CVE-2021-23425
Regular Expression Denial of Service (ReDoS) vulnerability in trim-off-newlines
What is CVE-2021-23425 About?
This vulnerability in all versions of the 'trim-off-newlines' package allows for a Regular Expression Denial of Service (ReDoS) via malicious string processing. This can lead to a denial of service, making the affected application unresponsive. Exploiting this is relatively straightforward, requiring only a crafted input string.
Affected Software
Technical Details
The 'trim-off-newlines' package is vulnerable to ReDoS. This condition arises when a regular expression with a catastrophic backtracking pattern is used to process certain malicious input strings. When such a string is fed to the vulnerable regular expression, the processing time escalates exponentially with the input length, causing the application to consume excessive CPU resources and become unresponsive, effectively leading to a denial of service.
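The mitigation is to upgrade to a fixed release; for readers who want to see what a backtracking-free version of this functionality looks like, the following is an added example, not code from the trim-off-newlines project. It assumes the package's contract is to strip leading and trailing "\n" and "\r\n" sequences (an assumption, not taken from this page), and replaces the regular expression with a single linear scan so that no input string, however crafted, can make the work grow faster than the input length.

```javascript
// Added example, not the trim-off-newlines project's own code. It assumes
// (hypothetically) that the package strips leading and trailing "\n" and
// "\r\n" sequences, and does so with one left-to-right and one right-to-left
// scan: O(n) work for every input, so there is no backtracking to abuse.
function trimOffNewlines(str) {
  if (typeof str !== 'string') throw new TypeError('expected a string');
  let start = 0;
  let end = str.length;
  // Skip leading line terminators: "\n" or "\r\n". A lone "\r" is not a
  // newline here, so it is left in place.
  while (start < end) {
    if (str[start] === '\n') start += 1;
    else if (str[start] === '\r' && str[start + 1] === '\n') start += 2;
    else break;
  }
  // Strip trailing line terminators the same way, scanning from the end:
  // every trailing "\n" is removed, together with the "\r" that precedes it.
  while (end > start) {
    if (str[end - 1] !== '\n') break;
    end -= 1;
    if (end > start && str[end - 1] === '\r') end -= 1;
  }
  return str.slice(start, end);
}

// Constructed sample input: a long run of newlines in front of one character,
// the shape of input that stresses a pattern anchored at both ends.
const sample = '\n'.repeat(100000) + 'x';
console.log(JSON.stringify(trimOffNewlines(sample))); // "x"
console.log(JSON.stringify(trimOffNewlines('\n\r\nhello\nworld\r\n\n'))); // "hello\nworld"
```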
What is the Impact of CVE-2021-23425?
Successful exploitation may allow attackers to cause a denial of service, making the targeted application or service unavailable to legitimate users.
What is the Exploitability of CVE-2021-23425?
Exploitation of this vulnerability involves supplying a specially crafted input string to the 'trim-off-newlines' package. The complexity level is low, as it typically only requires sending a malicious string. There are no specific authentication or privilege requirements if the application processes user-supplied input through the vulnerable function. This is usually a remote vulnerability, where an attacker can send data over a network. The primary risk factor is any application that directly or indirectly processes untrusted user input using the affected package's string processing functionality.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2021-23425?
Available Upgrade Options
- trim-off-newlines: versions <1.0.3 → Upgrade to 1.0.3
Additional Resources
- https://osv.dev/vulnerability/GHSA-38fc-wpqx-33j7
- https://github.com/stevemao/trim-off-newlines
- https://snyk.io/vuln/SNYK-JS-TRIMOFFNEWLINES-1296850
- https://nvd.nist.gov/vuln/detail/CVE-2021-23425
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1567197
- https://github.com/stevemao/trim-off-newlines/blob/master/index.js#L6
- https://github.com/stevemao/trim-off-newlines/pull/3
What are Similar Vulnerabilities to CVE-2021-23425?
Similar Vulnerabilities: CVE-2021-23341, CVE-2021-23346, CVE-2021-29060, CVE-2020-8260, CVE-2022-21665
