CVE-2021-23343
Regular Expression Denial of Service (ReDoS) vulnerability in path-parse
What is CVE-2021-23343 About?
This is a Regular Expression Denial of Service (ReDoS) vulnerability in the 'path-parse' npm package, a polyfill of Node's path.parse(). Three of the regular expressions the package uses to split paths (splitDeviceRe, splitTailRe, splitPathRe) have polynomial worst-case time complexity, so an attacker who can get a crafted path string into one of the package's parse functions can tie up the CPU of the process. Exploitation needs nothing more than delivering that string.
Affected Software
- path-parse (npm): all versions before 1.0.7
Technical Details
The 'path-parse' npm package is vulnerable to a Regular Expression Denial of Service (ReDoS) attack. The vulnerability stems from three regular expressions within the package: 'splitPathRe', which the POSIX parser uses, and 'splitDeviceRe' and 'splitTailRe', which the Windows parser uses. These patterns combine lazy quantifiers over overlapping character classes (for example a lazy "anything" group followed by a lazy "anything but a slash" group, followed by an end-of-string anchor), so on a suitably shaped input the engine retries every possible split point between the groups before the match succeeds. The work therefore grows polynomially (quadratically in the simplest case) with the length of the input rather than linearly. Because the blow-up is polynomial rather than exponential, the attacker needs a long input rather than a short, cleverly structured one, but long strings are cheap to send, and a single one is enough to keep the regex engine busy for seconds and starve the rest of the application of CPU time.
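The following is an added example, not code from the path-parse project or from Resolved Security. It places a regex-based POSIX parse built around `splitPathRe` next to a linear-time scanner that never backtracks, and times both on a constructed input of the form `'a'.repeat(n) + '/b'`. The pattern shown is the legacy Node.js POSIX `path` regex that path-parse polyfilled; that it is exactly the pre-1.0.7 pattern is an assumption to confirm against the linked repository. The function names `parsePosixRegex`, `parsePosixSafe`, `parsersAgree`, `pathologicalInput`, `millis` and `growthRatio` are this example's own.

```javascript
// Added example, not code from path-parse or Resolved Security. Assumption:
// splitPathRe below is the legacy Node.js POSIX pattern that path-parse
// < 1.0.7 shipped (check the linked commit before relying on that).
const splitPathRe = /^(\/?|)([\s\S]*?)((?:\.{1,2}|[^\/]+?|)(\.[^.\/]*|))(?:[\/]*)$/;

// Regex-based POSIX parse in the shape of the legacy implementation.
// Every group can match the empty string, so exec() never returns null.
function parsePosixRegex(p) {
  const [root, dirPart, base, ext] = splitPathRe.exec(p).slice(1);
  return {
    root,
    dir: root + dirPart.slice(0, -1), // dirPart carries its trailing slash
    base,
    ext,
    name: base.slice(0, base.length - ext.length),
  };
}

// Linear-time replacement: index arithmetic only, no pattern that can backtrack.
// Mirrors the regex semantics above: trailing slashes are ignored, a leading
// dot is not an extension, and "." / ".." have no extension.
function parsePosixSafe(p) {
  let end = p.length;
  while (end > 1 && p[end - 1] === '/') end--; // keep a lone "/"
  const trimmed = p.slice(0, end);
  const root = p.charAt(0) === '/' ? '/' : '';
  const lastSlash = trimmed.lastIndexOf('/');
  const base = lastSlash === -1 ? trimmed : trimmed.slice(lastSlash + 1);
  const dir = lastSlash === -1 ? '' : lastSlash === 0 ? '/' : trimmed.slice(0, lastSlash);
  const dot = base.lastIndexOf('.');
  const ext = dot <= 0 || base === '..' ? '' : base.slice(dot);
  return { root, dir, base, ext, name: base.slice(0, base.length - ext.length) };
}

// True when both parsers produce the same fields for a path.
function parsersAgree(p) {
  return JSON.stringify(parsePosixRegex(p)) === JSON.stringify(parsePosixSafe(p));
}

// Constructed worst case for splitPathRe. For each of the n split points that
// the lazy group 2 tries, the lazy [^\/]+? in group 3 walks forward to the "/"
// before the trailing "b" makes the anchored $ fail, so total work is ~n^2/2.
function pathologicalInput(n) {
  return 'a'.repeat(n) + '/b';
}

// Wall-clock milliseconds for one call of fn(input).
function millis(fn, input) {
  const t0 = process.hrtime.bigint();
  fn(input);
  return Number(process.hrtime.bigint() - t0) / 1e6;
}

// Time ratio when the run length doubles: about 4 for the regex parser
// (quadratic), about 2 or less for the scanner. Timing is noisy; read it as
// an order-of-magnitude signal, not an exact figure.
function growthRatio(fn, n) {
  return millis(fn, pathologicalInput(2 * n)) / millis(fn, pathologicalInput(n));
}

function demo() {
  const sample = '/home/user/archive.tar.gz';
  console.log('regex  :', parsePosixRegex(sample));
  console.log('scanner:', parsePosixSafe(sample));
  for (const n of [1000, 2000, 4000]) {
    const input = pathologicalInput(n);
    console.log(`n=${n}`, 'regex ms', millis(parsePosixRegex, input).toFixed(1),
      'scanner ms', millis(parsePosixSafe, input).toFixed(2));
  }
  console.log('regex growth ratio (2n vs n):', growthRatio(parsePosixRegex, 2000).toFixed(1));
}

demo();
```

Run it with `node` and compare the two timing columns as n doubles: the regex column grows roughly fourfold per step while the scanner stays flat. The same doubling test, applied to any regex that consumes untrusted input, is the quickest practical check for polynomial backtracking before a fuzzer or a dedicated ReDoS scanner is brought in.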
What is the Impact of CVE-2021-23343?
Successful exploitation lets an attacker cause a denial-of-service condition by consuming excessive CPU time, making the application unresponsive or crashing it. Because regex matching in Node.js is synchronous and runs on the event loop thread, a single pathological string stalls every other request the process is handling for as long as the match takes, and repeated requests can keep it stalled indefinitely.
What is the Exploitability of CVE-2021-23343?
Exploitation is straightforward: the attacker supplies a specially crafted string that reaches one of the vulnerable regular expressions. No authentication or privilege is needed; the only precondition is that the application passes untrusted input to a function that uses path-parse, which makes this a remote vulnerability wherever user-supplied path strings (file names, upload paths, module specifiers) are parsed. Because the blow-up is polynomial rather than exponential, the malicious string has to be long, but long strings cost the attacker nothing. Note that path-parse is often present only as a transitive dependency, so an application can be exposed without importing it directly; the risk is highest where input that looks like a file path is processed without a length limit or other strict validation.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known public exploits | | |
What are the Available Fixes for CVE-2021-23343?
About the Fix from Resolved Security
The patch rewrites the regular expressions used to parse file paths so that no input can trigger catastrophic backtracking, the behaviour exploited in the Regular Expression Denial of Service (ReDoS) attack tracked as CVE-2021-23343. By restructuring the regex patterns and simplifying the path-parsing logic, it removes the excessive backtracking on long or unusual input that caused the vulnerability. After upgrading, confirm that every resolved copy of path-parse in the lockfile is 1.0.7 or later, since nested copies pulled in by other dependencies can remain on an affected version.
Available Upgrade Options
- path-parse: affected versions <1.0.7 → upgrade to 1.0.7 or later
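Because path-parse usually arrives as a transitive dependency, the practical check after reading the upgrade advice is whether any copy below 1.0.7 is still pinned in the lockfile. The shell script below is an added example, not tooling from the path-parse project or from Resolved Security. It writes a constructed package-lock.json fragment to a temporary file, extracts the version of every `path-parse` entry with awk, and compares each against 1.0.7 with a small numeric version comparison. The function names and the sample lockfile are this example's own; it needs only `sh`, `awk` and `mktemp`.

```shell
#!/bin/sh
# Added example (not from the path-parse project or Resolved Security):
# find path-parse entries below the fixed version 1.0.7 in a package-lock.json.

# version_lt A B: exit 0 when dotted version A sorts before B. Compares the
# first three components numerically; a pre-release suffix such as "-beta"
# is ignored, which is good enough for a fixed-version check.
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    split(a, x, "."); split(b, y, ".")
    for (i = 1; i <= 3; i++) {
      if ((x[i] + 0) < (y[i] + 0)) exit 0
      if ((x[i] + 0) > (y[i] + 0)) exit 1
    }
    exit 1
  }'
}

# path_parse_versions LOCKFILE: print the version of every path-parse entry,
# one per line. Matches both v1-style "path-parse": { ... } keys and the
# v2/v3 "node_modules/.../path-parse": { ... } keys, including nested copies.
path_parse_versions() {
  awk '
    /"(node_modules\/)?([^"]*\/)?path-parse": *\{/ { inside = 1; next }
    inside && /"version": *"/ { gsub(/[",]/, "", $2); print $2; inside = 0 }
  ' "$1"
}

# count_vulnerable_path_parse LOCKFILE: report each entry on stderr and print
# how many fall below 1.0.7, the affected range from the advisory.
count_vulnerable_path_parse() {
  n=0
  for v in $(path_parse_versions "$1"); do
    if version_lt "$v" 1.0.7; then
      echo "VULNERABLE path-parse@$v (< 1.0.7)" >&2
      n=$((n + 1))
    else
      echo "ok         path-parse@$v" >&2
    fi
  done
  echo "$n"
}

# write_sample_lockfile: constructed lockfile (v2 layout) for the demo, with
# one direct copy still on 1.0.6 and one nested copy already on 1.0.7.
write_sample_lockfile() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
{
  "name": "sample-app",
  "lockfileVersion": 2,
  "packages": {
    "node_modules/path-parse": {
      "version": "1.0.6",
      "resolved": "https://registry.npmjs.org/path-parse/-/path-parse-1.0.6.tgz"
    },
    "node_modules/resolve": {
      "version": "1.20.0",
      "dependencies": {
        "path-parse": "^1.0.6"
      }
    },
    "node_modules/some-tool/node_modules/path-parse": {
      "version": "1.0.7"
    }
  }
}
EOF
  echo "$f"
}

lock=$(write_sample_lockfile)
count_vulnerable_path_parse "$lock"
rm -f "$lock"
```

Against a real project, call `count_vulnerable_path_parse ./package-lock.json`; a non-zero count means at least one resolved copy is still in the affected range even if the top-level dependency has been bumped. `npm ls path-parse` gives the same picture with the dependency chain attached, which tells you which parent has to be upgraded or overridden to pull in 1.0.7.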
Additional Resources
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1279028
- https://github.com/jbgutierrez/path-parse
- https://lists.apache.org/thread.html/r6a32cb3eda3b19096ad48ef1e7aa8f26e005f2f63765abb69ce08b85%40%3Cdev.myfaces.apache.org%3E
- https://github.com/jbgutierrez/path-parse/issues/8
- https://nvd.nist.gov/vuln/detail/CVE-2021-23343
- https://snyk.io/vuln/SNYK-JS-PATHPARSE-1077067
- https://github.com/jbgutierrez/path-parse/commit/eca63a7b9a473bf6978a2f5b7b3343662d1506f7
- https://github.com/jbgutierrez/path-parse/pull/10
What are Similar Vulnerabilities to CVE-2021-23343?
Similar Vulnerabilities: CVE-2021-23363, CVE-2020-28269, CVE-2020-7610, CVE-2019-10744, CVE-2019-11358
