CVE-2020-36649
Regular Expression Denial of Service (ReDoS) vulnerability in papaparse (npm)


What is CVE-2020-36649 About?

Versions of `papaparse` prior to 5.2.0 are vulnerable to Regular Expression Denial of Service (ReDoS). A malformed regular expression inside the `parse` function exhibits exponential processing time on certain non-numerical inputs, so an attacker can stall the system and mount a denial of service simply by supplying crafted input data.

Affected Software

papaparse <5.2.0

Technical Details

The papaparse library, specifically versions prior to 5.2.0, contains a Regular Expression Denial of Service (ReDoS) vulnerability. Within the parse function, an internal regular expression used for parsing CSV or similar data is malformed. This regex exhibits 'catastrophic backtracking' when presented with certain crafted non-numerical input strings. When such input is passed to the parse function, the regex engine enters an inefficient state, consuming an exponential amount of CPU time to process the input. This excessive computation blocks the application's event loop, leading to resource exhaustion and a denial of service. The attack vector involves submitting maliciously crafted data that triggers this pathological regex behavior.

What is the Impact of CVE-2020-36649?

Successful exploitation may allow attackers to consume excessive CPU resources, leading to a denial of service and causing the application to become unresponsive.

What is the Exploitability of CVE-2020-36649?

Exploitation of this vulnerability is of low complexity. An attacker needs to provide a specially crafted non-numerical input string to any application endpoint that utilizes the vulnerable papaparse.parse function. No authentication is typically required if the application processes untrusted user-supplied data in a format (e.g., CSV) that is handled by papaparse. This is a remote exploitation scenario. The attacker does not need any specific privileges. The likelihood of exploitation increases if the application publicly exposes endpoints that accept and parse data using papaparse without input validation or rate limiting.

What are the Known Public Exploits?

No known public exploits (PoC, author, link, commentary) are listed for this CVE.

What are the Available Fixes for CVE-2020-36649?


About the Fix from Resolved Security

The patch tightens the `FLOAT` regular expression by removing the case-insensitive flag and restricting the accepted float formats, so that certain non-numeric strings are no longer matched as numbers. This addresses CVE-2020-36649 by ensuring that data such as "Infinity", "NaN", or malformed scientific notation is not misinterpreted as a valid float, preventing the potential data-integrity and security issues that follow from such misparsing.
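As an added example (not papaparse's source or the Resolved Security patch), the check below shows the shape of fix the advisory describes: a numeric-field pattern with no overlapping quantifiers, the exponent marker written out explicitly instead of relying on the case-insensitive flag, and a length cap applied before the regular expression runs. The function names, the 64-character bound and the sample row are assumptions made for this illustration.

```javascript
// Added example, not papaparse's code. Assumes Node.js, no dependencies.

// Hardened float pattern. Each character has exactly one way to match:
//   - the integer part and the fraction are separated by a literal '.', so a
//     run of digits can never be split between two competing quantifiers
//     (that kind of ambiguity is what lets a regex engine backtrack);
//   - the exponent marker is spelled out as [eE] instead of relying on the
//     /i flag, and its digits are mandatory, so "1e" and "1e+" are rejected;
//   - no leading/trailing \s* is tolerated; callers trim explicitly instead.
const SAFE_FLOAT = /^-?(?:\d+(?:\.\d+)?|\.\d+)(?:[eE][-+]?\d+)?$/;

// Assumed upper bound on a cell we are willing to test at all; a numeric
// literal longer than this is not a value anyone meant to store in a CSV.
const MAX_NUMERIC_FIELD = 64;

// True only for strings the hardened pattern accepts. Words such as
// "Infinity" and "NaN" fail here even though Number() would convert them.
function isSafeFloat(field) {
  if (typeof field !== 'string') return false;
  const s = field.trim();
  if (s.length === 0 || s.length > MAX_NUMERIC_FIELD) return false;
  return SAFE_FLOAT.test(s);
}

// Converts a cell to a number only when the pattern approves and the result
// is finite (so "1e999" stays a string); otherwise returns the cell as-is.
function coerceField(field) {
  if (!isSafeFloat(field)) return field;
  const n = Number(field.trim());
  return Number.isFinite(n) ? n : field;
}

// Applies coerceField to every cell of an already-split CSV row.
function coerceRow(row) {
  return row.map(coerceField);
}

// Constructed sample row: header-like text, an integer, NaN, sci notation.
const SAMPLE_ROW = ['id', '12', 'NaN', '1e5'];
console.log(coerceRow(SAMPLE_ROW)); // [ 'id', 12, 'NaN', 100000 ]
```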

Available Upgrade Options

  • papaparse
    • <5.2.0 → Upgrade to 5.2.0


Additional Resources

What are Similar Vulnerabilities to CVE-2020-36649?

Similar vulnerabilities: CVE-2020-7733, CVE-2020-7734, CVE-2020-7736, CVE-2020-7739, CVE-2020-7740