
🚧 ReDoS vulnerability in Wordwrap

Open · raghunandhanvr opened this issue 2 years ago · 1 comment

Dear cal.com team,

I am writing to inform you of a vulnerability in the Wordwrap package (version 1.0.0) that is used by your website/service. This vulnerability can be exploited through a regular expression Denial of Service (ReDoS) attack, which can cause the package to enter an infinite loop, leading to a denial of service on the affected system.

The vulnerability affects all versions of the Wordwrap package up to and including version 1.0.0, and unfortunately, there is currently no known fix for the issue. I have included a proof-of-concept code snippet below that demonstrates the vulnerability in action:

```javascript
// PoC as reported: time word-wrap's trim step on inputs of growing size.
const wrap = require('word-wrap');             // the package named in the Snyk reference below
const { performance } = require('perf_hooks'); // global in Node >= 16, required explicitly here

for (let i = 0; i <= 10; i++) {
  const attack = "a" + "t".repeat(i * 1_000_000); // 0, 1M, 2M ... 10M characters
  const start = performance.now();
  wrap(attack, { trim: true });
  console.log(`${attack.length} characters: ${performance.now() - start}ms`);
}
```

As you can see, this code snippet can cause the Wordwrap package to enter an infinite loop when provided with a specially crafted input string, resulting in a significant delay in processing time and potentially leading to a denial of service.

I urge you to take immediate action to address this vulnerability by either updating to a patched version of the Wordwrap package (if and when one becomes available), or by finding an alternative package that is not vulnerable to this issue.

Thank you for your attention to this matter. Please let me know if you require any additional information or assistance in addressing this vulnerability with respect to cal platform.

Reference: https://security.snyk.io/vuln/SNYK-JS-WORDWRAP-3149973

raghunandhanvr, May 04 '23 05:05

@raghunandhanvr I didn't find any code usage with this dependency, let me know if you found one. Thanks

pranjalg13, May 09 '23 15:05

@raghunandhanvr how would this be fixed?

PeerRich, May 14 '23 21:05

Thank you @raghunandhanvr - we're keeping an eye on https://github.com/jonschlinkert/word-wrap/issues/32 - our internal assessment is: because this code is used only by eslint and this is a dev-only package, there is no public-facing code that will be affected by this vulnerability. Also, as indicated by the optionator package, this vulnerability does not affect their code.

Therefore, no mitigation is needed as we are not affected by this vulnerability.

Also including the eslint assessment at https://github.com/eslint/eslint/issues/17117#issuecomment-1521564262 for completeness:

This is a problem in a transitive dependency so it doesn't seem like there's anything we can do at this point. Also, according to https://github.com/gkz/optionator/issues/44#issuecomment-1518171047 this isn't a possible problem for eslint users because the dependency in question is only used with predefined option descriptions, not with user input.

Given the above, I'm closing this issue. If and when the problem is fixed in the dependencies, we could update eslint's package.json if that would help remove the warning.

emrysal, May 14 '23 21:05