CVE-2022-37620/ ReDoS found in htmlminifier.js

[secdevlpr26]

A Regular Expression Denial of Service (ReDoS) flaw was found in kangax html-minifier 4.0.0 via the candidate variable in htmlminifier.js. The ReDoS vulnerability can be mitigated with several best practices described here: [https://snyk.io/blog/redos-and-catastrophic-backtracking/]

[michaeljauk]

Is anyone willing to work on this?

[blv-raulcatalan]

Any update on this?

[rquadling]

One of the lines referred to be the CVE has the following regex \s+([1-9][0-9]*w|[0-9]+(?:\.[0-9]+)?x)$

Would changing it to \s+([1-9][0-9]*w|[0-9]+(?:\.[0-9]+|)x)$ be enough?

\s+([1-9][0-9]*w|[0-9]+(?=(\.[0-9]+|))\2x)$ is another way that should stop the backtracking (based this upon https://snyk.io/blog/redos-and-catastrophic-backtracking/.

[timbomckay]

I stumbled upon a fork of this maintained by terser: https://www.npmjs.com/package/html-minifier-terser

Probably the way to go.

[littleblack111]

any updates?

[timbomckay]

any updates?

@littleblack111 as mentioned above, along with the slew of references to others switching, html-minifier-terser is probably the best solution. Aside from some repo adjustments this solution appears to be fairly abandoned, especially since the package hasn't been updated in 5 years, while html-minified-terser is maintained by Terser.

[rquadling]

Now I've just got to remember what project I'm involved in that has this one as an issue!

[Hessah95]

any update on this issue?

[timbomckay]

any update on this issue?

@Hessah95 The comments in this thread point to another solution that's maintained.