CVE-2020-26304
Regular Expression Denial of Service (ReDoS) vulnerability in foundation-sites (npm)

What is CVE-2020-26304 About?

Foundation framework versions 6.3.3 and prior contain one or more regular expressions vulnerable to Regular Expression Denial of Service (ReDoS). An attacker can supply specially crafted input that causes the regular expression engine to consume excessive processing time, leading to a denial of service. Exploitation is relatively easy: it only requires supplying input that triggers the ReDoS condition.

Affected Software

foundation-sites <=6.3.3

Technical Details

The vulnerability lies within the Foundation front-end framework, specifically in versions up to and including 6.3.3, where certain regular expressions are poorly constructed and therefore susceptible to ReDoS attacks. A ReDoS vulnerability occurs when the structure of a regular expression (e.g., nested quantifiers or overlapping optional groups that cause excessive backtracking) makes the time needed to process certain strings grow exponentially with the input length. An attacker can craft an input string that, when evaluated against the vulnerable regular expression, consumes an exorbitant amount of CPU time. This excessive processing makes the application unresponsive or crashes it, resulting in a denial of service. The exact vulnerable regular expression(s) are not specified, but the common mechanism involves feeding a string that maximizes backtracking operations.
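The backtracking behaviour described above, as an added example that is not code from foundation-sites or from this advisory. Because the affected expressions are not specified, `NESTED` and `FLAT` are constructed patterns, and `auditPattern`, `guardedTest`, the 10 ms budget and `MAX_INPUT` are assumptions chosen for illustration.

```javascript
// Added example. NESTED and FLAT are constructed patterns, not the
// expressions from foundation-sites (the advisory does not specify those).

// Nested quantifier: "a+" inside "(...)+" gives the engine exponentially many
// ways to split a run of "a" before it can report that the match fails.
const NESTED = /^(a+)+$/;
// Accepts exactly the same strings, with only one way to match each of them.
const FLAT = /^a+$/;

// Near-miss probe: a run the pattern accepts, then one character it cannot.
const nearMiss = (n) => 'a'.repeat(n) + '!';

// Wall-clock milliseconds for a single test() call.
function timeMatch(re, input) {
  const start = performance.now();
  re.test(input);
  return performance.now() - start;
}

// Audit helper (hypothetical name): time the pattern on probes of growing
// length and flag it when the longest probe exceeds budgetMs. maxLen is kept
// small so the audit itself finishes quickly on a backtracking pattern.
function auditPattern(re, { maxLen = 24, step = 4, budgetMs = 10 } = {}) {
  const samples = [];
  for (let n = step; n <= maxLen; n += step) {
    samples.push({ n, ms: timeMatch(re, nearMiss(n)) });
  }
  return { samples, suspicious: samples[samples.length - 1].ms > budgetMs };
}

// Stop-gap for a pattern that cannot be replaced yet: bound the input length
// before the regex sees it. MAX_INPUT is an assumed, application-specific cap.
const MAX_INPUT = 16;
function guardedTest(re, input) {
  if (typeof input !== 'string' || input.length > MAX_INPUT) return false;
  return re.test(input);
}

for (const [name, re] of Object.entries({ NESTED, FLAT })) {
  const { samples, suspicious } = auditPattern(re);
  console.log(name, suspicious ? 'SUSPICIOUS' : 'ok',
    samples.map((s) => `${s.n}:${s.ms.toFixed(2)}ms`).join(' '));
}
```

The per-length timings for `NESTED` roughly double with each added character, while `FLAT` stays flat; the same harness can be pointed at patterns extracted from a dependency during review.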

What is the Impact of CVE-2020-26304?

Successful exploitation may allow attackers to cause a denial of service, rendering affected web applications or services unresponsive and unavailable to users.

What is the Exploitability of CVE-2020-26304?

Exploitation is generally remote and does not require authentication or elevated privileges. An attacker simply needs to provide specially crafted input that reaches the vulnerable regular expression. This can often be done via standard input fields, URL parameters, or other user-controlled data points that are subsequently processed by the vulnerable regular expression. The complexity is low once the specific vulnerable regular expression and the corresponding malicious input pattern are identified. The primary risk factors are public-facing web applications or services that use the vulnerable Foundation framework version and process untrusted user input with susceptible regular expressions.

What are the Known Public Exploits?

No known exploits

What are the Available Fixes for CVE-2020-26304?

Available Upgrade Options

  • No fixes available

Additional Resources

What are Similar Vulnerabilities to CVE-2020-26304?

Similar Vulnerabilities: CVE-2020-8174, CVE-2021-23337, CVE-2022-25860, CVE-2023-28100, CVE-2024-XXXXX