CVE-2021-4306: terminal-kit Inefficient Regular Expression Complexity vulnerability
7.5
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.1613%
CWE
Published
1/7/2023
Updated
1/28/2023
KEV Status
No
Technology
JavaScript
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
terminal-kit | npm | < 2.1.8 | 2.1.8 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The commit diff shows the regex in misc.markupWidth
was modified to prevent ReDoS. The original regex pattern had inefficient complexity due to an unrestricted quantifier in the character class [^]]*. This matches the CWE-1333 description and the vulnerability's focus on regex inefficiency. The patch explicitly targets this function's regex, and the GHSA advisory confirms the exploit involved strings like '^['.repeat(bigNumber).