CVE-2021-3749
Inefficient Regular Expression Complexity vulnerability in axios (npm)

Tags: Inefficient Regular Expression Complexity · No known exploit · Fixable by Resolved Security

What is CVE-2021-3749 About?

This vulnerability is classified as Inefficient Regular Expression Complexity (ReDoS) in the axios library before version 0.21.2. It can lead to a denial of service by causing the application to consume excessive resources when processing a specially crafted input string. Exploiting this is moderately easy, requiring only a malicious input to a vulnerable endpoint.

Affected Software

axios <0.21.2

Technical Details

The vulnerability in axios before v0.21.2 stems from the use of an inefficient regular expression. When processing certain malicious input strings, this regular expression can trigger 'catastrophic backtracking'. This means that the time taken by the regular expression engine to evaluate the input grows exponentially with the length of the input, instead of linearly. As a result, processing a seemingly small crafted input can consume significant CPU resources, leading to a denial of service (DoS) for the affected service or application by locking up the process or thread attempting to evaluate the regular expression.

What is the Impact of CVE-2021-3749?

Successful exploitation may allow attackers to cause a denial of service by consuming excessive CPU resources, leading to unresponsiveness or crashes of the application, thereby disrupting service availability.

What is the Exploitability of CVE-2021-3749?

Exploitation requires sending a specially crafted input string that triggers catastrophic backtracking in the vulnerable regular expression. The complexity is low to moderate, as it primarily involves generating a specific malicious string. No authentication is typically required if the input is processed by a public-facing endpoint. Privilege requirements are minimal, as the attack targets the application's processing capabilities. It is typically a remote access vulnerability. Special conditions include the application accepting user-controlled input that is subsequently processed by the vulnerable regex. Risk factors that increase exploitation likelihood include applications that expose API endpoints accepting arbitrary string input without sufficient validation or length limits, making them susceptible to ReDoS attacks.

What are the Known Public Exploits?

PoC  Author      Link  Commentary
     T-Guerrero  Link  Axios Redos (CVE-2021-3749) proof of concept

What are the Available Fixes for CVE-2021-3749?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

This patch changes the whitespace-trimming function to use the built-in String.prototype.trim() method when available, falling back to a safer regular expression if not. This fixes CVE-2021-3749 by addressing an issue in the original regex that could be exploited in V8 by special RegExp input, potentially leading to denial of service; the new implementation avoids the problematic regex usage.
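As an added illustration of the fix strategy this patch describes (example code written for this page, not axios's own source), the helper below prefers String.prototype.trim() and, where that method is unavailable, falls back to a two-index scan instead of a regular expression, so a user-controlled string is never matched by a pattern that can backtrack. It also applies the kind of input length limit named under exploitability above. The names trimHeaderValue, safeTrim and manualTrim and the MAX_LEN value are assumptions chosen for the example.

```javascript
// Added example, not axios code: whitespace trimming that never hands
// user-controlled input to a backtracking regular expression.
// Assumption: the application calls trimHeaderValue() on header/config
// strings before use; MAX_LEN is a constructed policy value.

const MAX_LEN = 8192; // constructed limit; choose one that fits your headers

// Fallback for engines without String.prototype.trim: one forward scan and
// one backward scan, so the cost is linear in the input length. Each
// /\s/.test() call inspects a single character and cannot backtrack.
function manualTrim(str) {
  let start = 0;
  let end = str.length;
  while (start < end && /\s/.test(str[start])) start++;
  while (end > start && /\s/.test(str[end - 1])) end--;
  return str.slice(start, end);
}

// Mirrors the patched approach: built-in trim() when available, otherwise
// the linear-time fallback above (the original fallback regex is not used).
function safeTrim(str) {
  if (typeof str !== 'string') return str;
  return typeof str.trim === 'function' ? str.trim() : manualTrim(str);
}

// Defensive wrapper: reject oversized values before any string processing,
// which bounds the work any later regex or parser can do on the value.
function trimHeaderValue(value) {
  if (typeof value !== 'string') {
    throw new TypeError('header value must be a string');
  }
  if (value.length > MAX_LEN) {
    throw new RangeError(`header value exceeds ${MAX_LEN} characters`);
  }
  return safeTrim(value);
}

// Usage
console.log(JSON.stringify(trimHeaderValue('  application/json \t')));
```

The length check belongs at the trust boundary (request parsing, config loading) rather than inside the trim helper alone, so that every downstream consumer of the value benefits from the bound, not just this one function.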

Available Upgrade Options

  • axios
    • <0.21.2 → Upgrade to 0.21.2

Additional Resources

What are Similar Vulnerabilities to CVE-2021-3749?

Similar Vulnerabilities: CVE-2022-21681, CVE-2021-42340, CVE-2021-27515, CVE-2020-28198, CVE-2020-8260