular Expression Denial of Service (ReDoS) attacks, a GitHub advisory warns.

The bug, initially discovered and filed by software engineer Nick Baugh, affects all versions of url-regex and has not yet been patched.

The url-regex package is downloaded approximately three million times per month.

Applications use regular expression libraries to search and parse input strings based on relevant patterns.

A malicious actor can exploit this feature by sending a carefully crafted string that causes an extreme situation in which the url-regex library slows down to a crawl and halts the application server, thus causing a ReDoS attack.

A dangerous but rare bug

The ReDoS vulnerability in url-regex kicks in when the attacker provides a very long and invalid string to the expression parser, according to a proof-of-concept Baugh provided to Snyk.io’s vulnerability database.

An attacker can exploit this vulnerability to “cause the service to excessively consume CPU, resulting in a denial of service,” Baugh wrote.

The researcher discovered the bug while working on Spam Scanner, a library he maintains.

RELATED Blind regex injection: Theoretical exploit offers new means of forcing web apps to spill secrets

In written comments to The Daily Swig, Baugh said: “I was tokenizing emails for training our anti-spam classifier, and it would cause the CPU to hit 100%.

“I have a dataset of hundreds of GBs of spam I’ve accumulated for research, and after getting halfway through it (which takes hours) it froze the process.”

The NIST National Vulnerability Database has scored the risk score of the vulnerability as “7.5, or higher.” However, Baugh confirms that the ReDoS bug is an edge case.

“Not many people use this in a way that can be exploited by others, as far I know, so it’s not a huge security risk,” he said.

“But for anyone parsing out URLs in things like form submissions with this, then it’s definitely a risk. I think it hasn’t been discovered earlier because people weren’t using it like I was.”

Eerie silence leads to exodus

The maintainers of url-regex have not yet responded to queries by security researchers.

An advisory by Snyk’s Security Team, posted on the bug’s GitHub issue on June 2 reads:

We have verified this vulnerability and reached out to try and discuss this issue further with the maintainers several times. As of now we have yet to get a response, and due to this vulnerability already being exposed publicly, we feel the responsible thing to do is to move to official disclosure.

Neither has the bug been patched yet.

The outstanding vulnerability has prompted some developers to swap url-regex for other regular expression libraries. Baugh proposed using node-re2, a regex library that does not suffer from the same vuln.

The url-regex library was removed from the Wix website-building platform on Monday and replaced with is-url-superb.

“url-regex has a security vulnerability.is-url-superb uses native URL api to verify text is a valid url. much cleaner,” reads a security commit posted on Wix’s GitHub repository.

The maintainers of the postcss-values-parser library also removed url-regex from their dependency tree on Monday, declaring: “There is an open vulnerability in url-regex (kevva/url-regex#70) and no patch available.”

READ MORE Drupal plugs duo of critical security flaws in open source CMS