CVE-2021-33623
regular expression denial-of-service vulnerability in trim-newlines (npm)

Tags: regular expression denial-of-service | No known exploit | Fixable by Resolved Security

What is CVE-2021-33623 About?

This vulnerability is a regular expression denial-of-service (ReDoS) in the `trim-newlines` package, which `@rkesters/gnuplot` uses for Node.js. It occurs specifically in the `.end()` method, where a crafted input causes catastrophic backtracking in the regular expression. The result is resource exhaustion and a denial of service, exploitable by any attacker who can supply input that reaches the vulnerable method.

Affected Software

  • trim-newlines
    • <3.0.1
    • >4.0.0, <4.0.1

Technical Details

The vulnerability lies within the trim-newlines package, particularly its .end() method, which is utilized by @rkesters/gnuplot. The regular expression used internally by the .end() method is susceptible to catastrophic backtracking. When the method processes a specially crafted input string, the regex engine attempts an exponential number of matching permutations, consuming an excessive amount of CPU and memory resources. This prolonged processing effectively halts the application's operation, leading to a denial of service due to resource exhaustion.

What is the Impact of CVE-2021-33623?

Successful exploitation may allow attackers to disrupt service availability by causing applications to become unresponsive or consume excessive system resources, leading to a denial of service.

What is the Exploitability of CVE-2021-33623?

Exploitation involves crafting a specific string input that triggers the ReDoS vulnerability in the .end() method of the trim-newlines package. The complexity of crafting such input is low once the vulnerable regex is identified. Authentication and privilege requirements would depend on how user input is fed into the @rkesters/gnuplot module and subsequently processed by trim-newlines. If user-controlled data directly or indirectly reaches the .end() method, a remote attack is possible. The main risk factor is the processing of untrusted strings through the vulnerable method without adequate safeguards, increasing the likelihood of resource exhaustion.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2021-33623?

A Fix by Resolved Security Exists!
Fix open-source vulnerabilities without upgrading your dependencies.

About the Fix from Resolved Security

This patch replaces the regular-expression-based removal of trailing newlines with an explicit loop that removes only trailing `\r` and `\n` characters from the end of the string. Because no regular expression engine is involved, there is no backtracking to trigger, which fixes CVE-2021-33623 by removing the Regular Expression Denial of Service (ReDoS) condition that could previously be exploited.
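The following is an added example, not code from the trim-newlines project or from the Resolved Security patch. It places a regex-based `end()` (an assumed shape of the pre-fix implementation; the page does not print the original regex) beside a linear-time loop in the style the patch describes, and checks that the two agree on ordinary inputs, which is the verification a practitioner would want before swapping one for the other. The sample strings are constructed for this example.

```javascript
// Added example (not trim-newlines or Resolved Security code): a regex-based
// end() beside a loop-based replacement, plus an agreement check.

// Assumed shape of the pre-fix implementation: a single replace that strips a
// run of \r / \n characters at the end of the string. The exact original regex
// is not shown on the page, so this is an assumption.
function endWithRegex(string) {
  return string.replace(/[\r\n]+$/, '');
}

// Loop-based fix in the style the page describes: walk backwards from the end
// and stop at the first character that is not \r or \n. No regex engine is
// involved, so the cost is proportional to the number of trailing newline
// characters and there is nothing to backtrack over.
function endWithLoop(string) {
  if (typeof string !== 'string') {
    throw new TypeError('Expected a string');
  }
  let end = string.length;
  while (end > 0) {
    const c = string.charCodeAt(end - 1);
    if (c !== 0x0a && c !== 0x0d) { // 0x0a = '\n', 0x0d = '\r'
      break;
    }
    end--;
  }
  return end === string.length ? string : string.slice(0, end);
}

// Constructed sample inputs covering the edge cases a reviewer would check
// when swapping the implementation: empty string, no trailing newline, mixed
// CRLF runs, newlines in the middle (which must be preserved), and a string
// consisting only of newlines.
const SAMPLES = [
  '',
  'plot sin(x)',
  'plot sin(x)\n',
  'plot sin(x)\r\n\r\n',
  '\nset term png\nplot cos(x)\n\n',
  '\n\r\n',
  'trailing space \n',
];

// Returns true when both implementations give identical output for every
// sample, i.e. the loop is a drop-in replacement for the regex.
function implementationsAgree(samples = SAMPLES) {
  return samples.every((s) => endWithRegex(s) === endWithLoop(s));
}

// Stand-alone usage.
console.log('implementations agree:', implementationsAgree());
console.log(JSON.stringify(endWithLoop('plot sin(x)\r\n\r\n')));
```

Note that in JavaScript `$` without the `m` flag matches only at the very end of the input, so the regex version does not stop before a final newline the way Perl or Python would; the loop mirrors that, which is why the two agree on every sample. The same backwards-scan idea applies to a leading-newline `start()` variant by walking forwards from index 0.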

Available Upgrade Options

  • trim-newlines
    • <3.0.1 → Upgrade to 3.0.1
  • trim-newlines
    • >4.0.0, <4.0.1 → Upgrade to 4.0.1


Additional Resources

What are Similar Vulnerabilities to CVE-2021-33623?

Similar Vulnerabilities: CVE-2022-21680, CVE-2021-3822, CVE-2021-3777, CVE-2016-10707, CVE-2021-23395