CVE-2021-3803
DoS (Denial of Service) vulnerability in nth-check


What is CVE-2021-3803 About?

This vulnerability is a Regular Expression Denial of Service (ReDoS) in the 'nth-check' package, exploitable by crafted invalid CSS nth-checks. It leads to excessive processing time and a Denial of Service. Exploitation is relatively straightforward for an attacker who can supply malicious CSS nth-check strings.

Affected Software

nth-check <2.0.1

Technical Details

The 'nth-check' package contains a Regular Expression Denial of Service (ReDoS) vulnerability. The regex used to parse CSS nth-checks, specifically the sub-pattern `\s*(?:([+-]?)\s*(\d+))?`, exhibits catastrophic backtracking due to quantified overlapping adjacency when processing carefully crafted invalid input. As shown in the provided PoC, input strings like `'2n' + ' '.repeat(i*10000) + "!"` cause the processing time to increase exponentially with the length of the input. This extreme processing time consumes excessive CPU resources, making the application unresponsive and leading to a resource exhaustion-based Denial of Service (DoS) when `nthCheck.parse()` is invoked with such malicious input.

What is the Impact of CVE-2021-3803?

Successful exploitation may allow attackers to cause a denial of service by consuming excessive CPU resources, rendering the affected application or system unresponsive.

What is the Exploitability of CVE-2021-3803?

Exploitation of this ReDoS vulnerability is of low complexity. An attacker simply needs to supply a specially crafted invalid CSS nth-check string to any component that uses the `nth-check` package for parsing. No authentication or privileged access is required if the application processes untrusted input in the form of CSS selectors or similar strings using `nth-check`. This attack can typically be performed remotely if the application takes user-supplied input that's subsequently processed by the vulnerable function. The risk factors that increase the likelihood of exploitation include publicly exposed APIs or web forms that accept and process arbitrary strings without robust input validation, especially if those strings could resemble or contain parts of CSS nth-check patterns.

What are the Known Public Exploits?

PoC Author Link Commentary
No known exploits

What are the Available Fixes for CVE-2021-3803?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

This patch replaces an unsafe regular expression used to parse CSS nth-child formulas with a strict state-machine parser, preventing malicious input from triggering regular expression denial of service (ReDoS). It fixes CVE-2021-3803 by removing the potentially expensive regex evaluation and performing explicit parsing and validation, making it resistant to crafted inputs that previously could cause excessive backtracking and slow processing.
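A single-pass parser of the kind described above, as an added example; it is not nth-check's own code or the Resolved Security patch. The name `parseNth`, the `[a, b]` return shape, and the rule that an offset after `n` needs an explicit sign are assumptions of this sketch.

```javascript
// Added example: parse "odd", "even" or "an+b" in one left-to-right pass.
// The index i only ever moves forward, so work is linear in the input length.
function parseNth(formula) {
  const s = formula.trim().toLowerCase();
  if (s === "even") return [2, 0];
  if (s === "odd") return [2, 1];

  let i = 0;
  const skipWs = () => {
    while (i < s.length && (s[i] === " " || s[i] === "\t" || s[i] === "\n")) i++;
  };
  const readSign = () => {
    if (s[i] === "+" || s[i] === "-") return s[i++] === "-" ? -1 : 1;
    return 1;
  };
  const readDigits = () => {
    const start = i;
    while (i < s.length && s[i] >= "0" && s[i] <= "9") i++;
    return i > start ? Number(s.slice(start, i)) : null;
  };
  const fail = () => {
    throw new Error(`invalid nth formula at index ${i}`);
  };

  let a = 0;
  let sign = readSign();
  let num = readDigits();
  if (s[i] === "n") {
    i++;
    a = sign * (num === null ? 1 : num); // "n" means 1n, "-n" means -1n
    skipWs();
    if (i === s.length) return [a, 0];
    // Assumption of this sketch: the offset must carry an explicit sign.
    if (s[i] !== "+" && s[i] !== "-") fail();
    sign = readSign();
    skipWs();
    num = readDigits();
  }
  // Reject a missing number or any unconsumed trailing character.
  if (num === null || i < s.length) fail();
  return [a, sign * num];
}
```

On the input shape quoted in the Technical Details, the whitespace run is skipped once and the trailing `!` is rejected immediately, with no retrying of earlier positions.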

Available Upgrade Options

  • nth-check
    • <2.0.1 → Upgrade to 2.0.1

Additional Resources

What are Similar Vulnerabilities to CVE-2021-3803?

Similar Vulnerabilities: CVE-2022-21670, CVE-2021-45105, CVE-2021-44228, CVE-2023-35805, CVE-2022-23529