
Fix Regular Expression Denial of Service (ReDoS) vulnerability in ansi-regex

Open camgrimsec opened this issue 10 months ago • 0 comments

Description:

Introduction: This PR addresses a vulnerability in the ansi-regex package, specifically related to Regular Expression Denial of Service (ReDoS). This vulnerability is identified with a CVSS score of 7.5 (High Severity) by both Snyk and NVD.

Details: The vulnerability is introduced through [email protected] and @tryghost/[email protected], and it affects versions of ansi-regex prior to 3.0.1, 4.1.1, 5.0.1, and 6.0.1.

Exploit Maturity: The exploit maturity is identified as Proof of Concept.

Detailed Paths:

Introduced through: [email protected][email protected][email protected][email protected][email protected][email protected]
Introduced through: [email protected][email protected][email protected][email protected][email protected][email protected]
Introduced through: [email protected] › @tryghost/[email protected][email protected][email protected][email protected][email protected][email protected]

Security Information:

Snyk: CVSS 7.5 - High Severity
NVD: CVSS 7.5 - High Severity

Overview: Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) due to the sub-patterns `[[\]()#;?]*` and `(?:;[-a-zA-Z\d/#&.:=?%@~_])`.

Vulnerability Description: Regular Expression Denial of Service (ReDoS) is a type of Denial of Service attack. Affected versions of this package allow an attacker to perform ReDoS attacks by exploiting certain sub-patterns in regular expressions, causing excessive backtracking and potentially leading to a denial of service condition.

Remediation: Upgrade to version 3.0.1, 4.1.1, 5.0.1, or 6.0.1 of ansi-regex to fix this vulnerability. Unfortunately, there is no remediation path available for previous versions.

Proposed Changes: Update the dependency on ansi-regex to version 3.0.1, 4.1.1, 5.0.1, or 6.0.1 in the package.json file.

Testing: After updating the dependency, ensure that all existing functionality continues to work as expected. Perform thorough testing to verify that the vulnerability has been mitigated.

Additional Notes: Ensure that the updated version of ansi-regex is compatible with other dependencies and does not introduce any new issues.

camgrimsec · Mar 30 '24 09:03
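The remediation and testing sections above say to upgrade ansi-regex to 3.0.1, 4.1.1, 5.0.1 or 6.0.1 and then confirm the fix. A point that is easy to get wrong is that each major line has its own patched release, so 5.0.0 stays vulnerable even though 4.1.1 is fixed. The following script is an added example, not code from this issue or from the ansi-regex project: it walks an `npm ls --all --json`-shaped dependency tree, reports every ansi-regex occurrence with its path, and classifies the version against the fixed releases the advisory names. The sample tree, its package names and versions are constructed for illustration; the treatment of majors below 3 (vulnerable, no patched release) and above 6 (not covered by this advisory, reported as "unlisted" rather than assumed safe) is an assumption of this example.

```javascript
// Added example, not code from the original issue or the ansi-regex project.
// Classifies ansi-regex versions found in an `npm ls --all --json`-style
// dependency tree against the fixed releases the advisory names:
// 3.0.1, 4.1.1, 5.0.1 and 6.0.1. Each major line received its own fix, so
// "5.0.0" is vulnerable even though 4.1.1 is a patched release.

// Fixed release per major line, exactly as listed in the advisory.
const FIXED_BY_MAJOR = { 3: [3, 0, 1], 4: [4, 1, 1], 5: [5, 0, 1], 6: [6, 0, 1] };

// Parse "major.minor.patch" into numbers. Assumption for this example:
// lockfile versions are plain release numbers; any prerelease suffix is ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Lexicographic compare of two [major, minor, patch] triples.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns "fixed", "vulnerable" or "unlisted".
// - majors 3..6: fixed only if the version is >= the fix for that major line
// - majors below 3: vulnerable; the advisory names no patched release for them
// - majors above 6: not covered by the advisory (assumption: report, don't assume safe)
function classify(version) {
  const parsed = parseVersion(version);
  const major = parsed[0];
  if (major < 3) return 'vulnerable';
  const fix = FIXED_BY_MAJOR[major];
  if (!fix) return 'unlisted';
  return compare(parsed, fix) >= 0 ? 'fixed' : 'vulnerable';
}

// Recursively walk an npm-ls-shaped tree ({ name, version, dependencies: {...} })
// and report every ansi-regex node together with the path that introduces it.
function findAnsiRegex(tree, path = [tree.name || 'root']) {
  const findings = [];
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const here = path.concat(name);
    if (name === 'ansi-regex' && node.version) {
      findings.push({ path: here.join(' > '), version: node.version, status: classify(node.version) });
    }
    findings.push(...findAnsiRegex(node, here));
  }
  return findings;
}

// Constructed sample tree: package names and versions are invented for
// illustration and are not taken from the issue's redacted paths.
const SAMPLE_TREE = {
  name: 'gctools',
  dependencies: {
    'strip-ansi': {
      version: '6.0.1',
      dependencies: { 'ansi-regex': { version: '5.0.0' } },
    },
    'string-width': {
      version: '4.2.3',
      dependencies: {
        'strip-ansi': { version: '6.0.1', dependencies: { 'ansi-regex': { version: '5.0.1' } } },
      },
    },
    chalk: {
      version: '2.4.2',
      dependencies: { 'ansi-styles': { version: '3.2.1' }, 'ansi-regex': { version: '2.1.1' } },
    },
  },
};

// Only the occurrences that still need an upgrade.
function vulnerableFindings(tree = SAMPLE_TREE) {
  return findAnsiRegex(tree).filter((f) => f.status === 'vulnerable');
}

for (const f of findAnsiRegex(SAMPLE_TREE)) {
  console.log(`${f.status.padEnd(10)} ${f.version.padEnd(7)} ${f.path}`);
}
```

Feeding real `npm ls --all --json` output into `findAnsiRegex` gives the same report for an actual install; the path column tells you which direct dependency (here, a nested strip-ansi or an old chalk) pins the vulnerable copy, which is the thing that has to be bumped for the upgrade to take effect.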