Zulip is an open source team chat server. In affected versions Zulip allows organization administrators on a server to configure linkifiers that automatically create links from messages that users send, detected via arbitrary regular expressions. Malicious organization administrators could subject the server to a denial-of-service via regular expression complexity attacks; most simply, by configuring a quadratic-time regular expression in a linkifier, and sending messages that exploited it. A regular expression attempted to parse the user-provided regexes to verify that they were safe from ReDoS – this was both insufficient, as well as itself subject to ReDoS if the organization administrator entered a sufficiently complex invalid regex. Affected users should upgrade to the just-released Zulip 4.7, or main.
The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Zulip | Zulip | * | 4.7 (excluding) |
Attackers can create crafted inputs that
intentionally cause the regular expression to use
excessive backtracking in a way that causes the CPU
consumption to spike.