gorhill uBlock Origin Regular Expression Denial-of-Service Vulnerability

A denial-of-service vulnerability has been identified in gorhill uBlock Origin versions through 1.63.3b16. The issue arises in the UI component, specifically within the 'currentStateChanged' function of 'src/js/1p-filters.js'. The vulnerability is caused by inefficient regular expression handling, which can be exploited remotely, leading to significant performance degradation and UI freezing.

Impact

Exploitation of this vulnerability causes the browser to become unresponsive, with the UI freezing for several seconds or longer, depending on the severity of the attack.

Reproduction

The vulnerability can be reproduced by injecting a payload of approximately 100,000 trailing spaces into the uBlock Origin editor. This can be done through the 'My filters' tab in the uBlock Origin dashboard, using the browser's DevTools Console or as a bookmarklet. The 'currentStateChanged' function can then be called, which will trigger the regular expression processing and cause the UI freeze.

Remediation

Users are advised to upgrade to uBlock Origin version 1.63.3b17, which addresses this vulnerability by replacing the problematic regular expression with a more efficient alternative.