CVE-2022-37620
Regular Expression Denial of Service (ReDoS) vulnerability in html-minifier (npm)
What is CVE-2022-37620 About?
This vulnerability is a Regular Expression Denial of Service (ReDoS) flaw in kangax/html-minifier 4.0.0, caused by an inefficient `reCustomIgnore` regular expression. A specially crafted input makes the regular expression engine backtrack excessively and consume processing time far out of proportion to the input's size, leading to a denial of service. Exploitation requires no special access: any input that is crafted to hit the regex's worst case and is passed to the minifier is sufficient.
Affected Software
- html-minifier (npm) version 4.0.0, the version named in the CVE record and the last release published from kangax/html-minifier
Technical Details
The flaw is in the `reCustomIgnore` regular expression in `src/htmlminifier.js` of kangax/html-minifier 4.0.0 (see the source links under Additional Resources). In that release `reCustomIgnore` is built at runtime from the `ignoreCustomFragments` option, which defaults to patterns for `<% ... %>` and `<? ... ?>` fragments, and is applied with a global `String.prototype.replace` over the whole document before the HTML is tokenized. This regex exhibits catastrophic backtracking on certain malformed or highly repetitive inputs: evaluation time grows super-linearly with input length, so a modest payload can hold the CPU for a long time and leave the application hung or unresponsive. Because `minify()` is synchronous, a single such call in a Node.js service blocks the event loop for every other request in that process. The attack vector is simply supplying crafted HTML that triggers this worst case. Supplying your own `ignoreCustomFragments` changes the compiled expression rather than removing it, so a custom configuration should not be assumed to be safe.
What is the Impact of CVE-2022-37620?
Successful exploitation lets an unauthenticated attacker cause a denial of service: the process evaluating the regex stalls, rendering the affected application or service unresponsive to legitimate users for as long as the evaluation runs (or until the process is killed). Confidentiality and integrity are not affected.
What is the Exploitability of CVE-2022-37620?
Exploitation complexity is low. An attacker needs only an input string that triggers the backtracking behaviour of the `reCustomIgnore` regular expression. No authentication or special privileges are required; any ability to submit input that the application passes to html-minifier is sufficient. The vulnerability is remotely exploitable wherever HTML processing is exposed to external input, for example a service that minifies user-uploaded templates, pasted markup, or fetched third-party pages. Build-time use on a project's own trusted source files is a much smaller concern, since an attacker would already need control of those files. Any application that minifies user-supplied or untrusted HTML with the vulnerable version is at risk.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known public exploits | - | - |
What are the Available Fixes for CVE-2022-37620?
Available Upgrade Options
- No fixed release of kangax/html-minifier is listed. Mitigation is therefore on the consumer's side: do not pass untrusted HTML to the minifier; if you must, cap the input size and run the minifier under a timeout in a separate worker thread or process so a pathological input cannot stall the main event loop. To find the package in a dependency tree, run `npm ls html-minifier` (or `yarn why html-minifier`).
Additional Resources
- https://security.snyk.io/vuln/SNYK-JS-HTMLMINIFIER-3091181
- https://github.com/kangax/html-minifier/blob/51ce10f4daedb1de483ffbcccecc41be1c873da2/src/htmlminifier.js#L1338
- https://github.com/kangax/html-minifier
- https://osv.dev/vulnerability/GHSA-pfq8-rq6v-vf5m
- https://github.com/kangax/html-minifier/blob/51ce10f4daedb1de483ffbcccecc41be1c873da2/src/htmlminifier.js#L294
- https://nvd.nist.gov/vuln/detail/CVE-2022-37620
- https://github.com/kangax/html-minifier/issues/1135
What are Similar Vulnerabilities to CVE-2022-37620?
Similar Vulnerabilities: CVE-2023-38037, CVE-2023-37903, CVE-2023-34460, CVE-2023-32697, CVE-2023-30588
