
Fix semver vulnerable to Regular Expression Denial of Service

Open imhunterand opened this issue 2 years ago • 0 comments

fireblocks-sdk-js used semver. Versions of semver before 7.5.2 on the 7.x branch, before 6.3.1 on the 6.x branch, and all other versions before 5.7.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range when untrusted user data is provided as a range.

PoC:

const semver = require('semver')

// Payload sizes: each step doubles the amount of whitespace inside the range.
const lengths_2 = [2000, 4000, 8000, 16000, 32000, 64000, 128000]

console.log("\n[+] Valid range - Test payloads")
for (let i = 0; i < lengths_2.length; i++) {
  // A syntactically valid range padded with a long run of spaces between the comparators.
  const value = '>=1.2.3' + ' '.repeat(lengths_2[i]) + '<1.3.0';
  const start = Date.now()
  semver.validRange(value)
  // Any of the following reach the same range parser and show the same growth:
  // semver.minVersion(value)
  // semver.maxSatisfying(["1.2.3"], value)
  // semver.minSatisfying(["1.2.3"], value)
  // new semver.Range(value, {})
  const end = Date.now();
  console.log('length=%d, time=%d ms', value.length, end - start);
}

Details: Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportionate amount of time to process.

Impact: CVE-2022-25883 CWE-1333 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Pull Request Description

Please include a summary of the change and which issue is fixed. Please also include relevant motivation and context. List any dependencies that are required for this change.

Fixes (link to the issue here)

Type of change

Please delete options that are not relevant.

  • [x] Bug fix (non-breaking change which fixes an issue)
  • [x] New feature (non-breaking change which adds functionality)
  • [ ] Chore / Documentation
  • [ ] Breaking change (fix or feature that would cause existing functionality to not work as expected)

How Has This Been Tested?

Please describe the tests that you ran to verify your changes. Provide instructions so we can reproduce. Please also list any relevant details for your test configuration

  • [x] Locally tested against Fireblocks API

Checklist:

  • [x] I have performed a self-review of my own code
  • [x] I have made corresponding changes to the documentation
  • [x] Any dependent changes have been merged and published in downstream modules
  • [x] I have added corresponding labels to the PR

imhunterand avatar Aug 23 '23 05:08 imhunterand
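The issue names the fixed semver releases and the PoC shows the input shape that triggers the regex cost. The following is an added example, not code from fireblocks-sdk-js or from the issue author: it checks an installed semver version against the advisory's thresholds (below 7.5.2 on 7.x, below 6.3.1 on 6.x, otherwise below 5.7.2) and, as a defence that does not depend on upgrading, rejects or normalises untrusted range strings before they reach the parser. The names `isVulnerableSemver`, `checkManifest`, `guardRange` and the 256-character limit are this example's own assumptions; the manifest object mirrors the shape of a package.json and is constructed here. The PoC-style payload is constructed inline.

```javascript
// Added example (not part of fireblocks-sdk-js or the issue). Hypothetical helpers:
//  1. isVulnerableSemver(version): is a semver release in the affected set
//     (<7.5.2 on 7.x, <6.3.1 on 6.x, otherwise <5.7.2) from CVE-2022-25883?
//  2. guardRange(input): pre-check for untrusted range strings before they are
//     passed to semver, capping length and collapsing whitespace runs.

function parseVersion(v) {
  // Accept "7.5.2" or "v7.5.2"; a pre-release or build suffix is ignored here.
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$/.exec(String(v).trim());
  if (!m) throw new TypeError(`not a plain semver version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersion(a, b) {
  // Numeric comparison of [major, minor, patch]; -1, 0 or 1.
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// First fixed release per branch, as stated in the advisory.
const FIXED = { 7: [7, 5, 2], 6: [6, 3, 1], default: [5, 7, 2] };

function isVulnerableSemver(version) {
  const v = parseVersion(version);
  if (v[0] >= 8) return false; // later majors postdate the fix
  const fixed = FIXED[v[0]] || FIXED.default;
  return compareVersion(v, fixed) < 0;
}

// Takes an object shaped like node_modules/semver/package.json so a CI step
// can run the check offline against the resolved dependency.
function checkManifest(manifest) {
  return { version: manifest.version, vulnerable: isVulnerableSemver(manifest.version) };
}

// The PoC pads a valid range with thousands of spaces between comparators.
// Refusing oversized input and collapsing whitespace runs removes that shape
// before any regex runs, whichever semver version is installed.
const MAX_RANGE_LENGTH = 256; // assumed limit; real-world ranges are far shorter

function guardRange(input) {
  if (typeof input !== 'string') throw new TypeError('range must be a string');
  if (input.length > MAX_RANGE_LENGTH) {
    throw new RangeError(`range too long (${input.length} > ${MAX_RANGE_LENGTH})`);
  }
  return input.trim().replace(/\s+/g, ' ');
}

// Constructed input mirroring the issue's PoC payload (8000 spaces).
const poc = '>=1.2.3' + ' '.repeat(8000) + '<1.3.0';

// Constructed manifest standing in for an installed semver.
const sampleManifest = { name: 'semver', version: '7.5.1' };

console.log(checkManifest(sampleManifest));
try {
  guardRange(poc);
} catch (e) {
  console.log('rejected:', e.message);
}
console.log(guardRange('>=1.2.3    <1.3.0'));
```

The length cap is the part that matters for the ReDoS: the cost in the PoC grows with the number of spaces, so bounding input size bounds the work regardless of the regex. Whitespace collapsing is a secondary normalisation that keeps a legitimate range meaning-preserving while removing the padding. Neither replaces upgrading semver to a fixed release.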