CVE-2021-43307: Regular expression denial of service in semver-regex

CVSS Score: N/A

Basic Information

EPSS Score: 0.86203%
Published: 6/3/2022
Updated: 7/19/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: -

Package Name    Ecosystem    Vulnerable Versions    First Patched Version
semver-regex    npm          < 3.1.4                3.1.4
semver-regex    npm          >= 4.0.0, < 4.0.3      4.0.3

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from the regex pattern returned by semverRegex() in index.js. The commit diff adds lazy quantifiers (the ? modifier) to the {0,100} ranges and other groups, which directly addresses the catastrophic backtracking. The test case added in test.js measures execution time against ReDoS-prone inputs such as '0.0.1-...', confirming that calling test() on the returned regex was vulnerable. Since semverRegex() is the sole function generating the regex pattern, and the patch modifies only this function's output, it is identified as the vulnerable component.

WAF Protection Rules

WAF Rule

An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the semver-regex npm package when an attacker is able to supply arbitrary input to the test() method.
