Reported ReDoS Vulnerabilities

Below is the list of ReDoS vulnerabilities reported as part of the research paper Freezing the Web: A Study of ReDoS Vulnerabilities in JavaScript-based Web Servers. For each vulnerable module the table gives the bug report we filed, the maintainers' response (FIXED, a quoted reply, or N/A where there was none) and the advisory number where one was issued:

| Vulnerable module | Bug report | Response | Advisory |
|---|---|---|---|
| debug | Issue 501 | FIXED | 534 |
| lodash | Issue 3359 | "limiting the size is fine" | N/A |
| mime | Issue 167 | FIXED | 535 |
| ajv | Issue 557 | "it needs to be better investigated" | N/A |
| tough-cookie | Issue 92 | FIXED | 525 |
| fresh | Issue 24 | FIXED | 526 |
| moment | Issue 4163 | FIXED | 532 |
| forwarded | Issue 3 | FIXED | 527 |
| underscore.string | Issue 510 | N/A | N/A |
| parsejson | Issue 4 | FIXED | 528 |
| no-case | Issue 17 | FIXED | 529 |
| marked | Issue 937 | FIXED | 531 |
| content-type-parser | Issue 3 | "a pull request is welcome" and "there are much worse attacks than a six second slowdown" | N/A |
| platform | Issue 139 | "I'll accept a PR for this" and "using any utils with inputs of arbitrary length runs a performance risk" | N/A |
| timespan | Issue 10 | N/A | 533 |
| string | Issue 212 | N/A | 536 |
| content | Issue 14 | N/A | 537 |
| slug | Issue 82 | FIXED | 530 |
| htmlparser | Issue 79 | N/A | N/A |
| charset | Issue 10 | FIXED | 524 |
| mobile-detect | Issue 67 | "I limited the length of User-Agent to max 500 characters" | N/A |
| ismobilejs | Issue 66 | N/A | N/A |
| dns-sync | Issue 5 | N/A | N/A |

Running the Exploits Set

This folder contains a set of exploits for the vulnerabilities listed above. To run them on your local machine, perform the following steps:

  1. Check out this repository.
  2. Install the vulnerable packages by running `npm install` in the checked-out folder.
  3. Run the benchmarks by executing `node ./run-all.js`.

The exploits are harmless to run locally: the only effect they have is the slowdown caused by the superlinear regular expression matching in the vulnerable package, and they perform no other action. For each benchmark, the runner prints an execution time showing how long the vulnerable module takes to process the specific exploit input. Because regular expression matching is synchronous in Node.js, the process blocks for the whole of that time (a few seconds for some exploits), which is exactly the denial-of-service effect the paper studies.