
CVE-2021-29059: ReDOS in IS-SVG

CVSS Score: 7.5 (CVSS 3.1)

Basic Information

EPSS Score: 0.85532%
Published: 12/10/2021
Updated: 2/1/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| is-svg | npm | >= 2.1.0, < 4.3.0 | 4.3.0 |
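
To check a project against the affected range listed above, the following added example (not part of the original advisory or of the is-svg project) scans an npm lockfile in the v2/v3 `packages` layout for is-svg installs, including nested transitive copies. The sample lockfile and every package name in it other than is-svg are constructed for illustration.

```javascript
// Added example: flag is-svg installs inside the range this page lists
// as vulnerable (>= 2.1.0, < 4.3.0) in an npm lockfile (v2/v3 layout).

// Parse "x.y.z" into numbers; any prerelease/build suffix is ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number);
}

// Three-way compare of two parsed versions.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

const FIRST_VULNERABLE = parseVersion('2.1.0');
const FIRST_PATCHED = parseVersion('4.3.0');

function isVulnerable(version) {
  const v = parseVersion(version);
  return compare(v, FIRST_VULNERABLE) >= 0 && compare(v, FIRST_PATCHED) < 0;
}

// Keys of "packages" are install paths, so nested copies such as
// node_modules/a/node_modules/is-svg are matched as well.
function findVulnerableIsSvg(lock) {
  return Object.entries(lock.packages || {})
    .filter(([p]) => p === 'node_modules/is-svg' || p.endsWith('/node_modules/is-svg'))
    .filter(([, meta]) => isVulnerable(meta.version))
    .map(([p, meta]) => ({ path: p, version: meta.version }));
}

// Constructed sample lockfile (all names except is-svg are made up).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/is-svg': { version: '4.3.1' },
    'node_modules/example-optimizer/node_modules/is-svg': { version: '3.0.0' },
    'node_modules/example-legacy/node_modules/is-svg': { version: '2.0.1' },
    'node_modules/not-is-svg': { version: '4.0.0' },
  },
};

console.log(findVulnerableIsSvg(sampleLock));
```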

Vulnerability Intelligence
Root Cause Analysis

The vulnerability stemmed from three key elements:

  1. cleanEntities' entityRegex contained multiple unbounded quantifiers (\s*, \S*) that could be exploited with long whitespace/entity declarations
  2. removeDtdMarkupDeclarations' regex used nested quantifiers ([A-Z]+ and [^>]*) vulnerable to polynomial backtracking
  3. The main validation regex combined these patterns with other complex constructs

The commit patched this by replacing regex-based validation with a proper XML parser, confirming these functions were the attack surface. PoC examples specifically demonstrate exploitation of these regex patterns.

WAF Protection Rules

WAF Rule

A vulnerability was discovered in IS-SVG version *.*.* and below where a Regular Expression Denial of Service (ReDOS) occurs if the application is provided and checks a crafted invalid SVG string.
