CVE-2018-1109
Regular Expression Denial of Service (ReDoS) vulnerability in braces (npm)
What is CVE-2018-1109 About?
This vulnerability in Braces versions prior to 2.3.1 is a Regular Expression Denial of Service (ReDoS) attack vector. An attacker can craft specially designed input that causes the vulnerable regular expression to consume excessive processing time, leading to a denial of service. The ease of exploitation depends on the context of the regex usage in the application.
Affected Software
Technical Details
The vulnerability in Braces versions before 2.3.1 stems from an inefficiently constructed regular expression that contains a nested or overlapping quantifier, of the same shape as the textbook patterns (a+)* or (a|a)*. When a malicious or specially crafted input string is processed by this regular expression, the engine's backtracking enters a catastrophic state: the number of ways it can partition the input grows exponentially with the input string's length, so matching time grows exponentially as well and the application becomes unresponsive or crashes. This processing exhaustion results in a Denial of Service for legitimate users.
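The example below is added here and is not code from the braces project or from this advisory. It uses the illustrative nested-quantifier pattern named above, (a+)*, to show why such a regex is dangerous, contrasts it with an equivalent unambiguous pattern, and wraps regex evaluation in a length guard of the kind an application should place in front of any attacker-controlled input handed to a regex-heavy library; the limit MAX_INPUT_LENGTH is an assumed application setting.

```javascript
// Ambiguous pattern: a run of n 'a's can be split across the (a+)* iterations
// in roughly 2^n ways, and every split is tried before the match fails.
const AMBIGUOUS = /^(a+)*$/;
// Same language, no ambiguity: the engine never has to backtrack.
const LINEAR = /^a*$/;

// Constructed "evil" input: n 'a's followed by a character that cannot match,
// so the engine must exhaust every partition of the run before giving up.
function evilInput(n) {
  return 'a'.repeat(n) + '!';
}

// Run one regex against one input and report whether it matched and how long it took.
function timeMatch(re, input) {
  const start = process.hrtime.bigint();
  const matched = re.test(input);
  const ms = Number(process.hrtime.bigint() - start) / 1e6;
  return { matched, ms };
}

// Assumed application limit on user-supplied strings that reach a regex.
const MAX_INPUT_LENGTH = 64;

// Defensive wrapper: reject oversized or non-string input before the regex sees it,
// which bounds the work a backtracking engine can be made to do.
function guardedTest(re, input, maxLen = MAX_INPUT_LENGTH) {
  if (typeof input !== 'string' || input.length > maxLen) {
    return { accepted: false, matched: null };
  }
  return { accepted: true, matched: re.test(input) };
}

// Demonstration: matching time for the ambiguous pattern roughly doubles per added
// character, while the linear pattern stays flat. Sizes are kept small on purpose.
for (const n of [12, 14, 16, 18]) {
  const slow = timeMatch(AMBIGUOUS, evilInput(n));
  const fast = timeMatch(LINEAR, evilInput(n));
  console.log(`n=${n} ambiguous=${slow.ms.toFixed(2)}ms linear=${fast.ms.toFixed(3)}ms`);
}
console.log(guardedTest(AMBIGUOUS, evilInput(100))); // { accepted: false, matched: null }
```

Both patterns reject the crafted input, but only the ambiguous one pays an exponential price for doing so; a length guard plus an unambiguous rewrite of the pattern is the standard mitigation when the library itself cannot be upgraded immediately.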
What is the Impact of CVE-2018-1109?
Successful exploitation may allow attackers to cause a denial of service, rendering the affected application unresponsive or unavailable to legitimate users.
What is the Exploitability of CVE-2018-1109?
Exploitation of this ReDoS vulnerability involves crafting specific input strings that trigger the inefficient backtracking in the vulnerable regular expression. The complexity is moderate, requiring knowledge of the specific regex pattern used and how to craft 'evil' strings. No authentication or privileged access is typically required, as ReDoS often affects publicly accessible input fields. This is usually a remote attack, depending on where the braces package processes user input. The primary special condition is the presence of the vulnerable regular expression in a code path reachable by attacker-controlled input. The likelihood of exploitation increases if the application accepts arbitrary user input (e.g., search queries, form fields) that is then processed by the braces package's regular expressions.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2018-1109?
Available Upgrade Options
- braces
- <2.3.1 → Upgrade to 2.3.1
Additional Resources
- https://nvd.nist.gov/vuln/detail/CVE-2018-1109
- https://bugzilla.redhat.com/show_bug.cgi?id=1547272
- https://snyk.io/vuln/npm:braces:20180219
- https://osv.dev/vulnerability/GHSA-cwfw-4gq5-mrqx
- https://github.com/micromatch/braces/commit/abdafb0cae1e0c00f184abbadc692f4eaa98f451
What are Similar Vulnerabilities to CVE-2018-1109?
Similar Vulnerabilities: CVE-2019-11324, CVE-2020-28500, CVE-2021-42340, CVE-2022-24999, CVE-2023-43646
