lunary-ai/lunary
cpe:2.3:a:lunary:lunary:*:*:*:*:*:*:*
- be54057
A Regular Expression Denial-of-Service (ReDoS) vulnerability has been identified in the Lunary AI repository, specifically in the 'compileTextTemplate' function of the backend package. This vulnerability affects version 'git be54057'. The issue arises from the regular expression '/{{(.*?)}}/g': for every '{{' that has no '}}' later on the same line, the lazy '.*?' is extended one character at a time up to the end of the line before the attempt fails, and the engine then retries from the next position. The pattern has no nested quantifiers, so the blow-up is polynomial (quadratic in the number of braces) rather than exponential, but that is enough: an attacker can craft input with a high density of braces so that the regex runs for an unbounded time, causing the server to hang and become unresponsive to requests. This behavior has been confirmed through testing, where the server's response time grew rapidly with the number of braces, eventually leading to a complete hang.
Because the regex runs synchronously on the JavaScript event loop, exploitation stalls the whole backend process: it hangs indefinitely and stops responding to any request, not only the one carrying the malicious prompt.
The vulnerability can be reproduced by creating a dataset through the application's API and then uploading a prompt that contains an excessive number of braces. Once the prompt is processed as a text template, the server hangs and fails to respond to any further requests.
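The following TypeScript is an added illustration of the mechanism and the reproduction steps above; it is not lunary's own code and not the fix shipped in 1.4.23. It reconstructs a template compiler around the quoted regex and places a linear-time rewrite beside it. Assumptions made for the example: placeholder names are trimmed, placeholders with no matching variable are left in the output unchanged, and variables arrive as a plain object (so lookups must not fall through to the prototype chain).

```typescript
// Added example, not lunary's own code and not the upstream fix.
// Reconstructs the behaviour the advisory describes: substitute {{name}}
// placeholders from a variables map. Trimming, unknown-placeholder handling
// and the own-property lookup are assumptions made for illustration.

type Vars = Record<string, string>;

function lookup(vars: Vars, rawName: string): string | undefined {
  const name = rawName.trim();
  // Own properties only, so "{{constructor}}" never resolves via the prototype chain.
  return Object.prototype.hasOwnProperty.call(vars, name) ? vars[name] : undefined;
}

// Vulnerable form: the regex from the advisory. For every "{{" with no "}}"
// later on its line, the lazy .*? is extended one character at a time to the
// line end before the attempt fails, then the engine retries from the next
// position. A run of n braces therefore costs about n^2/2 steps.
export function compileVulnerable(template: string, vars: Vars): string {
  return template.replace(/{{(.*?)}}/g, (whole, name: string) => lookup(vars, name) ?? whole);
}

function isLineBreak(code: number): boolean {
  // The characters "." does not match; a placeholder cannot span one of them.
  return code === 0x0a || code === 0x0d || code === 0x2028 || code === 0x2029;
}

// Hardened form: a single forward pass. Every character is inspected a bounded
// number of times, so the cost is O(n) whatever the input looks like, and the
// output is identical to the regex version for the same template.
export function compileLinear(template: string, vars: Vars): string {
  const n = template.length;
  let out = "";
  let pos = 0;
  for (;;) {
    const open = template.indexOf("{{", pos);
    if (open === -1) break;
    // Find the nearest "}}" on the same line, exactly what the lazy .*? would pick.
    let i = open + 2;
    let close = -1;
    for (; i < n; i++) {
      const c = template.charCodeAt(i);
      if (isLineBreak(c)) break;
      if (c === 0x7d && template.charCodeAt(i + 1) === 0x7d) { close = i; break; }
    }
    if (close === -1) {
      // No "}}" before the line ends: no "{{" in this stretch can match, so copy
      // it through and never examine it again. This is the step the regex lacks.
      out += template.slice(pos, i);
      pos = i;
      continue;
    }
    const value = lookup(vars, template.slice(open + 2, close));
    out += template.slice(pos, open) + (value ?? template.slice(open, close + 2));
    pos = close + 2;
  }
  return out + template.slice(pos);
}

// Timing helper for the crafted input from the advisory (a long run of braces).
// Compare measureMs(compileVulnerable, 20000) with measureMs(compileLinear, 20000).
export function measureMs(fn: (t: string, v: Vars) => string, braces: number): number {
  const input = "{".repeat(braces);
  const start = Date.now();
  fn(input, {});
  return Date.now() - start;
}
```

Doubling the brace count roughly quadruples the vulnerable version's time while the linear version stays flat; a prompt of a few hundred thousand braces is enough to tie up the event loop for minutes. Note that a simple character-class rewrite such as '/{{([^{}]*)}}/g' is also linear but changes the semantics (it rejects a lone brace inside a placeholder), whereas the scanner above keeps the original matching behaviour.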
Update to Lunary version 1.4.23 or later, where this vulnerability has been fixed.