Miggo Logo
Miggo Vulnerability Database
CVE-2021-3804

CVE-2021-3804: Inefficient Regular Expression Complexity in taro

7.5

CVSS Score
3.0

Basic Information

CVE ID
CVE-2021-3804
GHSA ID
GHSA-468q-v4jj-485h
EPSS Score
0.48034%
CWE
CWE-1333
Published
9/20/2021
Updated
3/29/2023
KEV Status
No
Technology
TechnologyJavaScript

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
@tarojs/helpernpm< 3.3.93.3.9

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from the REG_URL regular expression constant in constants.ts, as shown in the commit diff. The patch specifically modifies this regex to address ReDoS concerns by tightening the pattern for domain name validation (e.g., adding length constraints and removing ambiguous character ranges). Since this regex is used for URL validation, its inefficient patterns directly enabled the ReDoS vulnerability. The high confidence comes from the direct correlation between the CWE description, the commit message explicitly mentioning URL validation fixes, and the regex being the only modified code element in the security patch.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

t*ro is vuln*r**l* to In***i*i*nt R**ul*r *xpr*ssion *ompl*xity

Reasoning

T** vuln*r**ility st*ms *rom t** `R**_URL` r**ul*r *xpr*ssion *onst*nt in `*onst*nts.ts`, *s s*own in t** *ommit *i**. T** p*t** sp**i*i**lly mo*i*i*s t*is r***x to ***r*ss R**oS *on**rns *y ti**t*nin* t** p*tt*rn *or *om*in n*m* v*li**tion (*.*., **