CVE-2017-16115
regular expression denial of service vulnerability in timespan (npm)

Vulnerability class: regular expression denial of service. Known public exploit: none.

What is CVE-2017-16115 About?

This vulnerability in affected versions of `timespan` is a regular expression denial of service (ReDoS) triggered when the library parses specially crafted date strings. A single malicious input can block the Node.js event loop for a significant duration, denying service to every other request handled by that process. Exploitation is straightforward: the attacker only needs to get a crafted string into the date parser.

Affected Software

timespan <=2.3.0

Technical Details

The ReDoS in timespan arises when the library parses date strings with an inefficiently designed regular expression: malformed input containing certain repeating patterns can be matched against the pattern in an exponential number of ways, and once the overall match fails the backtracking engine tries all of them before giving up. This 'catastrophic backtracking' keeps the CPU busy and, because regex matching in Node.js is synchronous, blocks the event loop so the process cannot serve other requests while the match runs. The cost grows with input length: a 50,000-character malicious input can block the event loop for approximately 10 seconds, severely impacting application availability.

What is the Impact of CVE-2017-16115?

Successful exploitation allows an attacker to render the application unresponsive, slowing or completely stopping service. The result is a denial of service (DoS) affecting availability only.

What is the Exploitability of CVE-2017-16115?

Exploitation is low in complexity and typically requires no authentication or special privileges. The vulnerability is remotely exploitable: an attacker only needs to submit a specially crafted string to any application endpoint that passes user input to the vulnerable timespan parsing function. There are no prerequisites beyond the application using a vulnerable version and accepting user input that reaches that function; the attacker's main task is identifying an input field that feeds into timespan. The risk is high wherever user-supplied data, such as query parameters or form submissions, is used in date parsing without prior validation or a length limit. Because the cost of the attack grows with input length, capping the length of input passed to the parser to a small number of characters (e.g., 150) significantly mitigates the risk.
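The following Node.js script is an added example, not code from the timespan package or from the advisory. It illustrates both the catastrophic backtracking described under Technical Details and the length-cap mitigation described above. The regular expression in it is a stand-in with the same structural flaw (a nested, ambiguous quantifier after a date prefix); it is not timespan's actual parser. The crafted payload, the function names, and the `MAX_DATE_INPUT_LENGTH` constant are constructed for the demonstration, with 150 taken from the figure quoted above.

```javascript
'use strict';
// Added example: illustrative ReDoS shape plus the boundary mitigation.
// The regexes are stand-ins, NOT timespan's own code.

// Vulnerable shape: after the date, `\s*(\s*\w+)*` lets one run of word
// characters be split between iterations in exponentially many ways. A tail
// that can never match ("!") forces the engine to try every split before
// reporting failure.
const VULNERABLE_DATE_RE = /^(\d{4}-\d{2}-\d{2})\s*(\s*\w+)*$/;

// Hardened shape: every repetition must start with at least one whitespace
// character, so a run of word characters matches in exactly one way and a
// failing tail is rejected in time linear in the input length.
const HARDENED_DATE_RE = /^(\d{4}-\d{2}-\d{2})(?:\s+\w+)*$/;

// Mitigation for the case where no fixed library version exists: cap input
// length at the application boundary before any regex sees it. 150 is the
// figure the advisory suggests (assumed here as a constant name).
const MAX_DATE_INPUT_LENGTH = 150;

// Constructed payload: a valid date, n word characters, then a character the
// pattern cannot accept, so the only way out is exhaustive backtracking.
function craftedInput(n) {
  return '2017-11-01 ' + 'a'.repeat(n) + '!';
}

// Time a single match; returns the match result and wall-clock milliseconds.
function timeMatch(re, input) {
  const t0 = performance.now();
  const matched = re.test(input);
  return { matched, ms: performance.now() - t0 };
}

// Wrapper an application would put in front of a vulnerable parser: rejects
// non-string or oversized input before the (possibly exponential) regex runs.
// Returns null when rejected or when the pattern does not match.
function guardedParseDate(input, re = VULNERABLE_DATE_RE) {
  if (typeof input !== 'string' || input.length > MAX_DATE_INPUT_LENGTH) {
    return null;
  }
  const m = re.exec(input);
  if (!m) return null;
  return { date: m[1], rest: input.slice(m[1].length).trim() };
}

function main() {
  // Matching time roughly doubles with each extra character for the
  // vulnerable pattern and stays flat for the hardened one.
  console.log('n\tvulnerable ms\thardened ms');
  for (const n of [10, 12, 14, 16, 18]) {
    const payload = craftedInput(n);
    const v = timeMatch(VULNERABLE_DATE_RE, payload);
    const h = timeMatch(HARDENED_DATE_RE, payload);
    console.log(`${n}\t${v.ms.toFixed(2)}\t\t${h.ms.toFixed(2)}`);
  }
  // With the guard in place a 50,000-character payload never reaches the regex.
  console.log('guarded 50k-char payload ->', guardedParseDate(craftedInput(50000)));
  console.log('guarded valid input      ->', guardedParseDate('2017-11-01 next week'));
}

main();
```

The timing loop stops at 18 trailing characters on purpose; doubling past that quickly reaches the multi-second stalls the advisory describes. The length cap is a mitigation, not a fix: it bounds the damage a single request can do, while replacing the ambiguous pattern (as `HARDENED_DATE_RE` does) removes the super-linear behaviour entirely.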

What are the Known Public Exploits?

No known public exploits.

What are the Available Fixes for CVE-2017-16115?

Available Upgrade Options

  • No fixes available: no fixed version of timespan has been published. Mitigate at the application boundary by capping the length of any input passed to the parser.


What are Similar Vulnerabilities to CVE-2017-16115?

Similar Vulnerabilities: CVE-2023-28155, CVE-2023-28156, CVE-2023-28157, CVE-2023-28158, CVE-2023-26136