CVE-2023-26115
Regular Expression Denial of Service (ReDoS) vulnerability in word-wrap (npm)

Type: Regular Expression Denial of Service (ReDoS) | Exploit status: No known exploit | Fixable by Resolved Security

What is CVE-2023-26115 About?

This vulnerability is a Regular Expression Denial of Service (ReDoS) in the `word-wrap` package due to an insecure regular expression. A specially crafted, lengthy input string can cause catastrophic backtracking, leading to resource exhaustion and a denial of service. It is easy to exploit by providing a malicious input to the vulnerable function.

Affected Software

word-wrap <1.2.4

Technical Details

All versions of the `word-wrap` package before 1.2.4 are vulnerable to a Regular Expression Denial of Service (ReDoS) attack. The cause is an insecure regular expression applied to the `result` variable in the package's code. When a specifically crafted and sufficiently long input string is processed by this regular expression, it triggers "catastrophic backtracking": the regex engine expends an inordinate amount of computational resources evaluating matching permutations. This leads to a significant slowdown or complete unresponsiveness of the application, causing a denial of service for legitimate users.
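As an added illustration (not word-wrap's own code; the exact pre-1.2.4 pattern is an assumption), the regex form of a trailing-whitespace trim sits beside a linear-time form that produces the same output, with a timing helper that makes the superlinear growth the page describes visible on constructed input:

```javascript
'use strict';

// Added example, not word-wrap's own code. The regex below is assumed to be
// the trailing-whitespace trim word-wrap used before 1.2.4; treat the exact
// pattern as an assumption. Both functions strip spaces and tabs from the
// end of every line; only their cost differs.

// Regex form. For a run of spaces or tabs that is NOT at the end of a line,
// the engine tries [ \t]* from every position in the run and, each time `$`
// fails, backtracks through every shorter length. Work grows with the
// square of the run length, so one long interior run stalls the call.
function trimRegex(str) {
  return str.replace(/[ \t]*$/gm, '');
}

// Linear form. Each line is walked once from its end. A trailing '\r' is
// kept so CRLF input stays intact (LF and CRLF endings are handled; a lone
// '\r' line break is not).
function trimLinear(str) {
  return str.split('\n').map(function (line) {
    var cr = line.endsWith('\r') ? 1 : 0;
    var end = line.length - cr;
    while (end > 0 && (line[end - 1] === ' ' || line[end - 1] === '\t')) {
      end--;
    }
    return line.slice(0, end) + (cr ? '\r' : '');
  }).join('\n');
}

// Milliseconds to trim a constructed line with `runLength` interior spaces.
// The run sits between two letters, so it is never a trailing run.
function timeTrim(trimFn, runLength) {
  var input = 'a' + ' '.repeat(runLength) + 'b';
  var start = process.hrtime.bigint();
  trimFn(input);
  return Number(process.hrtime.bigint() - start) / 1e6;
}

// Both functions agree on ordinary wrapped text (constructed sample).
var sample = 'lorem ipsum  \n\tdolor \t\nsit amet\r\nend   ';
console.log(trimLinear(sample) === trimRegex(sample)); // true

// Doubling the run roughly quadruples the regex time; the linear form
// barely moves. Modest sizes keep the demo itself quick.
[2000, 4000, 8000].forEach(function (n) {
  console.log(n, 'regex', timeTrim(trimRegex, n).toFixed(1) + 'ms',
              'linear', timeTrim(trimLinear, n).toFixed(1) + 'ms');
});
```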

What is the Impact of CVE-2023-26115?

Successful exploitation may allow attackers to trigger a Denial of Service, causing applications to become unresponsive and affecting service availability.

What is the Exploitability of CVE-2023-26115?

Exploitation involves providing a specially crafted, lengthy input string to the word-wrap function. The complexity is low, as it's primarily about crafting a string that triggers the regex backtracking. No specific authentication or privilege requirements are needed beyond the ability to supply input to the function. This can be exploited remotely if an application processes untrusted user-supplied strings with the vulnerable word-wrap package. The likelihood of exploitation increases with the exposure of functionality that takes arbitrary text as input and feeds it to the word-wrap package.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2023-26115?

A Fix by Resolved Security Exists!
Fix open-source vulnerabilities without upgrading your dependencies.

About the Fix from Resolved Security

None

Available Upgrade Options

  • word-wrap
    • <1.2.4 → Upgrade to 1.2.4

Additional Resources

What are Similar Vulnerabilities to CVE-2023-26115?

Similar Vulnerabilities: CVE-2023-26117, CVE-2022-25916, CVE-2021-23424, CVE-2022-24754, CVE-2021-3918