CVE-2017-20162
Inefficient Regular Expression Complexity vulnerability in ms (npm)

Inefficient Regular Expression Complexity | No known exploit | Fixable by Resolved Security

What is CVE-2017-20162 About?

A vulnerability categorized as problematic has been found in Vercel's `ms` package up to version 1.x. It affects the `parse` function in `index.js`, leading to inefficient regular expression complexity. This can result in a Denial of Service and can be initiated remotely, with an exploit publicly disclosed.

Affected Software

ms <2.0.0

Technical Details

The vulnerability resides in the `parse` function in `index.js` of the vercel/ms package (versions up to 1.x). The flaw is classified as Inefficient Regular Expression Complexity (typically a ReDoS). `parse` applies a regular expression that exhibits catastrophic backtracking on specially crafted values of its `str` argument. An attacker who supplies such a string causes the regular expression engine to consume excessive CPU, with matching time growing exponentially, so the application becomes unresponsive and a Denial of Service results. The exploit depends on the specific regex patterns and on how they are evaluated against pathological inputs.

What is the Impact of CVE-2017-20162?

Successful exploitation may allow attackers to disrupt the availability of the affected system or application, causing it to become unresponsive or crash.

What is the Exploitability of CVE-2017-20162?

Exploitation of this ReDoS vulnerability is of moderate complexity, requiring knowledge of regular expression weaknesses. It can be initiated remotely, because an unauthenticated attacker can supply crafted input to any endpoint that passes it to the vulnerable `parse` function. The prerequisite is an input vector that reaches `ms.parse`. The exploit has been publicly disclosed, increasing the likelihood of successful attacks. Exploitation is more likely in applications that pass untrusted user input to the `ms` package without validating it first.

What are the Known Public Exploits?

PoC Author Link Commentary
No known exploits

What are the Available Fixes for CVE-2017-20162?

A Fix by Resolved Security Exists!
Learn how our approach backports security patches directly to your dependencies.

About the Fix from Resolved Security

None

Available Upgrade Options

  • ms
    • <2.0.0 → Upgrade to 2.0.0
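`ms` is often installed as a transitive dependency, so an old copy can remain nested under another package after the top-level one is upgraded. The following added example (not code from this advisory or from the ms project) scans a parsed `package-lock.json` for every `ms` entry in the affected range `<2.0.0`; the function names and the sample lockfile are constructed for illustration.

```javascript
// Added example (not from the advisory or the ms project): find installed copies
// of `ms` in the affected range (<2.0.0). Names and sample data are constructed.

// True when a version is below 2.0.0 (a 2.0.0 prerelease sorts below 2.0.0).
function isAffectedMs(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(version);
  if (!m) return false; // not a plain semver (git URL, tarball): review by hand
  const [major, minor, patch] = [m[1], m[2], m[3]].map(Number);
  if (major !== 2) return major < 2;
  return minor === 0 && patch === 0 && m[4] !== undefined;
}

// Walk a parsed package-lock.json and return every affected `ms` entry.
function findAffectedMs(lock) {
  const hits = [];
  // lockfileVersion 2 and 3: flat "packages" map keyed by install path.
  for (const [path, info] of Object.entries(lock.packages || {})) {
    if (/(^|\/)node_modules\/ms$/.test(path) && isAffectedMs(info.version || "")) {
      hits.push({ path, version: info.version });
    }
  }
  if (lock.packages) return hits; // "dependencies" would repeat the same data
  // lockfileVersion 1: nested "dependencies" tree.
  const walk = (deps, trail) => {
    for (const [name, info] of Object.entries(deps || {})) {
      const path = `${trail}node_modules/${name}`;
      if (name === "ms" && isAffectedMs(info.version || "")) {
        hits.push({ path, version: info.version });
      }
      walk(info.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, "");
  return hits;
}

// Constructed sample: a patched top-level ms and an old copy nested under `debug`.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/debug": { version: "2.2.0" },
    "node_modules/debug/node_modules/ms": { version: "0.7.1" },
    "node_modules/ms": { version: "2.0.0" },
  },
};

console.log(findAffectedMs(sampleLock));
```

For a real project, pass the result of `JSON.parse` on the contents of its `package-lock.json` to `findAffectedMs`.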


Additional Resources

What are Similar Vulnerabilities to CVE-2017-20162?

Similar Vulnerabilities: CVE-2023-38545, CVE-2022-24754, CVE-2021-36367, CVE-2020-8178, CVE-2019-10744