CVE-2015-8315
Denial of Service (DoS) vulnerability in ms (npm)
What is CVE-2015-8315 About?
This Regular Expression Denial of Service (ReDoS) vulnerability affects versions of the `ms` library prior to 0.7.1, where parsing extremely long version strings can lead to excessive computation. Exploiting this vulnerability results in service unavailability or unresponsiveness. It is relatively easy to exploit with a specially crafted input string.
Affected Software
Technical Details
The vulnerability resides in the ms npm package (versions prior to 0.7.1) and is a Regular Expression Denial of Service (ReDoS). When the library attempts to parse an extremely long and specifically crafted input string that resembles a duration (e.g., '555...555 minutea'), the regular expression engine used internally experiences catastrophic backtracking. This causes the parsing operation's execution time to grow exponentially with the length of the input string. The attacker provides a long string that matches a portion of the regex in many ways, but ultimately fails to match the entire regex. The engine then backtracks through all possible partial matches, leading to a significant and prolonged consumption of CPU resources, effectively blocking the event loop and rendering the application unresponsive, thus causing a denial of service.
What is the Impact of CVE-2015-8315?
Successful exploitation may allow attackers to cause a denial-of-service, resulting in severe degradation of application performance or complete unresponsiveness.
What is the Exploitability of CVE-2015-8315?
Exploitation of this Regular Expression Denial of Service (ReDoS) vulnerability is low to medium complexity, requiring only the ability to supply a long, specially crafted input string to the ms library. Remote access is possible if the ms library is used to parse user-controlled input, such as request parameters or body content, in a networked application. No authentication or elevated privileges are required, making it a potentially unauthenticated attack vector. The primary special condition is sending a string that triggers catastrophic backtracking in the library's regular expressions. The risk factors that increase exploitation likelihood include any public-facing endpoint that uses the affected ms library to parse user-supplied string data without length or format validation.
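The length and format validation mentioned above can sit in front of any duration parser. The following is an added example, not code from the `ms` project; `safeParseDuration`, `MAX_LEN`, the digit bounds and the unit table are assumptions chosen for illustration.

```javascript
// Added example (not code from the ms project). Names and limits are assumptions.
const MAX_LEN = 100; // assumed cap: real durations such as "2.5 hours" are short

// Unit aliases are looked up in a table instead of a long regex alternation.
const UNIT_MS = new Map();
for (const [factor, names] of [
  [1, ['ms', 'msec', 'msecs', 'millisecond', 'milliseconds']],
  [1000, ['s', 'sec', 'secs', 'second', 'seconds']],
  [60000, ['m', 'min', 'mins', 'minute', 'minutes']],
  [3600000, ['h', 'hr', 'hrs', 'hour', 'hours']],
  [86400000, ['d', 'day', 'days']],
]) {
  for (const name of names) UNIT_MS.set(name, factor);
}

// Bounded quantifiers over disjoint character classes: each part can match in
// only one way, so a failed match costs time linear in the capped input length.
const SHAPE = /^(\d{1,15}(?:\.\d{1,6})?) ?([a-z]{1,12})$/i;

function safeParseDuration(input) {
  if (typeof input !== 'string') return undefined;
  // Length gate first, so the regex never sees an oversized string.
  if (input.length === 0 || input.length > MAX_LEN) return undefined;
  const m = SHAPE.exec(input);
  if (!m) return undefined;
  const factor = UNIT_MS.get(m[2].toLowerCase());
  return factor === undefined ? undefined : Number(m[1]) * factor;
}

// Constructed sample inputs, including the shape quoted in the advisory text.
const samples = ['90 minutes', '2.5h', '5'.repeat(50000) + ' minutea', '10 minutea'];
for (const s of samples) {
  const label = s.length > 20 ? `${s.slice(0, 8)}... (${s.length} chars)` : s;
  console.log(label, '->', safeParseDuration(s));
}
```

Rejected input returns `undefined`, so the caller can answer with a validation error instead of passing the string on to the parser.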
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2015-8315?
Available Upgrade Options
- ms
- <0.7.1 → Upgrade to 0.7.1
Additional Resources
- http://www.openwall.com/lists/oss-security/2016/04/20/11
- https://support.f5.com/csp/article/K46337613?utm_source=f5support&%3Butm_medium=RSS
- http://www.securityfocus.com/bid/96389
- https://nodesecurity.io/advisories/46
- https://web.archive.org/web/20200227190911/http://www.securityfocus.com/bid/96389
- https://nvd.nist.gov/vuln/detail/CVE-2015-8315
- https://github.com/unshiftio/millisecond
What are Similar Vulnerabilities to CVE-2015-8315?
Similar Vulnerabilities: CVE-2020-28283, CVE-2021-23337, CVE-2022-24707, CVE-2023-28155, CVE-2018-3729
