CVE-2021-3777
Inefficient Regular Expression Complexity vulnerability in tmpl (npm)

Inefficient Regular Expression Complexity · No known exploit

What is CVE-2021-3777 About?

This vulnerability is due to Inefficient Regular Expression Complexity (ReDoS) in the 'tmpl' package, which can lead to resource exhaustion. An attacker can supply crafted input that causes the regular expression to consume excessive processing power, resulting in a denial of service. Exploitation is relatively easy for someone who can provide controlled string input to the templating function.

Affected Software

tmpl <1.0.5

Technical Details

The nodejs-tmpl library for string formatting utilizes regular expressions that are vulnerable to Inefficient Regular Expression Complexity, commonly known as ReDoS (Regular expression Denial of Service). This occurs when a specific regular expression, combined with a specially crafted input string, causes the regex engine to engage in catastrophic backtracking. The engine attempts an exponentially increasing number of paths to match the input, consuming an inordinate amount of CPU cycles. Sending such a crafted string to the tmpl function can cause the server or application processing it to hang or become unresponsive, leading to resource exhaustion and a denial of service condition.

What is the Impact of CVE-2021-3777?

Successful exploitation may allow attackers to disrupt service availability by causing applications to become unresponsive or consume excessive system resources, leading to a denial of service.

What is the Exploitability of CVE-2021-3777?

Exploitation of this ReDoS vulnerability involves providing a malicious string input to the tmpl function. The complexity of the attack is low, as it primarily requires crafting a string that triggers the inefficient regular expression. Authentication and privilege requirements depend on whether the attacker can supply input to the tmpl function, which might be exposed via user-controlled data fields or API endpoints. This can be a remote exploit if the input is accepted from an external source. The primary prerequisite is the 'tmpl' library being used to process untrusted or user-supplied strings, representing a significant risk factor.

What are the Known Public Exploits?

No known exploits

What are the Available Fixes for CVE-2021-3777?

Available Upgrade Options

  • tmpl
    • <1.0.5 → Upgrade to 1.0.5

What are Similar Vulnerabilities to CVE-2021-3777?

Similar Vulnerabilities: CVE-2022-21680, CVE-2021-3822, CVE-2021-33623, CVE-2016-10707, CVE-2021-23395