CVE-2023-25166
Denial of Service vulnerability in formula (npm)

Category: Denial of Service. Exploit status: no known exploit.

What is CVE-2023-25166 About?

This is a Denial of Service vulnerability in formula's parser, where user-provided strings can lead to polynomial execution time. Attackers can craft specific inputs that cause excessive resource consumption, rendering the application unresponsive. Exploitation is straightforward for an attacker who can provide malicious input to the parser.

Affected Software

@sideway/formula <3.0.1

Technical Details

The vulnerability in formula's parser (prior to version 3.0.1) is a Denial of Service caused by polynomial execution time when processing certain user-provided strings. This class of problem typically arises in parsers whose input can trigger catastrophic backtracking in a regular expression, or which parse nested structures without proper limits. An attacker can craft a specific, complex string that, when fed to the parser, makes the parsing algorithm run in time proportional to N^k (where N is the input length and k > 1). This excessive computational load consumes CPU resources, eventually making the application unresponsive and leading to a denial of service.

What is the Impact of CVE-2023-25166?

Successful exploitation may allow attackers to consume excessive CPU resources through specially crafted inputs, leading to a denial of service and making the application unresponsive.

What is the Exploitability of CVE-2023-25166?

Exploitation of this vulnerability involves supplying a specially crafted string to the affected parser in formula. The complexity is low to moderate: it requires knowledge of the parser's behavior to create an input that triggers the polynomial execution time. Authentication requirements depend on whether the formula parsing endpoint is accessible to unauthenticated users; if it is, no authentication is needed. No privileges are required. This is typically a remote vulnerability when the input can be submitted over a network, such as through a web form or API endpoint. There are no special conditions other than the input reaching the parser. The primary risk factor is an application exposing a formula parsing function to untrusted users without input length limits or timeout mechanisms.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2023-25166?

Available Upgrade Options

  • @sideway/formula
    • <3.0.1 → Upgrade to 3.0.1
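Before and after upgrading, it helps to confirm that no copy of the affected package (including nested installs pulled in by other dependencies) is still below 3.0.1. The script below is an added example, not part of this advisory or of the formula project; it walks the "packages" map of a package-lock.json (lockfileVersion 2 or 3) and the lockfile shown is constructed for illustration.

```javascript
// Added example: find every installed copy of @sideway/formula in a
// package-lock.json "packages" map and flag versions below the fixed 3.0.1.
const AFFECTED_PACKAGE = '@sideway/formula';
const FIXED_VERSION = '3.0.1';

// Compare two semver-style strings numerically; returns -1, 0 or 1.
// A pre-release (e.g. 3.0.1-beta.1) sorts below the same release.
function compareVersions(a, b) {
  const [numA, preA] = a.split('-');
  const [numB, preB] = b.split('-');
  const pa = numA.split('.').map(Number);
  const pb = numB.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  if (Boolean(preA) !== Boolean(preB)) return preA ? -1 : 1;
  return 0;
}

// Affected range from the advisory: every version < 3.0.1.
function isAffected(version) {
  return compareVersions(version, FIXED_VERSION) < 0;
}

// Return lockfile paths (top-level and nested) still carrying an affected version.
function findAffected(lockfile) {
  const hits = [];
  const suffix = `node_modules/${AFFECTED_PACKAGE}`;
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    // Nested copies appear as ".../node_modules/@sideway/formula".
    if (path === suffix || path.endsWith(`/${suffix}`)) {
      if (entry.version && isAffected(entry.version)) {
        hits.push({ path, version: entry.version });
      }
    }
  }
  return hits;
}

// Constructed lockfile fragment: one vulnerable top-level copy, one fixed nested copy.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/@sideway/formula': { version: '3.0.0' },
    'node_modules/example-dep': { version: '1.2.3' },
    'node_modules/example-dep/node_modules/@sideway/formula': { version: '3.0.1' },
  },
};

console.log(findAffected(sampleLock)); // one hit: node_modules/@sideway/formula @ 3.0.0
```

Run it against a real lockfile with `JSON.parse(fs.readFileSync('package-lock.json'))`; an empty result means no installed copy falls inside the affected range.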


Additional Resources

What are Similar Vulnerabilities to CVE-2023-25166?

Similar Vulnerabilities: CVE-2020-13692, CVE-2021-23366, CVE-2020-7661, CVE-2020-15250, CVE-2021-23381