CVE-2020-7760
Denial of Service vulnerability in codemirror
What is CVE-2020-7760 About?
This is a Regular Expression Denial of Service (ReDOS) vulnerability in CodeMirror versions prior to 5.58.2. A specially crafted input string, when processed by a vulnerable regular expression, can cause excessive CPU utilization, leading to a denial of service. Exploiting this vulnerability requires the ability to provide input that is processed by the specific regex pattern.
Affected Software
Technical Details
The vulnerability affects the `codemirror` package (and `org.apache.marmotta.webjars:codemirror`) before version 5.58.2. The core issue lies within a specific regular expression located at line 129 of `mode/javascript/javascript.js` in CodeMirror's source. The sub-pattern `(\s|/\*.*?\*/)*` within this regex exhibits catastrophic backtracking behavior. When an attacker supplies a carefully constructed input string that triggers this backtracking, the regular expression engine consumes an inordinate amount of CPU resources and time to process it, effectively leading to a Denial of Service condition on the application or server running CodeMirror.
What is the Impact of CVE-2020-7760?
Successful exploitation may allow attackers to consume excessive system resources, leading to performance degradation or complete unavailability of the affected service.
What is the Exploitability of CVE-2020-7760?
Exploitation of this ReDOS vulnerability has a moderate complexity. It requires an attacker to be able to submit input that is processed by the vulnerable regular expression. Prerequisites include an application using the affected CodeMirror versions and exposing an interface (e.g., text editor, code input field) where user-supplied content is parsed using the vulnerable regex. Authentication requirements vary; if the input field is public, no authentication is needed. Otherwise, user authentication may be required. Privilege requirements are generally low, as only input submission is needed. This is typically a remote attack, as code editors are often part of web applications. The risk is heightened in environments where users can submit arbitrary or untrusted code/text for syntax highlighting or parsing.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2020-7760?
Available Upgrade Options
- codemirror
  - <5.58.2 → Upgrade to 5.58.2
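An added example, not code from this advisory or from the CodeMirror project: a Node.js check that walks a parsed `package-lock.json` and reports every installed `codemirror` copy below the fixed 5.58.2 release, including copies nested under other dependencies. The sample lockfiles and the `legacy-editor` package name are constructed for illustration; Maven WebJar coordinates are not covered.

```javascript
const FIXED = [5, 58, 2];
// True when `version` sorts before 5.58.2. Unparseable versions and
// prereleases of 5.58.2 itself are flagged so a human reviews them.
function isAffected(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-.*)?$/.exec(String(version));
  if (!m) return true;
  const parts = m.slice(1, 4).map(Number);
  for (let i = 0; i < 3; i++) {
    // Compare numerically: "5.9.0" is older than "5.58.2".
    if (parts[i] !== FIXED[i]) return parts[i] < FIXED[i];
  }
  return Boolean(m[4]);
}

// Walk a parsed package-lock.json and return every affected codemirror copy.
function findAffected(lock) {
  const hits = [];
  const check = (name, path, { version }) => {
    if (name === "codemirror" && isAffected(version)) hits.push({ path, version });
  };
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path.
    for (const [path, meta] of Object.entries(lock.packages)) {
      check(meta.name || path.split("node_modules/").pop(), path, meta);
    }
  } else {
    // lockfileVersion 1: nested "dependencies" tree.
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        const path = prefix + "node_modules/" + name;
        check(name, path, meta);
        walk(meta.dependencies, path + "/");
      }
    };
    walk(lock.dependencies, "");
  }
  return hits;
}

// Constructed sample lockfiles (not from a real project).
const sampleV2 = { lockfileVersion: 2, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/codemirror": { version: "5.58.2" },
  "node_modules/legacy-editor/node_modules/codemirror": { version: "5.57.0" },
} };
const sampleV1 = { lockfileVersion: 1, dependencies: {
  "legacy-editor": { version: "2.0.0", dependencies: { codemirror: { version: "5.9.0" } } },
} };
console.log(findAffected(sampleV2), findAffected(sampleV1));
```

To scan a real project, pass the result of `JSON.parse` on its `package-lock.json` to `findAffected`.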
Additional Resources
- https://github.com/codemirror/CodeMirror/commit/55d0333907117c9231ffdf555ae8824705993bbb
- https://www.debian.org/security/2020/dsa-4789
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBCOMPONENTS-1024446
- https://snyk.io/vuln/SNYK-JAVA-ORGAPACHEMARMOTTAWEBJARS-1024450
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1024447
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.npmjs.com/package/codemirror
What are Similar Vulnerabilities to CVE-2020-7760?
Similar Vulnerabilities: CVE-2021-23422, CVE-2021-23398, CVE-2020-15103, CVE-2020-7756, CVE-2020-7740
