CVE-2017-18077
Regular Expression Denial of Service vulnerability in brace-expansion (npm)
What is CVE-2017-18077 About?
The `brace-expansion` package is vulnerable to a Regular Expression Denial of Service (ReDoS) condition. This allows an attacker to cause the application to consume excessive CPU resources, leading to a denial of service. Exploitation is simple, requiring specially crafted input to the package.
Affected Software
Technical Details
The vulnerability in brace-expansion is a Regular Expression Denial of Service (ReDoS). It is triggered when the regular expression the package uses to parse brace patterns is applied to a specially crafted input string whose overlapping alternatives cause catastrophic backtracking. A proof-of-concept demonstrates this with a string like '{,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, }'. The cost of evaluating the regular expression grows exponentially or polynomially with the length of the input, so the process hangs or consumes all available CPU for an extended period, making the application unresponsive and achieving a denial of service.
What is the Impact of CVE-2017-18077?
Successful exploitation may allow attackers to cause the application to become unresponsive or crash, leading to service disruption and loss of availability.
What is the Exploitability of CVE-2017-18077?
Exploitation of this Regular Expression Denial of Service (ReDoS) vulnerability is simple. There are no specific authentication or privilege requirements; an unauthenticated user could exploit this by providing a specially crafted input string wherever the brace-expansion package processes user-supplied data. This is typically a remote attack vector if the application exposes an interface that processes such input. The only prerequisite is that the application uses a vulnerable version of brace-expansion. Risk factors that increase exploitation likelihood include applications that process arbitrary user input without sanitization or input length limits, as this makes it easy for an attacker to craft a malicious string that triggers the ReDoS condition.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2017-18077?
Available Upgrade Options
- brace-expansion
  - <1.1.7 → Upgrade to 1.1.7
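The two defensive checks below are an added example, not code from the advisory or from the brace-expansion project: a version check that flags installed copies older than the fixed release 1.1.7 (as listed above), and an input budget that rejects patterns of the shape described in the technical details (a brace group holding a long run of commas) before they reach the package. The length and comma thresholds are assumptions chosen for illustration.

```javascript
// Added example for CVE-2017-18077 (not part of the advisory or the project).
// 1. isVulnerableBraceExpansion(): true when an installed version of
//    brace-expansion (e.g. read from package-lock.json) predates the fix, 1.1.7.
// 2. guardBraceInput(): bounds pattern length and comma count before the
//    pattern is handed to brace-expansion, limiting exposure of unpatched copies.
const FIXED_VERSION = '1.1.7';

// Parse "1.1.6", "v1.1.6" or "^1.1.6" into [major, minor, patch].
function parseVersion(v) {
  const m = /^[\^~=v]*(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// True when the installed release is older than the fixed release.
function isVulnerableBraceExpansion(installed) {
  return compareVersions(installed, FIXED_VERSION) < 0;
}

// Input budget applied before calling brace-expansion. Thresholds are
// assumptions: real brace patterns rarely need hundreds of characters or
// dozens of alternatives, while the PoC shape relies on a long comma run.
function guardBraceInput(pattern, { maxLength = 256, maxCommas = 32 } = {}) {
  if (typeof pattern !== 'string') return { ok: false, reason: 'not a string' };
  if (pattern.length > maxLength) return { ok: false, reason: 'pattern too long' };
  const commas = (pattern.match(/,/g) || []).length;
  if (commas > maxCommas) {
    return { ok: false, reason: `pattern has ${commas} commas (limit ${maxCommas})` };
  }
  return { ok: true, reason: '' };
}

// Constructed sample modelled on the advisory's proof-of-concept shape.
const POC_LIKE = '{' + ','.repeat(100) + ' }';

console.log(isVulnerableBraceExpansion('1.1.6'), guardBraceInput(POC_LIKE));
```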
Additional Resources
- https://github.com/juliangruber/brace-expansion/issues/33
- https://github.com/juliangruber/brace-expansion/pull/35
- https://nodesecurity.io/advisories/338
- https://bugs.debian.org/862712
- https://nvd.nist.gov/vuln/detail/CVE-2017-18077
- https://github.com/advisories/GHSA-832h-xg76-4gv6
- https://github.com/juliangruber/brace-expansion/pull/35/commits/b13381281cead487cbdbfd6a69fb097ea5e456c3
- https://github.com/juliangruber/brace-expansion
What are Similar Vulnerabilities to CVE-2017-18077?
Similar Vulnerabilities: CVE-2020-7729, CVE-2020-7774, CVE-2020-8174, CVE-2021-23337, CVE-2021-23424
