CVE-2022-1929
Denial of Service vulnerability in devcert (npm)
What is CVE-2022-1929 About?
This vulnerability is an exponential Regular Expression Denial of Service (ReDoS) affecting the devcert npm package. An attacker can trigger this by supplying specially crafted input to the `certificateFor` method, consuming excessive CPU resources. This can lead to a denial of service for the application using the package.
Affected Software
Technical Details
The exponential ReDoS vulnerability in the devcert npm package occurs in the `certificateFor` method, which validates the requested domain name with a regular expression. When that regex is confronted with a crafted input string, it exhibits 'catastrophic backtracking'. Catastrophic backtracking happens when a regex engine attempts to match a pattern but, because of ambiguity in quantifiers (e.g., +, *) and alternation within the pattern, explores an extremely large number of candidate paths before it either fails or succeeds. An attacker can craft an input string that exercises these ambiguities, so that the time the regex engine needs grows exponentially with the input length, consuming all available CPU and causing a denial of service for the application.
What is the Impact of CVE-2022-1929?
Successful exploitation may allow attackers to exhaust system resources, leading to a denial of service for the affected application or service.
What is the Exploitability of CVE-2022-1929?
Exploitation requires the attacker to be able to supply arbitrary input to the certificateFor method of the devcert package. The complexity of crafting the malicious input is moderate, requiring knowledge of regular expression vulnerabilities. Authentication requirements are dependent on whether the certificateFor method is exposed to unauthenticated users or through an authenticated process. Privilege requirements are typically low since the attack targets the application's processing rather than system-level access. This can be a remote vulnerability if the input path is accessible over the network. Special conditions include the application using a vulnerable version of the devcert package and exposing the input to the certificateFor method from untrusted sources. The risk factor increases significantly if the application processes user-supplied data in this method without proper sanitization or length limits.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2022-1929?
About the Fix from Resolved Security
This patch removes the custom, vulnerable regular expression for domain validation and replaces it with the well-maintained is-valid-domain library, eliminating the risk of Regular Expression Denial of Service (ReDoS) attacks. This directly fixes CVE-2022-1929 by preventing attackers from using malicious input to hang the application through catastrophic regex backtracking, ensuring domain validation remains efficient and secure.
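To illustrate the shape of the fix described above, here is an added example (not devcert's code and not the is-valid-domain library) of a hostname validator that walks the input once instead of relying on a backtracking regular expression. The length and label rules it enforces are this example's own choices, following RFC 1035 hostname conventions, and may differ from what devcert accepts.

```javascript
// Added example, not devcert's own code: a linear-time domain-name validator.
// Every check scans the input at most once, so the cost grows linearly with
// input length and no crafted string can trigger catastrophic backtracking.

// Constructed limits (RFC 1035 hostname conventions; an assumption of this example).
const MAX_HOSTNAME_LENGTH = 253;
const MAX_LABEL_LENGTH = 63;

function isValidLabel(label) {
  // A label is 1..63 characters of [a-z0-9-] that neither starts nor ends with '-'.
  if (label.length === 0 || label.length > MAX_LABEL_LENGTH) return false;
  if (label.startsWith('-') || label.endsWith('-')) return false;
  for (const ch of label) {
    const isLowerAlnum = (ch >= 'a' && ch <= 'z') || (ch >= '0' && ch <= '9');
    if (!isLowerAlnum && ch !== '-') return false;
  }
  return true;
}

function isAlphabetic(s) {
  // The final label (TLD) must be letters only; checked with a plain loop, not a regex.
  return s.length > 0 && [...s].every((ch) => ch >= 'a' && ch <= 'z');
}

function isValidDomain(input) {
  // Reject non-strings and over-long input before any other work: a length
  // cap alone bounds the worst case of whatever validation follows it.
  if (typeof input !== 'string' || input.length === 0) return false;
  if (input.length > MAX_HOSTNAME_LENGTH) return false;

  const labels = input.toLowerCase().split('.');
  // This example requires at least two labels (e.g. "my-app.test");
  // single-label names such as "localhost" are deliberately out of scope here.
  if (labels.length < 2) return false;
  if (!labels.every(isValidLabel)) return false;
  return isAlphabetic(labels[labels.length - 1]);
}

module.exports = { isValidDomain, isValidLabel, MAX_HOSTNAME_LENGTH, MAX_LABEL_LENGTH };
```

A wrapper around `certificateFor` that runs such a validator (or the is-valid-domain library the fix adopted) on untrusted input before calling into devcert gives the same protection to applications that cannot yet upgrade.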
Available Upgrade Options
- devcert
- <1.2.1 → Upgrade to 1.2.1
Additional Resources
- https://nvd.nist.gov/vuln/detail/CVE-2022-1929
- https://research.jfrog.com/vulnerabilities/devcert-redos-xray-211352
- https://github.com/davewasmer/devcert
- https://github.com/davewasmer/devcert/commit/b0763215f6683271d296fda98f7ef7bcd4a55977
- https://osv.dev/vulnerability/GHSA-fp36-299x-pwmw
What are Similar Vulnerabilities to CVE-2022-1929?
Similar Vulnerabilities: CVE-2022-24999, CVE-2021-3801, CVE-2020-28500, CVE-2020-7661, CVE-2020-7762
