CVE-2017-16099
regular expression denial of service vulnerability in no-case (npm)
What is CVE-2017-16099 About?
Affected versions of the `no-case` package are vulnerable to a regular expression denial of service (ReDoS), leading to system unresponsiveness. This occurs when untrusted user input is passed to the package's functions, causing excessive processing. Exploitation is easy for an attacker who can supply maliciously crafted input.
Affected Software
Technical Details
The no-case package, in versions prior to 2.3.2, is susceptible to a regular expression denial of service (ReDoS) vulnerability. This flaw stems from inefficiently constructed regular expressions used internally by the package for string manipulation, such as converting text to different casing conventions (e.g., camelCase, snake_case). When specially crafted, untrusted user input that contains certain repetitive character sequences is processed by these regular expressions, it can trigger catastrophic backtracking. This causes the regular expression engine to evaluate an exponential number of possible matches, consuming excessive CPU cycles and memory. As a result, the application or service incorporating the no-case package becomes unresponsive, leading to a denial of service.
What is the Impact of CVE-2017-16099?
Successful exploitation may allow attackers to cause a denial of service, leading to service unavailability, application crashes, and resource exhaustion.
What is the Exploitability of CVE-2017-16099?
Exploiting this regular expression denial of service (ReDoS) vulnerability is of relatively low complexity. The attacker primarily needs the ability to submit untrusted user input to an application that utilizes the no-case package in an affected version. No specific authentication or privilege escalation is required. The attack is typically remote, as it involves sending a malformed input string to a web application or API endpoint. A prerequisite is that the application uses the no-case library and applies its functions to user-supplied data without sufficient validation or sanitization. The likelihood of exploitation increases in applications that process user-generated strings for formatting or comparison, as a crafted input can rapidly deplete server resources.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2017-16099?
Available Upgrade Options
- no-case
  - <2.3.2 → Upgrade to 2.3.2
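Because the fix is an upgrade, the practical check is whether any installed copy of no-case, including nested copies pulled in by other dependencies, is still below 2.3.2. The script below is an added example, not code from the advisory or the no-case project; it reads the lockfile formats npm writes (`packages` map for lockfileVersion 2/3, `dependencies` tree for lockfileVersion 1), and the sample lockfile it scans is constructed.

```javascript
// Added example: scan a package-lock.json for no-case installs older than
// the fixed release named in this advisory. Not part of no-case itself.
const FIXED_VERSION = '2.3.2';

// Minimal comparison for plain x.y.z version strings (no prerelease tags).
// Returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Returns every install path where no-case is present at an affected version.
function findAffectedNoCase(lockfile, fixed = FIXED_VERSION) {
  const hits = [];
  const check = (path, version) => {
    if (version && compareVersions(version, fixed) < 0) hits.push({ path, version });
  };
  // lockfileVersion 2/3: flat "packages" map keyed by install path,
  // so a nested copy appears as node_modules/x/node_modules/no-case.
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    if (path.endsWith('node_modules/no-case')) check(path, meta.version);
  }
  // lockfileVersion 1: nested "dependencies" tree, walked recursively.
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === 'no-case') check(path, meta.version);
      walk(meta.dependencies, path + '/');
    }
  };
  if (!lockfile.packages) walk(lockfile.dependencies, '');
  return hits;
}

// Constructed sample lockfile: the top-level copy is fixed, but a
// transitive dependency still pins an affected 2.3.x release.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'app', version: '1.0.0' },
    'node_modules/no-case': { version: '2.3.2' },
    'node_modules/legacy-lib': { version: '0.9.0' },
    'node_modules/legacy-lib/node_modules/no-case': { version: '2.3.1' },
  },
};

console.log(findAffectedNoCase(sampleLock));
```

Run it against a real lockfile with `JSON.parse(fs.readFileSync('package-lock.json'))` in place of `sampleLock`; an empty result means every resolved copy is at or above 2.3.2.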
Additional Resources
- https://github.com/blakeembrey/no-case/issues/17
- https://www.npmjs.com/advisories/529
- https://nodesecurity.io/advisories/529
- https://nvd.nist.gov/vuln/detail/CVE-2017-16099
- https://osv.dev/vulnerability/GHSA-ff6r-5jwm-8292
- https://github.com/advisories/GHSA-ff6r-5jwm-8292
What are Similar Vulnerabilities to CVE-2017-16099?
Similar Vulnerabilities: CVE-2016-10540, CVE-2017-16116, CVE-2018-3729, CVE-2019-10744, CVE-2020-28498
