CVE-2017-20165
Inefficient Regular Expression Complexity vulnerability in debug (npm)
What is CVE-2017-20165 About?
This vulnerability is a Regular Expression Denial of Service (ReDoS) in the `debug-js` library's `useColors` function. It arises from inefficient regular expression complexity, leading to excessive CPU consumption when processing specially crafted input. Exploitation is triggered by manipulating the 'str' argument.
Affected Software
- debug
  - <2.6.9
  - >3.0.0, <3.1.0
Technical Details
The vulnerability exists in the `useColors` function within the `src/node.js` file of the `debug-js` library. Specifically, an inefficient regular expression is used to process the `str` argument. When a specially crafted string is passed as `str`, the regular expression engine enters a catastrophic backtracking state. This causes the regex matching operation to consume an exponential amount of CPU resources, leading to high CPU utilization and potentially making the application unresponsive or causing a Denial of Service.
What is the Impact of CVE-2017-20165?
Successful exploitation may allow attackers to cause excessive CPU consumption, making the application unresponsive, and leading to a denial of service for users.
What is the Exploitability of CVE-2017-20165?
Exploitation involves providing a specially crafted string to the useColors function, which triggers the inefficient regular expression. The complexity is low to moderate, requiring knowledge of ReDoS attack patterns. No authentication is required, as the vulnerability affects the processing of input. This is typically a remote exploitation scenario if user-supplied input is processed by this function, but could be local if an attacker can inject malicious string data. The primary risk factor is the acceptance of untrusted input that is then processed by the vulnerable regular expression.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| fastify | Link | Fork of the send module to deal with CVE-2017-20165 |
What are the Available Fixes for CVE-2017-20165?
About the Fix from Resolved Security
The patch replaces the potentially vulnerable regular expression `.replace(/\s*\n\s*/g, ' ')` with a safer approach that splits the string by newlines, trims each resulting substring, and then joins them with spaces. This change fixes CVE-2017-20165 by preventing a regular expression denial of service (ReDoS) vulnerability that could be triggered by attacker-controlled input containing excessive whitespace and newlines, significantly improving performance and preventing possible application hangs.
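The two forms described above can be compared side by side as a regression check. This is an added example, not code from the debug project: the function names `collapseRegex`, `collapseSplit`, `elapsedMs`, `whitespaceRun` and `compare` are hypothetical, and both sample inputs are constructed.

```javascript
// Added example; all function names here are hypothetical.

// Pre-patch form: the regular expression quoted in the fix description.
function collapseRegex(text) {
  return text.replace(/\s*\n\s*/g, ' ');
}

// Patched form: split on newlines, trim each piece, join with spaces.
function collapseSplit(text) {
  return text
    .split('\n')
    .map(function (line) { return line.trim(); })
    .join(' ');
}

// Wall-clock milliseconds for a single call of fn(input).
function elapsedMs(fn, input) {
  const start = performance.now();
  fn(input);
  return performance.now() - start;
}

// Constructed sample resembling multi-line object-inspection output.
const SAMPLE = "{ a: 1,\n  b: 'x',\n  c: [ 1, 2 ] }";

// Constructed input: a whitespace run with no newline. The regex retries
// its leading \s* from every offset, so its cost grows faster than the
// input length, while split/trim/join passes over the string once.
function whitespaceRun(n) {
  return ' '.repeat(n);
}

// Time both forms on the same whitespace run of length n.
function compare(n) {
  const input = whitespaceRun(n);
  return {
    n: n,
    regexMs: elapsedMs(collapseRegex, input),
    splitMs: elapsedMs(collapseSplit, input),
  };
}

console.log('same output on sample:', collapseRegex(SAMPLE) === collapseSplit(SAMPLE));
for (const n of [5000, 10000, 20000]) console.log(compare(n));
```

The two forms are not byte-for-byte equivalent on every input: on a string containing a blank line, such as `"a\n\nb"`, the regex form yields one space and the split form yields two.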
Available Upgrade Options
- debug
  - <2.6.9 → Upgrade to 2.6.9
  - >3.0.0, <3.1.0 → Upgrade to 3.1.0
Additional Resources
- https://vuldb.com/?ctiid.217665
- https://github.com/debug-js/debug/commit/c38a0166c266a679c8de012d4eaccec3f944e685
- https://github.com/debug-js/debug/releases/tag/3.1.0
- https://github.com/debug-js/debug/pull/504
- https://nvd.nist.gov/vuln/detail/CVE-2017-20165
- https://github.com/debug-js/debug/releases/tag/2.6.9
- https://osv.dev/vulnerability/GHSA-9vvw-cc9w-f27h
What are Similar Vulnerabilities to CVE-2017-20165?
Similar Vulnerabilities: CVE-2016-10537, CVE-2017-16138, CVE-2018-1107, CVE-2018-16461, CVE-2019-8331
