[nitrado.js] Polynomial regular expression used on uncontrolled data in nitrado.js

Impact

Possible ReDoS with lib input of {{ and with many repetitions of {{|

Patches

Patched in all versions above 0.2.5

Workarounds

No known work arounds.

References

• OWASP: Regular expression Denial of Service – ReDoS
• Wikipedia: ReDoS.
• Wikipedia: Time complexity.
• James Kirrage, Asiri Rathnayake, Hayo Thielecke: Static Analysis for Regular Expression Denial-of-Service Attack.
• Common Weakness Enumeration: CWE-1333.
• Common Weakness Enumeration: CWE-400.

References

• https://github.com/cainthebest/nitrado.js/security/advisories/GHSA-vqc4-v8hc-h2jg
• https://nvd.nist.gov/vuln/detail/CVE-2022-36034
• https://github.com/cainthebest/nitrado.js/blob/v0.2.5/CHANGELOG.md
• https://github.com/advisories/GHSA-vqc4-v8hc-h2jg