ProtonMail Web Client Regular Expression Denial-of-Service Vulnerability

Vulnerability

A denial-of-service vulnerability has been identified in the ProtonMail Web Client in versions prior to 3.16.60. It arises from a regular expression whose structure permits exponential backtracking, so a crafted input can force the regex engine into a very long evaluation and degrade performance severely. The affected regular expression is used during Autocrypt public key extraction, where it mishandles certain input patterns and therefore allows crafted strings to disrupt normal operation.

Impact

Exploitation of this vulnerability causes a denial-of-service condition: the regular expression engine spends exponential time on a crafted input, and the application becomes unresponsive or markedly slower while it does so.

Reproduction

The vulnerability can be reproduced by using a specially crafted string that exploits the regular expression used to parse Autocrypt headers. This can be done by sending an email that includes an Autocrypt header with a 'keydata' attribute containing a base64-encoded string. The ProtonMail Web Client will then decode this header, triggering the regular expression denial-of-service vulnerability.

Remediation

Users can update to ProtonMail Web Client version 3.16.60 or later to address this vulnerability.

Added: May 15, 2026, 9:23 AM
Updated: May 15, 2026, 9:23 AM

Vulnerability Rating

Custom Algorithm

Category        Score
spread          0.0
impact          0.6
exploitability  8.7
remediation     0.0
relevance       0.0
threat          6.4
urgency         2.9
incentive       4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.