parse-duration Event Loop Delay and Out-of-Memory Vulnerability

Vulnerability

A denial-of-service vulnerability has been identified in the parse-duration npm package, affecting versions prior to 2.1.3. The issue arises from a regular expression in the duration parsing function, which can lead to significant event loop delays and memory exhaustion. When processing strings of varying lengths and compositions, the library can introduce delays of up to 50 milliseconds per operation. Furthermore, strings approximately 10 megabytes in size, particularly those with Unicode characters, can cause a Node.js application to crash by exceeding the JavaScript heap limit.

Impact

Exploitation of this vulnerability leads to a high availability impact, causing event loop delays and out-of-memory errors that can crash a running Node.js application.

Reproduction

The vulnerability can be reproduced by using the parse-duration library to parse strings that are carefully crafted to exploit the regular expression used for duration parsing. This can be done by generating strings that are several megabytes in size, particularly those that include Unicode characters, which will trigger the out-of-memory condition. Additionally, strings of around 3 to 4 megabytes can be used to create noticeable event loop delays, especially if sent in large volumes.

Remediation

Users can upgrade to parse-duration version 2.1.3 or later, where this vulnerability has been patched.
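Independently of the upgrade, callers can keep oversized untrusted strings from ever reaching a regex-based duration parser. The guard below is an added example, not code from this advisory or from the parse-duration project: it assumes a hypothetical 64-byte ceiling and a 5 ms slow-parse threshold, and uses a stand-in parser so it runs offline (in a real service the injected `parse` would be the library's own function).

```javascript
// Added example: bound the size of an untrusted duration string before it
// reaches a regex-based parser, and flag parses that stall the event loop.
// Limits below are assumptions for the demo, not values from the advisory.
const MAX_DURATION_BYTES = 64; // no legitimate duration needs more than this
const SLOW_PARSE_MS = 5;       // report anything slower than this for monitoring

// Stand-in parser (assumption): matches "<number><unit>"; this is NOT parse-duration.
const UNITS = { ms: 1, s: 1000, m: 60000, h: 3600000, d: 86400000 };
function simpleParse(str) {
  const m = /^\s*(\d+(?:\.\d+)?)\s*(ms|s|m|h|d)\s*$/.exec(str);
  return m ? Number(m[1]) * UNITS[m[2]] : null;
}

// Returns { ok, value, elapsedMs, slow } or { ok: false, reason } when rejected
// before the parser is called.
function guardedParse(input, parse = simpleParse, opts = {}) {
  const maxBytes = opts.maxBytes ?? MAX_DURATION_BYTES;
  const slowMs = opts.slowMs ?? SLOW_PARSE_MS;
  if (typeof input !== 'string') return { ok: false, reason: 'not a string' };
  // Count UTF-8 bytes, not UTF-16 code units: the advisory notes that Unicode
  // content inflates the work the parser does for a given character count.
  const bytes = Buffer.byteLength(input, 'utf8');
  if (bytes > maxBytes) {
    return { ok: false, reason: `input is ${bytes} bytes, limit is ${maxBytes}` };
  }
  const t0 = performance.now();
  const value = parse(input);
  const elapsedMs = performance.now() - t0;
  return { ok: value !== null, value, elapsedMs, slow: elapsedMs > slowMs };
}

// Constructed inputs for a stand-alone run.
console.log(guardedParse('1.5h'));                          // ok, value 5400000
console.log(guardedParse('x'.repeat(3 * 1024 * 1024)));     // rejected before parsing
console.log(guardedParse('\u00e9'.repeat(40)));              // 40 chars but 80 bytes: rejected
```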

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 8.7
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.