CVE-2021-23362
Regular Expression Denial of Service (ReDoS) vulnerability in hosted-git-info (npm)
What is CVE-2021-23362 About?
The `hosted-git-info` npm package before version 3.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). This vulnerability arises from a regular expression with polynomial worst-case time complexity, which can be easily triggered by specially crafted input. Successful exploitation can lead to a denial of service.
Affected Software
- hosted-git-info
  - >3.0.0, <3.0.8
  - <2.8.9
Technical Details
The hosted-git-info npm package, in versions before 3.0.8, contains a Regular Expression Denial of Service (ReDoS) vulnerability. The vulnerable code is the `fromUrl` function in `index.js`, specifically the `shortcutMatch` regular expression. This regular expression exhibits polynomial worst-case time complexity: as the length of the input string grows, the time required to match it grows polynomially rather than linearly. An attacker can craft an input string that causes the regular expression engine to backtrack excessively, consuming significant CPU time and making the application unresponsive, which results in a denial of service.
What is the Impact of CVE-2021-23362?
Successful exploitation may allow attackers to cause a denial of service, rendering the affected application unresponsive and unavailable.
What is the Exploitability of CVE-2021-23362?
Exploitation of this ReDoS vulnerability involves supplying a specially crafted input string to the `fromUrl` function. The complexity is low: the attacker only needs to know how to construct a string that triggers the polynomial-time behaviour. There are no authentication or privilege requirements; any user who can supply input to the affected function can exploit it. This is typically a remote vulnerability, assuming the application parses untrusted URLs. The primary condition is that the application uses hosted-git-info to parse attacker-controlled URLs. Risk factors include applications that process URLs from untrusted external sources without input validation or length restrictions.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2021-23362?
About the Fix from Resolved Security
The patch addresses CVE-2021-23362 by tightening the regular expression used to parse Git URLs and sanitizing the extracted project name to remove a trailing ".git" suffix. This prevents malicious crafted URLs from bypassing URL parsing logic, helping to mitigate the risk of remote code execution or unintended command execution via specially crafted Git URLs.
Available Upgrade Options
- hosted-git-info
  - <2.8.9 → Upgrade to 2.8.9
  - >3.0.0, <3.0.8 → Upgrade to 3.0.8
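As an added example (not part of this advisory or of the hosted-git-info project), the following Node.js script checks a `package-lock.json` for copies of hosted-git-info that fall inside the affected ranges listed above and reports the upgrade target for each. It assumes the lockfile v2 `packages` layout keyed by `node_modules/<name>` paths; the sample lockfile embedded below is constructed for illustration.

```javascript
// Added example, not the advisory's or the project's own code.
// Scans a lockfile object for hosted-git-info versions inside the
// affected ranges stated in the advisory: <2.8.9 and >3.0.0, <3.0.8.

// Parse "MAJOR.MINOR.PATCH" (optional leading "v", prerelease/build ignored).
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Three-way compare of two parsed versions: -1, 0 or 1.
function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Affected ranges copied from the advisory, each mapped to its fixed release.
const AFFECTED = [
  { test: (v) => cmp(v, [2, 8, 9]) < 0, fix: '2.8.9' },
  { test: (v) => cmp(v, [3, 0, 0]) > 0 && cmp(v, [3, 0, 8]) < 0, fix: '3.0.8' },
];

// Returns the version to upgrade to, or null when the version is not affected.
function affectedFix(version) {
  const v = parseSemver(version);
  const hit = AFFECTED.find((r) => r.test(v));
  return hit ? hit.fix : null;
}

// Walks lockfile v2 "packages" (assumed layout) and reports every
// hosted-git-info copy, nested or top-level, that needs an upgrade.
function scanLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path.endsWith('node_modules/hosted-git-info') || !entry.version) continue;
    const fix = affectedFix(entry.version);
    if (fix) findings.push({ path, version: entry.version, upgradeTo: fix });
  }
  return findings;
}

// Constructed sample: a patched top-level copy plus a nested copy on the affected v2 line.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    'node_modules/hosted-git-info': { version: '3.0.8' },
    'node_modules/npm-package-arg/node_modules/hosted-git-info': { version: '2.8.8' },
  },
};

console.log(scanLockfile(SAMPLE_LOCK));
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))`.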
Additional Resources
- https://osv.dev/vulnerability/GHSA-43f8-2h32-f4cj
- https://github.com/npm/hosted-git-info/commit/29adfe5ef789784c861b2cdeb15051ec2ba651a7
- https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
- https://github.com/npm/hosted-git-info/pull/76
- https://snyk.io/vuln/SNYK-JS-HOSTEDGITINFO-1088355
- https://github.com/npm/hosted-git-info/commits/v2
- https://github.com/npm/hosted-git-info/commit/8d4b3697d79bcd89cdb36d1db165e3696c783a01
- https://github.com/npm/hosted-git-info/commit/bede0dc38e1785e732bf0a48ba6f81a4a908eba3
What are Similar Vulnerabilities to CVE-2021-23362?
Similar Vulnerabilities: CVE-2021-33587, CVE-2023-38545, CVE-2023-45803, CVE-2023-34062, CVE-2022-24756
