CVE-2021-23346
Regular Expression Denial of Service (ReDoS) vulnerability in html-parse-stringify

Category: Regular Expression Denial of Service (ReDoS) | Known public exploit: none

What is CVE-2021-23346 About?

The 'html-parse-stringify' package before 2.0.1 and all versions of 'html-parse-stringify2' are vulnerable to a Regular Expression Denial of Service (ReDoS). Sending specially crafted input can cause one of the parsing regular expressions to backtrack excessively, leading to a process freeze. Exploitation is simple and requires only a malicious input string.

Affected Software

  • html-parse-stringify
    • <2.0.1
  • html-parse-stringify2
    • <=2.0.1

Technical Details

The 'html-parse-stringify' package (before 2.0.1) and all versions of 'html-parse-stringify2' suffer from a ReDoS vulnerability. The cause is inefficiently constructed regular expressions used for HTML parsing. When presented with input that triggers pathological backtracking in these regexes, the computational cost increases exponentially with the input length. This consumes excessive CPU time and causes the process to hang or freeze indefinitely, thereby denying service.

What is the Impact of CVE-2021-23346?

Successful exploitation may allow attackers to cause a denial of service, rendering the application or service unresponsive and unavailable.

What is the Exploitability of CVE-2021-23346?

Exploiting this ReDoS vulnerability is generally straightforward: the attacker only needs to submit a specially crafted input string to an application that passes it to one of the vulnerable packages. The complexity level is low. There are typically no authentication or privilege requirements if the application processes untrusted user input with these packages. This is most often a remote vulnerability, since the malicious string arrives via web requests or other input channels. The likelihood of exploitation is higher in applications that parse untrusted or externally sourced HTML content.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2021-23346?

Available Upgrade Options

  • html-parse-stringify
    • <2.0.1 → Upgrade to 2.0.1

Struggling with dependency upgrades?

See how Resolved Security's drop-in replacements make it simple.


Additional Resources

What are Similar Vulnerabilities to CVE-2021-23346?

Similar Vulnerabilities: CVE-2021-23425, CVE-2021-23341, CVE-2021-29060, CVE-2020-8260, CVE-2022-21665