CVE-2024-9506
Regular Expression Denial of Service (ReDoS) vulnerability in vue (npm)

Regular Expression Denial of Service (ReDoS) Proof of concept

What is CVE-2024-9506 About?

This vulnerability, a Regular Expression Denial of Service (ReDoS), can be exploited through the `parseHTML` function in the `html-parser.ts` file in Vue applications. Specially crafted input can cause inefficient processing of regular expressions, leading to excessive resource consumption and slowing down the application. Exploiting this vulnerability is straightforward for an attacker who can provide malicious input.

Affected Software

vue >2.0.0-alpha.1, <3.0.0-alpha.0

Technical Details

The ReDoS vulnerability is present in the parseHTML function within the html-parser.ts file. When this function processes a specially crafted HTML string, particularly one with an incorrectly closed <script> tag like </textarea>, it triggers inefficient regular expression processing. The regex engine, encountering a large number of repeating characters (e.g., \u003C.repeat(1000000)`), enters a state of exponential backtracking, leading to excessive CPU and memory consumption. This prolonged processing time results in the application becoming unresponsive, causing a denial of service. The provided PoC demonstrates this by embedding a large, malformed script tag in a Vue component template, significantly delaying the application's mounting process.

What is the Impact of CVE-2024-9506?

Successful exploitation may allow attackers to cause a denial of service, leading to application unresponsiveness, excessive resource consumption, and degradation of user experience.

What is the Exploitability of CVE-2024-9506?

Exploitation involves providing a specially crafted input string (e.g., an HTML template with a malformed script tag) that the parseHTML function will process. The complexity is low, as demonstrated by the provided JavaScript example. No authentication is required, and access to an application interface that processes untrusted HTML templates (e.g., user-supplied content rendered by a Vue application) is sufficient. This can be a remote attack if the application accepts and renders user-controlled HTML. The primary risk factor is applications that do not sanitize or validate user-supplied HTML content before passing it to the vulnerable parseHTML function.

What are the Known Public Exploits?

PoC Author Link Commentary
bio Link Patched Vue 2.7.16 template compiler with fixes for CVE‑2024‑6783 and CVE-2024-9506

What are the Available Fixes for CVE-2024-9506?

Available Upgrade Options

  • vue
    • >2.0.0-alpha.1, <3.0.0-alpha.0 → Upgrade to 3.0.0-alpha.0

Struggling with dependency upgrades?

See how Resolved Security's drop-in replacements make it simple.

Book a demo

Additional Resources

What are Similar Vulnerabilities to CVE-2024-9506?

Similar Vulnerabilities: CVE-2025-2099 , CVE-2023-37270 , CVE-2023-36665 , CVE-2022-25916 , CVE-2021-39141

All Rights reserved 2025
Privacy Policy