7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-4305

GHSA ID

GHSA-6g33-8w2q-4hxv

EPSS Score

0.1613%

CWE

CWE-1333

Published

1/5/2023

Updated

1/27/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-4305

CVE-2021-4305: robots-txt-guard Inefficient Regular Expression Complexity vulnerability

A vulnerability was found in Woorank robots-txt-guard. It has been rated as problematic. Affected by this issue is the function makePathPattern of the file lib/patterns.js. The manipulation of the argument pattern leads to inefficient regular expression complexity. The exploit has been disclosed to the public and may be used. The name of the patch is c03827cd2f9933619c23894ce7c98401ea824020. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-217448.

(GitHub Advisory)

7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-4305

GHSA ID

GHSA-6g33-8w2q-4hxv

EPSS Score

0.1613%

CWE

CWE-1333

Published

1/5/2023

Updated

1/27/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
robots-txt-guard	npm	< 1.0.2	1.0.2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability report explicitly identifies makePathPattern in lib/patterns.js as the affected function. The commit diff shows the fix changed the splitting logic from .split('') to .split(/*+/), which collapses consecutive asterisks. This confirms the original implementation created inefficient regex patterns by splitting on every individual '' character, creating redundant quantifiers. The added test case with '/*****************************************************************************.js$' demonstrates the ReDoS scenario the patch addresses.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* vuln*r**ility w*s *oun* in Woor*nk ro*ots-txt-*u*r*. It **s ***n r*t** *s pro*l*m*ti*. *****t** *y t*is issu* is t** *un*tion m*k*P*t*P*tt*rn o* t** *il* li*/p*tt*rns.js. T** m*nipul*tion o* t** *r*um*nt p*tt*rn l***s to in***i*i*nt r**ul*r *xpr*ss

Reasoning

T** vuln*r**ility r*port *xpli*itly i**nti*i*s m*k*P*t*P*tt*rn in li*/p*tt*rns.js *s t** *****t** *un*tion. T** *ommit *i** s*ows t** *ix ***n*** t** splittin* lo*i* *rom .split('*') to .split(/\*+/), w*i** *oll*ps*s *ons**utiv* *st*risks. T*is *on*i

7.5

Basic Information

Concerned about an active attack path?

CVE-2021-4305: robots-txt-guard Inefficient Regular Expression Complexity vulnerability

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI