CVE-2021-23424
Denial of Service vulnerability in ansi-html
What is CVE-2021-23424 About?
This vulnerability in the `ansi-html` package is a regular expression denial of service (ReDoS). The `ansiHTML` function converts ANSI escape sequences to HTML with a regular expression, and a specially crafted string makes that match backtrack for an extremely long time, so the application stops responding while the conversion runs. Exploitation is easy: the attacker only has to get a crafted string into text that the application passes to `ansi-html`.
Affected Software
All versions of `ansi-html` before 0.0.8.
Technical Details
The vulnerability exists in every version of the `ansi-html` package before 0.0.8. The `ansiHTML` function converts ANSI SGR escape sequences (an `ESC[` prefix, numeric codes, and a terminating `m`) to HTML by running a global regular expression over the input. In the affected versions that pattern accepts zero or more numeric codes inside one sequence through a nested quantifier. When the input contains the escape prefix followed by a long run of digits that is not terminated by `m`, the match can only fail, but the engine first tries every way of splitting the digit run into groups, and the number of such splits grows exponentially with the length of the run. A string of a few dozen characters is therefore enough to keep the process busy for minutes. Nothing crashes and no memory is exhausted; the JavaScript thread is simply blocked inside the regular expression for the duration of the match, which is what prevents further operations and produces the Denial of Service state.
What is the Impact of CVE-2021-23424?
Successful exploitation lets an attacker make the application unresponsive and inaccessible to legitimate users. Because the expensive match runs synchronously on the Node.js event loop, one crafted string stalls the entire process rather than a single request: every concurrent user of that process sees the outage until the match completes or the process is restarted. The result is operational downtime and degraded throughput; there is no data exposure.
What is the Exploitability of CVE-2021-23424?
Exploitation of this Denial of Service vulnerability is low complexity: it requires nothing beyond supplying a crafted input string. The vulnerability itself imposes no authentication or privilege requirement, so an unauthenticated remote attacker can trigger it whenever the application feeds attacker-influenced text to the affected package. The primary risk factor is therefore where that text comes from. `ansi-html` is most often pulled in as a transitive dependency of build and dev-server tooling (for example the client-side error overlay of webpack-dev-server), where the input is compiler output rather than end-user data; the realistic exposure is an application that renders terminal-style output from untrusted sources, such as user-submitted logs or third-party CI output, in a browser or on a server-side page. Check the lockfile rather than only the direct dependencies when assessing whether you are affected.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2021-23424?
About the Fix from Resolved Security
The patch changes the regular expression in the `ansiHTML` function so that it matches exactly one numeric code in an ANSI escape sequence instead of zero or more. The original form repeated a group that was itself repeated (a nested quantifier), which is what allowed a non-terminated run of digits to trigger exponential backtracking; with a single required code there is only one way to match any given prefix, so the same input fails in linear time. This removes the catastrophic backtracking and fixes CVE-2021-23424. It is not an output-escaping change: the patch adds no HTML escaping, so text that must not be rendered as markup still has to be escaped by the caller.
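The regex change described above, reduced to a runnable comparison of the vulnerable and fixed patterns on benign and crafted input. This is an added example, not ansi-html's own code: the two patterns are reconstructed from the fix description (one numeric code instead of zero or more; `\x1b` is the ESC byte that the source writes as `\033`), the code-to-HTML table and the sample strings are constructed for the demonstration, and `renderSgr`, `craftedInput`, `timeRender` and `growthRatio` are names chosen here.

```javascript
// Added example, not ansi-html's code. Models the regex change behind the
// CVE-2021-23424 fix: the ansiHTML pattern went from matching zero or more
// numeric codes to matching exactly one. Assumption: both patterns below are
// reconstructed from that description, not copied from the package.
const VULNERABLE_RE = /\x1b\[(\d+)*m/g; // nested quantifier: (\d+)* backtracks exponentially
const FIXED_RE = /\x1b\[(\d+)m/g;       // one code per sequence: linear

// Small SGR code -> HTML table used only for this demonstration (assumption:
// not the library's own mapping).
const SGR_TO_HTML = {
  '1': '<b>',
  '22': '</b>',
  '31': '<span style="color:#a00">',
  '39': '</span>',
};

// Convert SGR escape sequences to HTML with the supplied pattern. Unknown or
// missing codes are dropped; text that does not match is left untouched.
function renderSgr(text, re) {
  return text.replace(re, (match, code) => SGR_TO_HTML[code] || '');
}

// Constructed adversarial input: ESC '[' followed by n digits and then a byte
// that is not 'm', so the match at offset 0 must fail. Under (\d+)* the engine
// tries every way of splitting the digit run into groups, 2^(n-1) of them,
// before giving up. A well-formed sequence is appended so the string still
// looks like ordinary coloured output to any cheap "contains ANSI?" check.
function craftedInput(n) {
  return '\x1b[' + '1'.repeat(n) + 'x' + '\x1b[1m';
}

// Milliseconds taken to render `text` with `re`.
function timeRender(text, re) {
  const start = process.hrtime.bigint();
  renderSgr(text, re);
  return Number(process.hrtime.bigint() - start) / 1e6;
}

// Quick ReDoS smoke test for a pattern: how much slower does it get when the
// attacker-controlled digit run grows by `step`? Roughly 2^step for the
// vulnerable pattern, roughly 1 for the fixed one.
function growthRatio(re, n, step) {
  timeRender(craftedInput(4), re); // warm-up so JIT compilation is not timed
  const small = timeRender(craftedInput(n), re);
  const large = timeRender(craftedInput(n + step), re);
  return large / Math.max(small, 1e-3);
}

// Constructed benign input: a coloured compiler message.
const BENIGN = '\x1b[31merror\x1b[39m: build failed';

function demo() {
  console.log('benign (vulnerable):', JSON.stringify(renderSgr(BENIGN, VULNERABLE_RE)));
  console.log('benign (fixed):     ', JSON.stringify(renderSgr(BENIGN, FIXED_RE)));
  // Kept small on purpose: each extra digit doubles the vulnerable timing.
  for (const n of [12, 16, 20]) {
    const input = craftedInput(n);
    console.log(`n=${n}: vulnerable ${timeRender(input, VULNERABLE_RE).toFixed(2)} ms, ` +
                `fixed ${timeRender(input, FIXED_RE).toFixed(2)} ms`);
  }
  console.log('growth ratio for +4 digits: vulnerable',
              growthRatio(VULNERABLE_RE, 14, 4).toFixed(1),
              'fixed', growthRatio(FIXED_RE, 14, 4).toFixed(1));
}

demo();
```

Run it with `node` and watch the vulnerable timings double with every extra digit while the fixed pattern stays flat; `growthRatio` is the same observation turned into a number you can use when triaging any suspect regex. One consequence of the described change worth knowing before upgrading: a bare `ESC[m` reset with no code is matched by the zero-or-more form and is no longer matched by the single-code form.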
Available Upgrade Options
- ansi-html
- <0.0.8 → Upgrade to 0.0.8
`ansi-html` is usually a transitive dependency, so confirm what your lockfile actually resolves (`npm ls ansi-html`) rather than checking only your direct dependencies.
Additional Resources
- https://github.com/Tjatse/ansi-html/commit/8142b25bca3133ea060bcc1889277dc482327a63
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1567198
- https://github.com/ioet/time-tracker-ui/security/advisories/GHSA-4fjc-8q3h-8r69
- https://github.com/Tjatse/ansi-html
- https://nvd.nist.gov/vuln/detail/CVE-2021-23424
- https://osv.dev/vulnerability/GHSA-whgm-jr23-g3j9
- https://snyk.io/vuln/SNYK-JS-ANSIHTML-1296849
- https://github.com/Tjatse/ansi-html/issues/19
What are Similar Vulnerabilities to CVE-2021-23424?
Similar Vulnerabilities: CVE-2019-1000007, CVE-2020-28498, CVE-2020-7609, CVE-2020-7760, CVE-2021-23382
