CVE-2021-3807
Inefficient Regular Expression Complexity vulnerability in ansi-regex

What is CVE-2021-3807 About?
This vulnerability in `ansi-regex` concerns Inefficient Regular Expression Complexity, which can lead to a denial of service (DoS) attack. By crafting specific invalid ANSI escape codes, an attacker can trigger excessive processing by the regular expression engine. Exploitation is relatively easy as it only requires sending a specially crafted input.
Affected Software
- ansi-regex
  - >4.0.0, <4.1.1
  - >3.0.0, <3.0.1
  - >6.0.0, <6.0.1
  - >5.0.0, <5.0.1

Technical Details
The `ansi-regex` library is vulnerable to a Regular Expression Denial of Service (ReDoS) attack. This occurs because certain sub-patterns within the regex, specifically `[[\]()#;?]*` and `(?:;[-a-zA-Z\d\/#&.:=?%@~_]*)*`, exhibit super-linear (e.g., exponential or polynomial) time complexity when processing malformed input. An attacker can craft a string, such as `"\u001B["+ ";".repeat(i*10000)`, containing an excessive number of back-to-back delimiters or repetitions that cause the regex engine to backtrack an inordinate number of times. This large amount of backtracking consumes significant CPU resources, leading to a denial of service where the application becomes unresponsive or crashes while attempting to validate the input against the regex.
What is the Impact of CVE-2021-3807?
Successful exploitation may allow attackers to cause a denial of service by consuming excessive CPU resources, making the application unresponsive or crashing it.
What is the Exploitability of CVE-2021-3807?
Exploiting this Inefficient Regular Expression Complexity (ReDoS) vulnerability is generally low complexity. The attacker primarily needs to be able to submit crafted input strings to an application that uses the vulnerable `ansi-regex` library for validation or parsing of ANSI escape codes. There are typically no authentication or specific privilege requirements, as the attack often targets public-facing input fields or protocols. This is a remote vulnerability. The main prerequisite is that the application must process attacker-controlled data using the susceptible regular expression. Risk factors include web applications processing user-supplied text with ANSI escape sequences, chat applications, or any environment where terminal output might be sanitized.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2021-3807?
About the Fix from Resolved Security
This patch tightens the regular expression to prevent catastrophic backtracking when parsing ANSI escape codes, which could otherwise enable ReDoS (Regular Expression Denial of Service) attacks. By more strictly specifying valid escape sequence patterns, it mitigates the risk described in CVE-2021-3807, where crafted malicious input could make the application hang or become unresponsive.
Available Upgrade Options
- ansi-regex
  - >3.0.0, <3.0.1 → Upgrade to 3.0.1
  - >4.0.0, <4.1.1 → Upgrade to 4.1.1
  - >5.0.0, <5.0.1 → Upgrade to 5.0.1
  - >6.0.0, <6.0.1 → Upgrade to 6.0.1
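
To check a project against the ranges and upgrade targets listed above, the following added example (not code from ansi-regex or from the original advisory) scans the `packages` map of an npm `package-lock.json` for installed copies of ansi-regex, including nested ones. The lockfile contents and package names are constructed, and the lower bounds are treated as inclusive, which is an assumption.

```javascript
// Affected ranges and fixed releases as listed on this page. Lower bounds are
// treated as inclusive here (an assumption; the page writes them with ">").
const AFFECTED = [
  { from: [3, 0, 0], fixed: [3, 0, 1] },
  { from: [4, 0, 0], fixed: [4, 1, 1] },
  { from: [5, 0, 0], fixed: [5, 0, 1] },
  { from: [6, 0, 0], fixed: [6, 0, 1] },
];

// Parse "major.minor.patch"; prerelease/build suffixes are ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1, 4).map(Number) : null;
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Returns the fixed version to upgrade to, or null if outside the listed ranges.
function fixFor(version) {
  const v = parseVersion(version);
  if (!v) return null;
  const hit = AFFECTED.find(r => compare(v, r.from) >= 0 && compare(v, r.fixed) < 0);
  return hit ? hit.fixed.join('.') : null;
}

// Walk the "packages" map of a package-lock.json (lockfileVersion 2 or 3).
function auditLock(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/ansi-regex$/.test(path)) continue; // nested copies too
    const upgradeTo = fixFor(meta.version);
    if (upgradeTo) findings.push({ path, installed: meta.version, upgradeTo });
  }
  return findings;
}

// Constructed sample lockfile; the parent package names are hypothetical.
const sampleLock = {
  packages: {
    'node_modules/ansi-regex': { version: '5.0.1' },
    'node_modules/old-cli/node_modules/ansi-regex': { version: '4.1.0' },
    'node_modules/legacy-log/node_modules/ansi-regex': { version: '2.1.1' },
    'node_modules/fmt/node_modules/ansi-regex': { version: '6.0.0' },
  },
};
console.log(auditLock(sampleLock));
```

In a real project, pass the parsed contents of `package-lock.json` to `auditLock` in place of `sampleLock`.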
 
Additional Resources
- https://github.com/chalk/ansi-regex/commit/419250fa510bf31b4cc672e76537a64f9332e1f1
- https://security.netapp.com/advisory/ntap-20221014-0002
- https://github.com/chalk/ansi-regex/commit/8d1d7cdb586269882c4bdc1b7325d0c58c8f76f9
- https://app.snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908
- https://github.com/chalk/ansi-regex
- https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994
- https://github.com/chalk/ansi-regex/issues/38#issuecomment-925924774
- https://github.com/chalk/ansi-regex/commit/75a657da7af875b2e2724fd6331bf0a4b23d3c9a
- https://github.com/chalk/ansi-regex/issues/38#issuecomment-924086311
- https://www.oracle.com/security-alerts/cpuapr2022.html
What are Similar Vulnerabilities to CVE-2021-3807?
Similar Vulnerabilities: CVE-2020-28282, CVE-2020-7798, CVE-2020-28189, CVE-2021-23343, CVE-2021-23425
