CVE-2023-43646
Denial of Service vulnerability in get-func-name (npm)

Tags: Denial of Service, Proof of concept, Fixable By Resolved Security

What is CVE-2023-43646 About?

This vulnerability is a Regular Expression Denial of Service (ReDoS) caused by excessive backtracking in a regular expression used by get-func-name. A specially crafted input makes the regex engine consume large amounts of CPU time, significantly slowing down or halting the service. The vulnerability is relatively easy to exploit.

Affected Software

get-func-name <2.0.1

Technical Details

The vulnerability arises from an inefficient regular expression, /\s*function(?:\s|\s*\/\*[^(?:*/)]+\*\/\s*)*([^\s(/]+)/, used to extract a function's name from its source text. When given an imbalanced-parenthesis input, such as a long string of tab characters followed by '/function/i', the regex engine backtracks excessively. Processing time and CPU load grow catastrophically, effectively causing a Denial of Service. The attack vector is supplying this malicious input to the function that runs the regex.

What is the Impact of CVE-2023-43646?

Successful exploitation may allow attackers to degrade service performance, consume excessive system resources, and potentially render the affected service unavailable to legitimate users.

What is the Exploitability of CVE-2023-43646?

Exploitation requires crafting a specific malicious input string that triggers the excessive backtracking in the regex. The complexity is low, as the payload is a simple string. No authentication or elevated privileges are required, and the attack can be launched remotely by sending the crafted input. The primary risk factor is the public availability of the vulnerable regex and the ease of generating the malicious input.

What are the Known Public Exploits?

PoC:
  • Author: 200101WhoAmI
  • Link: Link
  • Commentary: redos

What are the Available Fixes for CVE-2023-43646?

A Fix by Resolved Security Exists!
See how we help you strengthen security with automated backported fixes for your libraries.

About the Fix from Resolved Security

This patch limits the length of the function source code analyzed when extracting a function name to 512 characters, preventing excessive processing of unusually large function names. By enforcing this limit, the patch fixes CVE-2023-43646: it closes a potential Regular Expression Denial of Service (ReDoS) vector in which an attacker supplies a maliciously long function name to exhaust resources.
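The following is an added example, not get-func-name's own code or Resolved Security's patch. It shows the shape of the mitigation described above: the name-matching regex from the Technical Details section is only run after a source-length guard, so an oversized source never reaches the backtracking-prone pattern. The 512-character limit is the one stated above; the check that the opening parenthesis must be present at all, the function names, and the sample inputs are assumptions made for this example.

```javascript
// Added example, not get-func-name's own code: a function-name extractor with
// the source-length guard described in the fix, applied before the regex runs.

// The name-matching regex discussed in the Technical Details section.
const functionNameMatch = /\s*function(?:\s|\s*\/\*[^(?:*/)]+\*\/\s*)*([^\s(/]+)/;

// Limit from the fix description: only this much of the source is examined.
const MAX_FUNCTION_SOURCE_LENGTH = 512;

// Extracts a function name from its source text, or returns '' when it cannot.
// Guard: a function's name always precedes its parameter list, so if the
// opening parenthesis sits past the limit, or is absent entirely (the absence
// check is an assumption added here), the regex is never run on the string.
function extractNameFromSource(functionSource) {
  if (typeof functionSource !== 'string') {
    return '';
  }
  const parenIndex = functionSource.indexOf('(');
  if (parenIndex === -1 || parenIndex > MAX_FUNCTION_SOURCE_LENGTH) {
    return '';
  }
  const match = functionSource.match(functionNameMatch);
  return match ? match[1] : '';
}

// Wrapper mirroring the package's public shape (hypothetical): prefer the
// engine-provided `name` property and fall back to source parsing only when
// the engine does not supply one.
function getFuncName(aFunc) {
  if (typeof aFunc !== 'function') {
    return null;
  }
  if (typeof aFunc.name === 'string') {
    return aFunc.name;
  }
  return extractNameFromSource(Function.prototype.toString.call(aFunc));
}

// Stand-alone demonstration on constructed inputs.
console.log(extractNameFromSource('function   greet(who) { return who; }'));   // greet
console.log(extractNameFromSource('function /* legacy */ legacyName () {}'));  // legacyName
console.log(extractNameFromSource('function (x) { return x; }'));              // '' (anonymous)
const oversizedSource = 'function ' + 'a'.repeat(600) + '() {}';              // constructed
console.log(extractNameFromSource(oversizedSource) === '');                    // true, regex skipped
console.log(getFuncName(function namedFn() {}));                               // namedFn
```

The guard runs in linear time (a single indexOf), so the cost of rejecting an oversized source is bounded regardless of its content. Modern engines expose `Function.prototype.name`, so the regex path is only taken on engines that lack it; the guard matters precisely there, where the source text is the only information available.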

Available Upgrade Options

  • get-func-name
    • <2.0.1 → Upgrade to 2.0.1

Struggling with dependency upgrades?

See how Resolved Security's drop-in replacements make it simple.


Additional Resources

What are Similar Vulnerabilities to CVE-2023-43646?

Similar Vulnerabilities: CVE-2023-26116, CVE-2023-38035, CVE-2022-3786, CVE-2022-2475, CVE-2021-3918