CVE-2021-43307
Denial of Service vulnerability in semver-regex (npm)
What is CVE-2021-43307 About?
This is an exponential Regular Expression Denial of Service (ReDoS) vulnerability in the semver-regex npm package. It allows an attacker to cause a denial of service by providing specially crafted input to the test() method, which can consume excessive CPU resources and render the application unresponsive. Exploitation is relatively easy if an attacker can control the input to the vulnerable function.
Affected Software
- semver-regex
  - <3.1.4
  - >4.0.0, <4.0.3
Technical Details
The vulnerability arises from a regular expression in the semver-regex npm package whose nested quantifiers permit catastrophic backtracking. When attacker-supplied input of a particular shape is evaluated with the test() method, the regular expression engine enters a catastrophic backtracking state and takes an exponential amount of time to finish, leading to a significant and prolonged consumption of CPU resources and effectively causing a denial of service for the application or service that uses the package.
What is the Impact of CVE-2021-43307?
Successful exploitation may allow attackers to cause a denial of service, leading to resource exhaustion, unresponsiveness, and unavailability of the affected application or service.
What is the Exploitability of CVE-2021-43307?
Exploitation of this ReDoS vulnerability is relatively simple but requires the attacker to be able to supply arbitrary input to the affected test() method within the semver-regex package. There are no specific authentication or privilege requirements. It can be exploited remotely if the application processes external user-supplied input through the vulnerable function. The primary risk factor is the application's exposure of the test() method to untrusted data, making it vulnerable without complex attack setups.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2021-43307?
About the Fix from Resolved Security
The patch changes several nested quantifiers in a semantic version regular expression from greedy (e.g., {0,100}) to lazy (e.g., {0,100}?), addressing CVE-2021-43307 by preventing catastrophic backtracking and Regular Expression Denial of Service (ReDoS). This change ensures the regex engine does not spend exponential time on crafted malicious input, thereby mitigating the vulnerability without breaking correct matching for valid inputs.
Available Upgrade Options
- semver-regex
  - <3.1.4 → Upgrade to 3.1.4
  - >4.0.0, <4.0.3 → Upgrade to 4.0.3
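The affected ranges and upgrade targets above, turned into a dependency check as an added example (not code from the semver-regex project or this advisory): it flags every installed copy of semver-regex that falls in a vulnerable range and names the release to move to. The lockfile shape (npm lockfile v2/v3 "packages" map), the sample lockfile and all function names are assumptions.

```javascript
// Added example (not semver-regex project code): flag installed semver-regex
// copies in this page's affected ranges (<3.1.4 and >4.0.0, <4.0.3) by scanning
// an npm lockfile's "packages" map (lockfile v2/v3; an assumed input shape).
// Parse "x.y.z" (optional leading "v") into [x, y, z]; anything else,
// including prerelease tags, returns null and is reported as unknown.
function parseVersion(input) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(String(input).trim());
  return m ? m.slice(1).map(Number) : null;
}

// Comparator on parsed versions: negative, zero or positive.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Affected ranges exactly as written on this page. Returns true (affected),
// false (outside both ranges) or null (version could not be parsed).
function isAffectedSemverRegex(version) {
  const v = parseVersion(version);
  if (v === null) return null;
  const lt = (bound) => compareVersions(v, parseVersion(bound)) < 0;
  const gt = (bound) => compareVersions(v, parseVersion(bound)) > 0;
  return lt('3.1.4') || (gt('4.0.0') && lt('4.0.3'));
}

// Upgrade target from the page's upgrade options, or null if not affected.
function recommendedFix(version) {
  if (!isAffectedSemverRegex(version)) return null;
  return parseVersion(version)[0] < 4 ? '3.1.4' : '4.0.3';
}

// Walk the "packages" map and report every semver-regex install, nested or not.
function scanLockfile(lockfile) {
  const findings = [];
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    if (!/(^|\/)node_modules\/semver-regex$/.test(path)) continue;
    const version = (meta || {}).version;
    findings.push({ path, version, affected: isAffectedSemverRegex(version), fix: recommendedFix(version) });
  }
  return findings;
}

// Constructed sample lockfile: a vulnerable top-level copy and a fixed nested copy.
const SAMPLE_LOCKFILE = { lockfileVersion: 3, packages: {
  'node_modules/semver-regex': { version: '3.1.3' },
  'node_modules/some-tool/node_modules/semver-regex': { version: '4.0.3' },
} };
```

Run `scanLockfile(JSON.parse(fs.readFileSync('package-lock.json')))` against a real lockfile; a `null` in `affected` means the version string needs a manual look.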
Additional Resources
- https://github.com/sindresorhus/semver-regex/commit/d8ba39a528c1027c43ab23f12eec28ca4d40dd0c
- https://github.com/sindresorhus/semver-regex
- https://research.jfrog.com/vulnerabilities/semver-regex-redos-xray-211349/
- https://osv.dev/vulnerability/GHSA-4x5v-gmq8-25ch
- https://nvd.nist.gov/vuln/detail/CVE-2021-43307
What are Similar Vulnerabilities to CVE-2021-43307?
Similar Vulnerabilities: CVE-2022-21222, CVE-2019-10747, CVE-2018-3721, CVE-2020-28283, CVE-2021-23377
