CVE-2019-17592
Regular Expression Denial of Service vulnerability in csv-parse (npm)

Regular Expression Denial of Service No known exploit

What is CVE-2019-17592 About?

This vulnerability in 'csv-parse' versions prior to 4.4.6 is a Regular Expression Denial of Service (ReDoS). The '__isInt()' function contains a malformed regular expression that processes large, specially crafted input very slowly, leading to a denial of service. The impact is resource exhaustion, and the flaw is relatively easy to trigger by supplying a specific input when the 'cast' option is used.

Affected Software

csv-parse <4.4.6

Technical Details

Versions of the csv-parse package prior to 4.4.6 are vulnerable to a Regular Expression Denial of Service (ReDoS) attack. The vulnerability resides within the __isInt() function, which is used when the cast option is enabled to determine if a value should be cast to an integer. This function contains a malformed regular expression that exhibits 'catastrophic backtracking' when processing specific, specially crafted input strings. An attacker can provide a long string that forces the regular expression engine to explore an exponentially increasing number of paths, consuming excessive CPU resources. This prolonged computation time for a single input string causes the application to become unresponsive, effectively leading to a denial of service for any process or service attempting to parse such malicious CSV data with the cast option enabled.
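The defensive counterpart to the mechanism just described is to make sure the integer check used during casting does linear work per field. The block below is an added example, not code from csv-parse or its maintainers: it shows a linear-time integer test with a per-field length cap, wrapped in a callback of the shape csv-parse accepts when the `cast` option is given a function rather than `true`. The field values, the 32-character limit, and the use of `context.quoting` are constructed assumptions for illustration; the commented-out pattern is only an illustration of the overlapping-quantifier class of regex and is not claimed to be the exact expression that shipped in the vulnerable versions.

```javascript
// Added example, not csv-parse's own code: a linear-time integer check that
// can be supplied as a custom `cast` callback so parsing never depends on a
// backtracking-prone pattern. All field values below are constructed input.

// Upper bound on how many characters a single numeric field is allowed to
// have before it is simply left as a string. This caps the work done per
// field regardless of which check runs (assumed limit, tune per application).
const MAX_NUMERIC_FIELD_LENGTH = 32;

// Illustrative shape of a backtracking-prone integer pattern: two adjacent
// quantifiers whose character classes overlap ([1-9]+ then [0-9]*) give the
// engine many ways to split a run of digits before a trailing mismatch is
// finally rejected. Shown for contrast only; it is NOT executed here and is
// not claimed to be the exact expression from csv-parse.
// const OVERLAPPING_INTEGER_RE = /^[-+]?[1-9]+[0-9]*$/;

// Hardened form: at every position exactly one alternative can match, so the
// engine walks the string once with no ambiguous split points to revisit.
const LINEAR_INTEGER_RE = /^[-+]?(?:0|[1-9][0-9]*)$/;

function safeIsInt(value) {
  if (typeof value !== "string") return false;
  if (value.length === 0 || value.length > MAX_NUMERIC_FIELD_LENGTH) return false;
  return LINEAR_INTEGER_RE.test(value);
}

// Cast callback in the (value, context) shape csv-parse's `cast` option
// accepts when given a function: returns a number for safe integers and the
// untouched string otherwise. Quoted fields are left as strings (assumed
// policy; it mirrors the usual expectation that "42" in quotes is text).
function castField(value, context = {}) {
  if (context.quoting) return value;
  if (safeIsInt(value)) {
    const n = Number(value);
    // Refuse values that a JS number cannot represent exactly.
    return Number.isSafeInteger(n) ? n : value;
  }
  return value;
}

// Apply the callback to an already-split record, the way the parser would.
function castRecord(record) {
  return record.map((value, index) => castField(value, { index, quoting: false }));
}

// Constructed sample rows: an ordinary record, and one carrying an oversized
// digit run of the kind a backtracking check would grind on. Note that "007"
// stays a string: leading zeros are deliberately not treated as an integer.
const sampleRecord = ["alice", "42", "-7", "007", "3.5"];
const hostileRecord = ["bob", "1".repeat(100000) + "x"];

console.log(castRecord(sampleRecord));
// → [ 'alice', 42, -7, '007', '3.5' ]

const start = performance.now();
castRecord(hostileRecord);
console.log(`hostile record cast in ${(performance.now() - start).toFixed(2)} ms`);
```

The length cap is the part that matters operationally: even a well-formed regex is wasted effort on a 100,000-character "number", and rejecting oversized fields up front keeps per-record cost bounded independent of the engine's behaviour. The same cap can be enforced one layer earlier with csv-parse's record-size or field-size limits where the parser version offers them.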

What is the Impact of CVE-2019-17592?

Successful exploitation may allow attackers to exhaust system resources, leading to a denial of service condition for applications processing specially crafted CSV input.

What is the Exploitability of CVE-2019-17592?

Exploitation of this ReDoS vulnerability is of low to moderate complexity. The primary prerequisite is that the application uses csv-parse and enables the cast option. No authentication or special privileges are required to trigger the vulnerability, as it depends solely on the content of the input data. This is typically a remote scenario in which an attacker supplies specially crafted CSV data to an endpoint that processes it with the vulnerable csv-parse configuration. The risk is higher if the application accepts untrusted user-supplied CSV files or data streams and performs casting on them. The attacker needs to craft a string that maximizes backtracking in the __isInt() regex, which does not require deep knowledge of the library's internals but does require an understanding of regex performance characteristics.

What are the Known Public Exploits?

No known public exploits.

What are the Available Fixes for CVE-2019-17592?

Available Upgrade Options

  • csv-parse
    • <4.4.6 → Upgrade to 4.4.6


Additional Resources

What are Similar Vulnerabilities to CVE-2019-17592?

Similar Vulnerabilities: CVE-2020-28498, CVE-2020-7699, CVE-2019-10757, CVE-2020-28469, CVE-2020-15383