CVE-2020-7753
Regular Expression Denial of Service (ReDoS) vulnerability in trim (npm)
What is CVE-2020-7753 About?
All versions of the 'trim' package below 0.0.3 are affected by a Regular Expression Denial of Service (ReDoS) in the trim() function. A specially crafted input string causes the regular expression used internally to consume excessive processing time, leading to a denial of service that leaves the application unresponsive; the condition is relatively easy to trigger.
Affected Software
Technical Details
The 'trim' package, in all versions prior to 0.0.3, is vulnerable to a Regular Expression Denial of Service (ReDoS) attack. This vulnerability specifically affects the trim() function. The regular expression used internally by the trim() function exhibits catastrophic backtracking behavior when processing certain malformed input strings. An attacker can construct a string that, when passed to trim(), causes the regular expression engine to evaluate an exponential number of possible matching paths. This consumes an inordinate amount of CPU resources, blocking the event loop or process, and ultimately leading to a denial of service for the application or server, rendering it unresponsive to legitimate requests.
What is the Impact of CVE-2020-7753?
Successful exploitation may allow attackers to cause a denial of service, making the affected application or service unresponsive by consuming excessive CPU resources.
What is the Exploitability of CVE-2020-7753?
Exploitation of this ReDoS vulnerability is generally straightforward, requiring the attacker to send a specially crafted input string to any function that utilizes the vulnerable trim() function. The complexity level is low. No prior authentication is needed if the application accepts unauthenticated input that is then processed by trim(). This is primarily a remote attack vector. Privilege requirements are minimal, as the attack targets the application's processing logic rather than requiring elevated permissions. The risk factor for exploitation is high in applications that frequently process untrusted or user-supplied strings with the vulnerable trim() function, especially in single-threaded environments or where input validation is insufficient.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | ||
What are the Available Fixes for CVE-2020-7753?
About the Fix from Resolved Security
This patch fixes CVE-2020-7753 by replacing a vulnerable regex-based whitespace trimming approach with character-by-character and simpler regex alternatives, preventing potential Regular Expression Denial of Service (ReDoS) attacks. The new implementation avoids catastrophic backtracking on large, crafted input strings, thereby addressing the root cause of the vulnerability.
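The character-by-character approach the fix description refers to, as an added example written for this page (it is not the trim package's own code and the helper names are assumptions): the scan touches each character at most once, so processing time grows linearly with input length regardless of how the whitespace is arranged.

```javascript
// Added example, not the trim package's code. Whitespace is defined by the
// JavaScript \s class so the result matches what a regex-based trim would
// produce, but the test is applied to one character at a time: there is no
// pattern spanning the whole string and therefore nothing to backtrack over.
const WS = /\s/;

// Character-by-character trim, O(n) in the length of the input.
function safeTrim(value) {
  const str = typeof value === 'string' ? value : String(value);
  let start = 0;
  let end = str.length;
  while (start < end && WS.test(str[start])) start++;
  while (end > start && WS.test(str[end - 1])) end--;
  return str.slice(start, end);
}

// Regression check a maintainer can keep in a test suite: run the trim
// function over a constructed input that contains a long interior run of
// whitespace (the shape that makes a backtracking trim regex slow) and
// report elapsed milliseconds. A linear implementation stays flat as n grows.
function timeOnLongWhitespace(trimFn, n) {
  const input = 'a' + ' '.repeat(n) + 'b';   // constructed sample input
  const t0 = Date.now();
  const out = trimFn(input);
  const elapsedMs = Date.now() - t0;
  return { elapsedMs, lengthOk: out.length === n + 2 };
}
```

Running `timeOnLongWhitespace(safeTrim, 1e6)` should report a few milliseconds; a quadratic trim shows a sharp increase between n = 1e5 and n = 1e6 on the same input.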
Available Upgrade Options
- trim
  - <0.0.3 → Upgrade to 0.0.3
Additional Resources
- https://lists.apache.org/thread.html/rcc7c2865a52b544a8e49386c6880e9b9ab29bfce1052b5569d09ee4a@%3Ccommits.airflow.apache.org%3E
- https://lists.apache.org/thread.html/r51ff3c2a4c7b8402f321eae7e624672cc2295c7bc8c12c8b871f6b0b%40%3Ccommits.airflow.apache.org%3E
- https://github.com/component/trim/blob/master/index.js#L6
- https://github.com/component/trim
- https://github.com/component/trim/blob/master/index.js
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1022132
- https://lists.apache.org/thread.html/r75b8d0b88833d7d96afcdce3ead65e212572ead4e7a9f34d21040196@%3Ccommits.airflow.apache.org%3E
- https://lists.apache.org/thread.html/rb8462df3b6484e778905c09cd49a8912e1a302659860017ebe36da03@%3Ccommits.airflow.apache.org%3E
What are Similar Vulnerabilities to CVE-2020-7753?
Similar Vulnerabilities: CVE-2020-7662, CVE-2020-26256, CVE-2019-10756, CVE-2019-10771, CVE-2020-8174
