CVE-2017-16116
regular expression denial of service vulnerability in string (npm)
What is CVE-2017-16116 About?
Affected versions of the `string` package are vulnerable to regular expression denial of service (ReDoS) when untrusted input reaches the `underscore` or `unescapeHTML` methods. A crafted input keeps the regular expression engine busy long enough to exhaust CPU and make the service unavailable. Exploitation is straightforward for any attacker who can supply input to one of those methods.
Affected Software
- `string` (npm), versions <= 3.3.3. No patched release exists.
Technical Details
The regular expressions used by the `underscore` and `unescapeHTML` methods of the `string` package backtrack heavily on certain inputs: the matching time grows much faster than linearly with the input length. If untrusted input reaches either method, an attacker can craft a string (typically a long run of characters that repeatedly almost matches the pattern and never completes it) that keeps the regex engine busy for seconds or longer. Because regex matching in Node.js runs synchronously on the event loop, a single such call blocks every other request handled by that process, so the service becomes unresponsive until the match completes or the process is killed.
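The following is an added example, not code from the `string` package or from this advisory. It shows the two things a practitioner wants here: a timing harness that makes the superlinear cost of an unbounded backtracking pattern visible, and single-pass, bounded replacements for an HTML-entity unescaper and a camelCase-to-snake_case converter that do O(n) work on any input. The pattern `&([^;]+);` is used only as an illustration of the unbounded-character-class shape that causes the problem; it is not asserted to be the library's own expression, and the entity table and separator rules are assumptions chosen for the example, not a claim about the library's exact output.

```javascript
// Added example (not string.js code). Illustrative pattern with the problematic shape:
// `[^;]+` is unbounded, so on input made of many '&' and no ';' the engine does O(n)
// work at every '&' and O(n^2) overall. Assumption: shape only, not the library's regex.
const UNBOUNDED_ENTITY_RE = /&([^;]+);/g;

function unescapeHtmlRegex(s) {
  return s.replace(UNBOUNDED_ENTITY_RE, (m, body) => decodeEntityBody(body) ?? m);
}

// Assumed entity table for the example; a real implementation would use the full HTML list.
const NAMED_ENTITIES = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'", nbsp: "\u00a0" };
const MAX_ENTITY_BODY = 32; // longest text between '&' and ';' we will ever examine

// Decode the text between '&' and ';'. Returns null if it is not a recognised entity.
function decodeEntityBody(body) {
  if (body.length === 0 || body.length > MAX_ENTITY_BODY) return null;
  if (body[0] !== "#") {
    return Object.prototype.hasOwnProperty.call(NAMED_ENTITIES, body) ? NAMED_ENTITIES[body] : null;
  }
  const hex = body[1] === "x" || body[1] === "X";
  const digits = body.slice(hex ? 2 : 1);
  if (!(hex ? /^[0-9a-fA-F]+$/ : /^[0-9]+$/).test(digits)) return null; // bounded input, O(1)
  const cp = parseInt(digits, hex ? 16 : 10);
  return cp <= 0x10ffff ? String.fromCodePoint(cp) : null;
}

// Linear-time unescape: each '&' triggers a forward scan of at most MAX_ENTITY_BODY
// characters, so total work is O(n) whatever the input looks like.
function unescapeHtmlLinear(s) {
  let out = "";
  let i = 0;
  while (i < s.length) {
    if (s[i] !== "&") { out += s[i]; i++; continue; }
    let j = i + 1;
    while (j < s.length && j - (i + 1) < MAX_ENTITY_BODY && s[j] !== ";") j++;
    const decoded = (j < s.length && s[j] === ";") ? decodeEntityBody(s.slice(i + 1, j)) : null;
    if (decoded === null) { out += "&"; i++; continue; } // not an entity: emit '&' literally
    out += decoded;
    i = j + 1;
  }
  return out;
}

// Single-pass camelCase / whitespace / hyphen -> snake_case, no regular expressions.
// Rules are assumptions for this example: underscore before an upper-case letter that
// follows a lower-case letter or digit, or that sits between an upper-case letter and a
// lower-case one (HTMLParser -> html_parser); runs of spaces/hyphens collapse to one '_'.
function underscoreLinear(s) {
  const isUpper = (c) => c >= "A" && c <= "Z";
  const isLower = (c) => c >= "a" && c <= "z";
  const isDigit = (c) => c >= "0" && c <= "9";
  const isSep = (c) => c === "-" || c === " " || c === "\t" || c === "\n" || c === "\r";
  let out = "";
  let pendingSep = false;
  for (let i = 0; i < s.length; i++) {
    const c = s[i];
    if (isSep(c)) { pendingSep = true; continue; }
    const prev = s[i - 1], next = s[i + 1];
    if (pendingSep && out.length > 0) out += "_";
    else if (isUpper(c) && prev !== undefined && (isLower(prev) || isDigit(prev))) out += "_";
    else if (isUpper(c) && prev !== undefined && isUpper(prev) && next !== undefined && isLower(next)) out += "_";
    pendingSep = false;
    out += c.toLowerCase();
  }
  return out;
}

// Constructed worst case for the unbounded pattern: n ampersands and no semicolon.
// Returns wall-clock milliseconds for each implementation.
function compareTimings(n) {
  const payload = "&".repeat(n);
  const t0 = performance.now();
  unescapeHtmlRegex(payload);
  const t1 = performance.now();
  unescapeHtmlLinear(payload);
  const t2 = performance.now();
  return { n, regexMs: t1 - t0, linearMs: t2 - t1 };
}

if (typeof require !== "undefined" && require.main === module) {
  for (const n of [2000, 4000, 8000]) console.log(compareTimings(n)); // regexMs roughly quadruples per doubling
}
```

Running the file prints timings for three doubling input sizes; the regex column grows roughly four-fold per doubling while the scanner stays flat. Where the library cannot be removed immediately, the cheapest interim control is to cap the length of untrusted input before it reaches `underscore` or `unescapeHTML`, since the cost is driven by input length.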
What is the Impact of CVE-2017-16116?
Successful exploitation causes a denial of service: the affected Node.js process consumes excessive CPU and stops responding to other requests while the match runs. Confidentiality and integrity are not affected.
What is the Exploitability of CVE-2017-16116?
Exploitation is of low complexity: the only requirement is the ability to get attacker-controlled input into the `underscore` or `unescapeHTML` methods of the `string` package. No authentication, privileges or user interaction are needed, and the attack is typically remote, for example a single HTTP request carrying the crafted string. The likelihood of exploitation is high in web applications and APIs that pass user-supplied content through these methods without first bounding its length, because one request with a suitable payload is enough to stall the process.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | ||
What are the Available Fixes for CVE-2017-16116?
Available Upgrade Options
- No fixes available: no patched release of `string` exists. Remove the dependency or replace the affected calls with a non-backtracking implementation, and cap the length of untrusted input that reaches any remaining use.
Additional Resources
- https://github.com/jprichardson/string.js/issues/212
- https://github.com/advisories/GHSA-g36h-6r4f-3mqp
- https://osv.dev/vulnerability/GHSA-g36h-6r4f-3mqp
- https://nvd.nist.gov/vuln/detail/CVE-2017-16116
- https://www.npmjs.com/advisories/536
- https://nodesecurity.io/advisories/536
What are Similar Vulnerabilities to CVE-2017-16116?
Similar Vulnerabilities: CVE-2016-10540, CVE-2017-16099, CVE-2017-16100, CVE-2018-3729, CVE-2019-10744
