CVE-2021-33502
ReDoS vulnerability in normalize-url (npm)

Tags: ReDoS · No known exploit · Fixable by Resolved Security

What is CVE-2021-33502 About?

This ReDoS (regular expression denial of service) vulnerability in the 'normalize-url' package affects Node.js applications that normalize untrusted URLs: a crafted 'data:' URL causes the package's URL-parsing regular expression to backtrack for a very long time, and the resulting exponential performance degradation stalls the process that handles it. Exploitation is straightforward; an attacker only needs to get a maliciously crafted 'data:' URL into the application's input.

Affected Software

  • normalize-url
    • >=4.3.0, <4.5.1
    • >=5.0.0, <5.3.1
    • >=6.0.0, <6.0.1

Technical Details

The 'normalize-url' package before versions 4.5.1, 5.3.1, and 6.0.1 contains a ReDoS vulnerability in its handling of 'data:' URLs. The regular expression used to split a 'data:' URL into media type, body and fragment can match the same input in many different ways, so when a crafted URL fails to match, the regular expression engine tries each of those ways in turn before giving up. An attacker can construct a 'data:' URL that, when passed to the 'normalize-url' function, makes this backtracking consume excessive CPU for seconds or longer. Because Node.js executes JavaScript on a single thread, the affected process handles nothing else for that time, which renders the application unresponsive and leads to a denial of service.
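The two regular expressions below are an added example that is not code from normalize-url or from the advisory. PERMISSIVE has the shape the advisory describes, where every group may swallow the ',' and '#' delimiters (an assumption about the vulnerable shape, not a quotation of the package's pattern); STRICT uses negated character classes so there is exactly one way to place each delimiter. The MAX_DATA_URL_LENGTH cap and the adversarialDataUrl() input are also assumptions for illustration. The timing loop prints wall-clock numbers so the growth can be observed locally; nothing asserts on timing.

```javascript
// Added example (not from the normalize-url project): a permissive data: URL
// pattern of the shape the advisory describes next to a hardened one, plus the
// input-size guard a caller should apply before any regex runs on untrusted data.

// ASSUMPTION: this pattern only illustrates the vulnerable shape (every group
// may swallow the delimiters ',' and '#'); it is not quoted from the package.
const PERMISSIVE = /^data:(.*?),(.*?)(?:#(.*))?$/;

// Hardened shape: negated character classes make the split points unambiguous,
// so the engine has exactly one way to place the ',' and the first '#'.
const STRICT = /^data:([^,]*?),([^#]*?)(?:#(.*))?$/;

const MAX_DATA_URL_LENGTH = 64 * 1024; // assumed cap; tune for your application

// Split a data: URL into media type, body and fragment using the given
// pattern. Returns null for input that is too long or does not match.
function parseDataUrl(url, pattern = STRICT, maxLength = MAX_DATA_URL_LENGTH) {
  if (typeof url !== 'string' || url.length > maxLength) {
    return null; // refuse before the regex engine ever sees oversized input
  }
  const match = pattern.exec(url);
  if (!match) {
    return null;
  }
  const [, mediaType, body, hash = ''] = match;
  return {mediaType, body, hash};
}

// Constructed hostile input: '.' never matches '\n' and '$' only matches at
// end-of-string, so PERMISSIVE tries every way of splitting the commas before
// it fails, while STRICT has a single split and finishes in linear time.
function adversarialDataUrl(n) {
  return 'data:' + ','.repeat(n) + '\n';
}

// Wall-clock milliseconds for one exec() call on the given input.
function timeMatch(pattern, input) {
  const start = process.hrtime.bigint();
  pattern.exec(input);
  return Number(process.hrtime.bigint() - start) / 1e6;
}

// Usage: both patterns agree on a benign URL; compare them on growing hostile input.
const benign = 'data:text/plain;charset=utf-8,hello%20world#frag';
console.log(parseDataUrl(benign, PERMISSIVE));
console.log(parseDataUrl(benign, STRICT));
for (const n of [1000, 2000, 4000, 8000]) {
  const hostile = adversarialDataUrl(n);
  console.log(n, 'permissive', timeMatch(PERMISSIVE, hostile).toFixed(1), 'ms',
    'strict', timeMatch(STRICT, hostile).toFixed(1), 'ms');
}
```

Doubling n roughly quadruples the PERMISSIVE time on this input, while STRICT stays flat. The length cap matters independently of the pattern: even a linear-time regex is a cheap way to burn CPU if callers accept megabyte-sized URLs.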

What is the Impact of CVE-2021-33502?

Successful exploitation allows an unauthenticated attacker to degrade application performance and cause a denial of service. A single crafted URL can pin the CPU of the Node.js process that parses it, and because that process runs JavaScript on one thread, every other request served by the same process waits until the backtracking finishes. Repeating the request keeps the application unresponsive for as long as the attacker chooses.

What is the Exploitability of CVE-2021-33502?

Exploitation of this ReDoS vulnerability is of low complexity. It requires no authentication or special privileges: an attacker only needs to be able to submit a specially crafted 'data:' URL to an application that passes it to a vulnerable version of 'normalize-url'. The attack is typically remote, since the URL is processed by a server-side application. The prerequisites are that the application accepts and normalizes URLs, that 'data:' URLs are not filtered out beforehand, and that an affected version of the package is installed (directly or as a transitive dependency). The likelihood of exploitation increases when the application normalizes URLs taken from untrusted external input.

What are the Known Public Exploits?

No known public exploits (PoC, author, link and commentary: none recorded).

What are the Available Fixes for CVE-2021-33502?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

The patch updates the regular expression used for parsing data URLs to make matching more efficient and less susceptible to catastrophic backtracking from maliciously crafted input. This change fixes CVE-2021-33502 by preventing denial-of-service attacks where an attacker could supply a specially crafted "data:" URL causing excessive CPU usage and freezing the process.

Available Upgrade Options

  • normalize-url
    • >=4.3.0, <4.5.1 → Upgrade to 4.5.1
    • >=5.0.0, <5.3.1 → Upgrade to 5.3.1
    • >=6.0.0, <6.0.1 → Upgrade to 6.0.1
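Because 'normalize-url' is usually pulled in transitively, a direct `npm ls normalize-url` can miss nested copies. The script below is an added example, not part of this advisory or of the normalize-url project: it walks the "packages" map of a package-lock.json (lockfile version 2 or 3) and reports every installed copy whose version falls inside the ranges above, together with the version that fixes it. SAMPLE_LOCK is a constructed lockfile fragment used so the example runs offline; point findVulnerable() at your own parsed lockfile instead.

```javascript
// Added example (not from the normalize-url project): locate every copy of
// normalize-url in a package-lock.json and match it against the affected ranges.

// Affected ranges as [lower bound inclusive, first fixed version).
const AFFECTED = [
  {min: [4, 3, 0], fixed: [4, 5, 1]},
  {min: [5, 0, 0], fixed: [5, 3, 1]},
  {min: [6, 0, 0], fixed: [6, 0, 1]},
];

// Parse "x.y.z" (ignoring any pre-release or build suffix) into a number triple.
function parseVersion(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(version);
  if (!m) throw new Error(`not a semver release: ${version}`);
  return m.slice(1, 4).map(Number);
}

// Lexicographic compare of two triples: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns the fixed version string for an affected version, or null when the
// version is outside all three ranges.
function fixFor(version) {
  const v = parseVersion(version);
  for (const {min, fixed} of AFFECTED) {
    if (compareVersions(v, min) >= 0 && compareVersions(v, fixed) < 0) {
      return fixed.join('.');
    }
  }
  return null;
}

// Walk a parsed lockfile. Each key in "packages" is the install path, so a
// nested copy pulled in by a transitive dependency is found as well as the
// hoisted one.
function findVulnerable(lock, name = 'normalize-url') {
  const results = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const isThisPackage =
      path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`);
    if (!isThisPackage || !meta.version) continue;
    const fixed = fixFor(meta.version);
    if (fixed) results.push({path, version: meta.version, fixed});
  }
  return results;
}

// Constructed lockfile fragment: the hoisted copy is already fixed, the copy
// nested under some-dep is inside the 4.x affected range.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    '': {name: 'example-app', version: '1.0.0'},
    'node_modules/normalize-url': {version: '6.1.0'},
    'node_modules/some-dep': {version: '2.0.0'},
    'node_modules/some-dep/node_modules/normalize-url': {version: '4.5.0'},
  },
};

console.log(findVulnerable(SAMPLE_LOCK));
// Real project: findVulnerable(JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8')))
```

A nested copy reported here is fixed by upgrading the dependency that pins it, or by adding an `overrides` entry in package.json (npm 8.3 and later) forcing the fixed version for that major line.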

Additional Resources

What are Similar Vulnerabilities to CVE-2021-33502?

Similar Vulnerabilities: CVE-2023-28155, CVE-2023-26116, CVE-2022-45147, CVE-2022-26279, CVE-2022-21163