CVE-2020-26256
ReDoS (Regular Expression Denial of Service) vulnerability in fast-csv (npm)
What is CVE-2020-26256 About?
This vulnerability is a ReDoS (Regular Expression Denial of Service) in the `fast-csv` package, specifically when using the `ignoreEmpty` option during parsing. A specially crafted input can cause the regular expression to consume excessive processing time, leading to a denial of service, and is relatively easy to trigger.
Affected Software
- fast-csv: <4.3.6
- @fast-csv/parse: <4.3.6
Technical Details
The fast-csv package is vulnerable to a Regular Expression Denial of Service (ReDoS) attack when its ignoreEmpty option is enabled during parsing. The vulnerability lies in the EMPTY_ROW_REGEXP regular expression used to identify and skip empty rows, which is susceptible to catastrophic backtracking on specific malformed input. An attacker can craft a CSV file or stream containing rows that are not actually empty but are shaped so that the empty-row check backtracks heavily. When a parser with ignoreEmpty active processes such input, EMPTY_ROW_REGEXP consumes an exponential amount of CPU time, severely degrading performance or leaving the application unresponsive, effectively causing a denial of service.
What is the Impact of CVE-2020-26256?
Successful exploitation may allow attackers to cause a denial of service, making the affected application or service unresponsive by consuming excessive CPU resources.
What is the Exploitability of CVE-2020-26256?
Exploitation of this ReDoS vulnerability is of low complexity. An attacker needs to provide a specially crafted input to fast-csv while its ignoreEmpty option is enabled. No authentication is typically required if the application processes untrusted CSV files or streams from external sources. This is a remote attack vector. There are no special privilege requirements, as the attack targets the application's regular expression engine. The primary prerequisite is the use of an affected version of fast-csv with the ignoreEmpty option activated. The likelihood of exploitation is high in applications that parse untrusted CSV data using this configuration, as it can be easily triggered by a malicious file.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2020-26256?
Available Upgrade Options
- fast-csv: <4.3.6 → Upgrade to 4.3.6
- @fast-csv/parse: <4.3.6 → Upgrade to 4.3.6
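To check whether a project's lockfile still resolves either package to an affected release, here is an added JavaScript example; it is not part of this advisory or of the fast-csv project. It assumes a package-lock v2/v3 `packages` layout, and the lockfile fragment it scans is constructed for illustration.

```javascript
// Audit a resolved dependency map for CVE-2020-26256:
// fast-csv and @fast-csv/parse below 4.3.6 are affected.
const FIXED_VERSION = "4.3.6";
const AFFECTED_PACKAGES = ["fast-csv", "@fast-csv/parse"];

// Parse "1.2.3", "v1.2.3" or "1.2.3-beta.1" (build metadata ignored).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v.trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Comparator: negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.core[i] !== pb.core[i]) return pa.core[i] - pb.core[i];
  }
  // Same core: a prerelease sorts below the release (4.3.6-rc.1 < 4.3.6).
  if (pa.pre && !pb.pre) return -1;
  if (!pa.pre && pb.pre) return 1;
  if (pa.pre && pb.pre) return pa.pre < pb.pre ? -1 : pa.pre > pb.pre ? 1 : 0;
  return 0;
}

function isAffected(name, version) {
  return AFFECTED_PACKAGES.includes(name) && compareVersions(version, FIXED_VERSION) < 0;
}

// Walk a package-lock v2/v3 "packages" object. Keys are node_modules paths,
// nested ones included, so transitive copies under other packages are caught.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, info] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // the root project entry
    const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    if (isAffected(name, info.version)) {
      findings.push({ path, name, version: info.version, fix: FIXED_VERSION });
    }
  }
  return findings;
}

// Constructed sample lockfile fragment (not taken from any real project).
const SAMPLE_LOCK = {
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/fast-csv": { version: "4.3.5" },
    "node_modules/@fast-csv/parse": { version: "4.3.6" },
    "node_modules/some-tool/node_modules/@fast-csv/parse": { version: "4.3.6-beta.1" },
    "node_modules/@fast-csv/format": { version: "4.3.5" },
  },
};

console.log(auditLockfile(SAMPLE_LOCK));
```

Running it against the sample reports the top-level fast-csv 4.3.5 and the nested @fast-csv/parse prerelease; @fast-csv/format is left alone because the advisory does not list it.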
Additional Resources
- https://nvd.nist.gov/vuln/detail/CVE-2020-26256
- https://osv.dev/vulnerability/GHSA-8cv5-p934-3hwp
- https://github.com/C2FO/fast-csv
- https://www.npmjs.com/package/@fast-csv/parse
- https://lgtm.com/query/8609731774537641779/
- https://www.npmjs.com/advisories/1588
- https://www.npmjs.com/package/fast-csv
- https://www.npmjs.com/advisories/1587
- https://github.com/C2FO/fast-csv/issues/540
What are Similar Vulnerabilities to CVE-2020-26256?
Similar Vulnerabilities: CVE-2020-7753, CVE-2020-7662, CVE-2019-10756, CVE-2019-10771, CVE-2020-8174
