CVE-2021-27293
Regular Expression Denial of Service (ReDoS) vulnerability in RestSharp (NuGet)

Type: Regular Expression Denial of Service (ReDoS). Known exploits: none. Fix: available from Resolved Security.

What is CVE-2021-27293 About?

RestSharp versions before 106.11.8-alpha.0.13 are susceptible to a Regular Expression Denial of Service (ReDoS) vulnerability when converting strings to DateTime values during response deserialization. A server, or anyone able to tamper with its response, can return a specially crafted string that triggers catastrophic backtracking in the regular expression used for that conversion, so the client using RestSharp spends excessive CPU time inside the match and becomes unresponsive. Exploitation is simple: the attacker only needs to place the malicious string where the client will parse it as a date.

Affected Software

RestSharp <106.11.8-alpha.0.13

Technical Details

The vulnerability lies in RestSharp's conversion of response strings to DateTime values, in the regular expression that recognises the JavaScript-style "new Date(...)" form. That expression applies a "*" quantifier to a group that itself contains a repetition, so on a long run of digits that is not followed by the expected closing parenthesis the regular expression engine tries every way of splitting the run between the inner and outer repetition before it reports a failed match. The work grows exponentially with the length of the digit run, so a string of a few dozen characters keeps the matching thread busy for seconds or longer and the client application stops responding. The attack vector is such a string embedded in a legitimate, or seemingly legitimate, server response at a position the client deserializes as a DateTime.

What is the Impact of CVE-2021-27293?

Successful exploitation may allow attackers to trigger a denial-of-service condition in client applications, rendering them unresponsive and unavailable.

What is the Exploitability of CVE-2021-27293?

Exploitation consists of returning a specifically crafted string to the vulnerable RestSharp client. The attack is remote: it originates from the server that answers the client's request, or from anyone who can modify that response in transit. No authentication or privileges on the client are needed; what the attacker needs is control over, or the ability to tamper with, a response field that the client will deserialize as a DateTime, since only that path reaches the vulnerable regular expression. The risk is therefore highest for applications that consume responses from untrusted, third-party or potentially compromised servers, or that fetch them over connections without TLS.

What are the Known Public Exploits?

No known public exploits.

What are the Available Fixes for CVE-2021-27293?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

This patch changes the regular expression that matches the "new Date(...)" form so that it accepts only a single signed integer inside the parentheses, removing the "*" quantifier that previously repeated the integer group. With the nested repetition gone, a string that fails to match is rejected after a single pass over its digits instead of after exponentially many retries, so crafted inputs can no longer keep the parser busy. The patch therefore closes CVE-2021-27293 while still parsing properly formatted date strings. The impact of the flaw is limited to denial of service; no code execution is involved.
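The two regular-expression shapes the fix description refers to, side by side, as an added example that is neither RestSharp's own code nor the Resolved Security patch: the vulnerable form with the "*" quantifier over a signed-integer group, the fixed form that accepts a single signed integer, and a match timeout as defence in depth. The exact patterns, the class and method names, and the sample values are assumptions made for illustration.

```csharp
using System;
using System.Diagnostics;
using System.Globalization;
using System.Text.RegularExpressions;

// Added example, not RestSharp's own code. It reconstructs the shape of the
// "new Date(...)" branch of a JSON date parser as the advisory describes it.
// The two patterns, the names and the sample values are assumptions.
static class NewDateRedosDemo
{
    public enum Outcome { Parsed, NoMatch, TimedOut }

    // Vulnerable shape: (-?\d+)* is a quantified group that itself contains a
    // quantifier. On a long digit run with no closing ")" the engine retries
    // every split of the run between the inner "+" and the outer "*":
    // about 2^(n-1) attempts for n digits before it reports failure.
    public const string VulnerablePattern = @"newDate\((-?\d+)*\)";

    // Fixed shape: exactly one optionally signed integer. A failed match now
    // aborts after a single pass over the digits.
    public const string FixedPattern = @"newDate\((-?\d+)\)";

    // Defence in depth independent of the pattern: bound every match so a
    // future regex regression surfaces as an exception, not a hung client.
    static readonly TimeSpan MatchTimeout = TimeSpan.FromMilliseconds(200);

    // Whitespace is stripped before matching (so "new Date" becomes
    // "newDate"), group 1 is the epoch value in milliseconds, and the
    // result is a UTC DateTime.
    public static (Outcome outcome, DateTime? value) ParseNewDate(string input, string pattern)
    {
        var compact = input.Replace(" ", "");
        try
        {
            var m = Regex.Match(compact, pattern, RegexOptions.None, MatchTimeout);
            if (!m.Success) return (Outcome.NoMatch, null);
            var ms = long.Parse(m.Groups[1].Value, CultureInfo.InvariantCulture);
            return (Outcome.Parsed, DateTimeOffset.FromUnixTimeMilliseconds(ms).UtcDateTime);
        }
        catch (RegexMatchTimeoutException)
        {
            // Treat a timed-out match as "not a date" rather than hanging.
            return (Outcome.TimedOut, null);
        }
    }

    static (string name, string pattern)[] Patterns() =>
        new[] { ("vulnerable", VulnerablePattern), ("fixed", FixedPattern) };

    static void Main()
    {
        // Constructed benign response value: both patterns accept it
        // and yield 2021-02-17T00:00:00Z.
        const string benign = "new Date(1613520000000)";
        foreach (var (name, pattern) in Patterns())
        {
            var (outcome, value) = ParseNewDate(benign, pattern);
            Console.WriteLine($"{name,-10} benign: {outcome} {value?.ToString("O")}");
        }

        // Constructed crafted value: a digit run with no closing parenthesis.
        // Each added digit roughly doubles the vulnerable pattern's work until
        // the timeout fires; the fixed pattern rejects it almost instantly.
        foreach (var n in new[] { 20, 24, 28 })
        {
            var crafted = "new Date(" + new string('1', n) + "x";
            foreach (var (name, pattern) in Patterns())
            {
                var sw = Stopwatch.StartNew();
                var (outcome, _) = ParseNewDate(crafted, pattern);
                sw.Stop();
                Console.WriteLine($"{name,-10} n={n}: {outcome} after {sw.ElapsedMilliseconds} ms");
            }
        }
    }
}
```

Running this shows the vulnerable pattern's time doubling with each extra digit and then reporting TimedOut once the 200 ms bound is hit, while the fixed pattern reports NoMatch immediately at every length. The timeout is worth keeping even after upgrading: on .NET 7 or later, RegexOptions.NonBacktracking is a further option that removes the backtracking engine altogether for patterns that do not need backreferences or lookarounds.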

Available Upgrade Options

  • RestSharp
    • <106.11.8-alpha.0.13 → Upgrade to 106.11.8-alpha.0.13


Additional Resources

What are Similar Vulnerabilities to CVE-2021-27293?

Similar Vulnerabilities: CVE-2023-38545, CVE-2023-28628, CVE-2023-20862, CVE-2022-24707, CVE-2021-21345