Vulnerabilities
Misconfiguration
Runtime Security
Compliance
CVE Vulnerabilities

CVE-2017-16021

Inefficient Regular Expression Complexity

Published: Jun 04, 2018 | Modified: Feb 15, 2024
CVSS 3.x
6.5
MEDIUM
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CVSS 2.x
6.8 MEDIUM
AV:N/AC:L/Au:S/C:N/I:N/A:C
RedHat/V2
RedHat/V3
Ubuntu
Additional information
NVDhttps://nvd.nist.gov/vuln/detail/CVE-2017-16021
CWEhttps://cwe.mitre.org/data/definitions/1333.html

uri-js is a module that tries to fully implement RFC 3986. One of these features is validating whether or not a supplied URL is valid or not. To do this, uri-js uses a regular expression, This regular expression is vulnerable to redos. This causes the program to hang and the CPU to idle at 100% usage while uri-js is trying to validate if the supplied URL is valid or not. To check if youre vulnerable, look for a call to require(uri-js).parse() where a user is able to send their own input. This affects uri-js 2.1.1 and earlier.

Weakness

The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.

Affected Software

Name Vendor Start Version End Version
Uri-js Garycourt * 2.1.1 (including)

Extended Description

      Attackers can create crafted inputs that
      intentionally cause the regular expression to use
      excessive backtracking in a way that causes the CPU
      consumption to spike.

Potential Mitigations

References

Aqua Security is the largest pure-play cloud native security company, providing customers the freedom to innovate and run their businesses with minimal friction. The Aqua Cloud Native Security Platform provides prevention, detection, and response automation across the entire application lifecycle to secure the build, secure cloud infrastructure and secure running workloads wherever they are deployed.
Copyright © 2024 Aqua Security Software Ltd.   Privacy Policy | Terms of Use