CVE-2021-3795
ReDoS vulnerability in semver-regex (npm)

Tags: ReDoS · No known exploit · Fixable by Resolved Security

What is CVE-2021-3795 About?

The npm `semver-regex` package is vulnerable to an Inefficient Regular Expression Complexity (ReDoS) attack. This flaw allows an attacker to craft input that causes excessive processing time, leading to a denial of service. Exploitation is straightforward: it requires only that specific malicious input reach the vulnerable regex.

Affected Software

  • semver-regex
    • <3.1.3
    • >4.0.0, <4.0.1

Technical Details

The semver-regex package contains a regular expression that exhibits inefficient complexity, specifically catastrophic backtracking, when processing certain malformed input strings. An attacker can construct a string that, while matching common patterns for semantic versioning, includes specific characters or sequences that force the regex engine into an extremely long evaluation path. This exponential increase in processing time for relatively short, malicious inputs consumes excessive CPU resources, rendering the application unresponsive and causing a denial of service.

What is the Impact of CVE-2021-3795?

Successful exploitation may allow attackers to cause a denial of service, leading to system unresponsiveness, resource exhaustion, and service unavailability.

What is the Exploitability of CVE-2021-3795?

Exploitation involves crafting a specific string input that triggers the inefficient regex, so attack complexity is low to moderate. No authentication or specific privileges are required, as the attack targets the regex engine itself. It is a remote vulnerability, typically occurring when the application processes untrusted user input that is then validated or parsed by the semver-regex library. The main precondition is that the application uses a vulnerable version of the semver-regex package. Risk increases if the application publicly exposes any input that is processed by semver-regex.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits (table is empty)

What are the Available Fixes for CVE-2021-3795?

A Fix by Resolved Security Exists!
See how we help you strengthen security with automated backported fixes for your libraries.

About the Fix from Resolved Security

The patch modifies the regular expression to include upper bounds on input length and repetition counts, preventing excessive backtracking. This mitigates the Regular Expression Denial of Service (ReDoS) vulnerability described in CVE-2021-3795, ensuring that maliciously crafted input cannot cause catastrophic performance issues or freeze the application.
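To make the mitigation in the fix description concrete (an input-length cap plus bounded repetition counts so that no input can drive the matcher into catastrophic backtracking), here is an added example in JavaScript. It is not the semver-regex package's code or Resolved Security's patch; the pattern, the 256-character cap, the 64-character identifier limit and the cap of 16 dot-separated identifiers are illustrative assumptions chosen for this demonstration.

```javascript
// Added example: a semver matcher built with the two mitigations named in the
// fix description, a hard input-length cap and bounded repetition counts.
// The regex below is a constructed one for illustration, not semver-regex's own.

// Assumption: no legitimate version string needs more than 256 characters,
// and no single identifier needs more than 64; anything larger is rejected
// before the regex engine ever sees it.
const MAX_INPUT_LENGTH = 256;

const SEG = '(?:0|[1-9]\\d{0,15})';      // numeric segment with bounded width
const IDENT = '[0-9A-Za-z-]{1,64}';       // one pre-release or build identifier

// Every quantifier is bounded and identifiers are separated by a literal dot
// that the identifier class cannot consume, so the engine has no ambiguous
// split to explore on failure.
const SEMVER_BOUNDED = new RegExp(
  '^v?' + SEG + '\\.' + SEG + '\\.' + SEG +
  '(?:-' + IDENT + '(?:\\.' + IDENT + '){0,15})?' +  // at most 16 pre-release ids
  '(?:\\+' + IDENT + '(?:\\.' + IDENT + '){0,15})?$' // at most 16 build ids
);

// Returns true only for a well-formed version that fits the length budget.
function isSemver(input) {
  if (typeof input !== 'string' || input.length > MAX_INPUT_LENGTH) return false;
  return SEMVER_BOUNDED.test(input);
}

// Wall-clock cost of one match in milliseconds; useful for checking that a
// matcher stays flat on long, malformed inputs.
function matchTimeMs(input) {
  const t0 = process.hrtime.bigint();
  isSemver(input);
  return Number(process.hrtime.bigint() - t0) / 1e6;
}

// Constructed sample inputs for a quick demonstration run.
const samples = [
  '1.2.3',
  'v1.2.3-beta.1+build.7',
  '01.2.3',                      // leading zero: rejected
  '1.2',                         // missing patch: rejected
  '1.2.3-' + 'a'.repeat(100),    // identifier over the 64-char bound: rejected
  '1.2.3-' + 'a'.repeat(300),    // over the length cap: rejected before the regex
];
for (const s of samples) {
  console.log(JSON.stringify(s.slice(0, 40)), isSemver(s), matchTimeMs(s).toFixed(3) + ' ms');
}
```

The length check runs before the regex, so even an input that would exercise the worst path of the pattern is bounded twice: once by the character budget and again by the finite repetition counts. When reviewing your own patterns, time them on long inputs that fail to match near the end of the string, since that is where unbounded quantifiers backtrack hardest.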

Available Upgrade Options

  • semver-regex
    • <3.1.3 → Upgrade to 3.1.3
    • >4.0.0, <4.0.1 → Upgrade to 4.0.1
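As an added helper for deciding whether an upgrade is needed, the following JavaScript reads the resolved semver-regex version from a parsed package-lock.json and checks it against the affected ranges exactly as this page prints them. It is not tooling from the advisory or from the package; the range bounds are copied literally from the list above, and the lockfile fragment at the bottom is constructed for the demonstration.

```javascript
// Added example: report whether an installed semver-regex version falls in
// the affected ranges listed on this page and which release to upgrade to.

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`not a semantic version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// -1, 0 or 1 by major.minor.patch; pre-release tags are ignored here.
function compareVersions(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
}

// Ranges copied from the "Affected Software" list above, with both bounds
// exclusive as printed there; "fix" is the upgrade target given for each range.
const AFFECTED_RANGES = [
  { above: null,    below: '3.1.3', fix: '3.1.3' },
  { above: '4.0.0', below: '4.0.1', fix: '4.0.1' },
];

function assessSemverRegex(installed) {
  for (const r of AFFECTED_RANGES) {
    const aboveLower = r.above === null || compareVersions(installed, r.above) > 0;
    const belowUpper = compareVersions(installed, r.below) < 0;
    if (aboveLower && belowUpper) {
      return { version: installed, affected: true, upgradeTo: r.fix };
    }
  }
  return { version: installed, affected: false, upgradeTo: null };
}

// Pulls the resolved semver-regex version out of a parsed package-lock.json,
// handling both the lockfileVersion 1 ("dependencies") and 2/3 ("packages") layouts.
function installedSemverRegex(lock) {
  const fromPackages = lock.packages && lock.packages['node_modules/semver-regex'];
  if (fromPackages) return fromPackages.version;
  const fromDeps = lock.dependencies && lock.dependencies['semver-regex'];
  return fromDeps ? fromDeps.version : null;
}

// Constructed lockfile fragment for the demo (not from any real project).
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: { 'node_modules/semver-regex': { version: '3.1.2' } },
};

const found = installedSemverRegex(SAMPLE_LOCK);
console.log(found === null ? 'semver-regex not installed' : assessSemverRegex(found));
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))`. Note that a lockfile can contain several copies of a package nested under different `node_modules` paths; this helper only inspects the top-level entry, so extend the lookup if your tree has nested duplicates.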


Additional Resources

What are Similar Vulnerabilities to CVE-2021-3795?

Similar Vulnerabilities: CVE-2016-10702, CVE-2017-1000049, CVE-2019-10744, CVE-2020-8260, CVE-2021-23336