Miggo Logo

CVE-2021-4305: robots-txt-guard Inefficient Regular Expression Complexity vulnerability

7.5

CVSS Score
3.1

Basic Information

EPSS Score
0.1613%
Published
1/5/2023
Updated
1/27/2023
KEV Status
No
Technology
TechnologyJavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
robots-txt-guardnpm< 1.0.21.0.2

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability report explicitly identifies makePathPattern in lib/patterns.js as the affected function. The commit diff shows the fix changed the splitting logic from .split('') to .split(/*+/), which collapses consecutive asterisks. This confirms the original implementation created inefficient regex patterns by splitting on every individual '' character, creating redundant quantifiers. The added test case with '/*****************************************************************************.js$' demonstrates the ReDoS scenario the patch addresses.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* vuln*r**ility w*s *oun* in Woor*nk ro*ots-txt-*u*r*. It **s ***n r*t** *s pro*l*m*ti*. *****t** *y t*is issu* is t** *un*tion m*k*P*t*P*tt*rn o* t** *il* li*/p*tt*rns.js. T** m*nipul*tion o* t** *r*um*nt p*tt*rn l***s to in***i*i*nt r**ul*r *xpr*ss

Reasoning

T** vuln*r**ility r*port *xpli*itly i**nti*i*s m*k*P*t*P*tt*rn in li*/p*tt*rns.js *s t** *****t** *un*tion. T** *ommit *i** s*ows t** *ix ***n*** t** splittin* lo*i* *rom .split('*') to .split(/\*+/), w*i** *oll*ps*s *ons**utiv* *st*risks. T*is *on*i