Vue.js Vue-CLI Regular Expression Denial-of-Service Vulnerability

Vulnerability

A denial-of-service vulnerability has been identified in Vue.js Vue-CLI versions up to and including 5.0.8. The issue lies in the HtmlPwaPlugin component, specifically in its Markdown code handler. It is caused by inefficient regular expression processing: maliciously crafted code blocks embedded in parsed Markdown cause the regular expression to consume excessive CPU time, which can freeze the application or disrupt the service. The vulnerability can be triggered remotely.

Impact

Exploiting this vulnerability causes a regular expression denial of service (ReDoS): the application experiences high CPU usage, which can lead to a freeze or a denial-of-service condition.

Reproduction

The vulnerability can be reproduced by using Vue-CLI to create a project that includes the PWA plugin, then creating a Markdown file containing specially crafted code blocks that target the regular expression handling in the HtmlPwaPlugin. When this Markdown is processed, the application experiences increased CPU usage and may freeze or become unresponsive.

Remediation

Users are advised to update to a Vue-CLI version that addresses this vulnerability. The specific version containing the fix should be checked in the official Vue-CLI repository.

Added: Jun 9, 2025, 9:17 PM
Updated: Jun 9, 2025, 9:17 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 6.6
remediation: 0.0
relevance: 0.2
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.