yarn icon indicating copy to clipboard operation
yarn copied to clipboard
verified publisher icon yarnpkg

Normalize manifest re dos

Open mmmsssttt404 opened this issue 4 months ago • 1 comments

Steps to reproduce Hello,

I am writing to report a potential Regular Expression Denial of Service (ReDoS) vulnerability or Inefficient Regular Expression in the project. When using specially crafted input strings in the context, it may lead to extremely high CPU usage, application freezing, or denial of service attacks.

Location of Issue:

The vulnerability is related to a regular expression used in the following validation file, which may result in significantly prolonged execution times under certain conditions.

https://github.com/yarnpkg/yarn/blob/7cafa512a777048ce0b666080a24e80aae3d66a9/src/util/normalize-manifest/util.js#L57 https://github.com/yarnpkg/yarn/blob/7cafa512a777048ce0b666080a24e80aae3d66a9/src/util/normalize-manifest/util.js#L62

1.git clone https://github.com/mmmsssttt404/yarn.git
2.yarn install
3.yarn test __tests__/normalize-manifest.js

use time: {D82AA19C-D8D5-4405-9B06-239B37822BB1} ae76991131436e026e31d6da3b7bef6

Proposed Solution: Change the regular expression to https://github.com/mmmsssttt404/yarn/blob/b0daafb372d6eaee89495c063f7f2631ded7dc62/src/util/normalize-manifest/util.js#L57-L65

{C3527344-9E82-4AE1-AED4-4ADE0D88D409} {DC06D6FC-06B7-4100-861E-382B0AA70E41}

Thank you for your attention to this matter. Your evaluation and response to this potential security concern would be greatly appreciated.

Best regards,

Search keywords: ReDoS

mmmsssttt404 avatar Aug 13 '25 03:08 mmmsssttt404

Benchmarks show clear quadratic growth with input size, not linear. Even at ~100k chars, runtime reaches several seconds. ReDoS does not require exponential blowup — Polynomial behavior is already recognized as exploitable redos_result (10) redos_result (11)

mmmsssttt404 avatar Aug 23 '25 07:08 mmmsssttt404