Calibre Web and Autocaliweb Catastrophic Backtracking Vulnerability in strip_whitespaces() Function

Vulnerability

A regular expression denial-of-service (ReDoS) vulnerability has been identified in the strip_whitespaces() function of the string_helper.py file, within both Calibre Web version 0.6.24 (Nicolette) and Autocaliweb version 0.7.0. This vulnerability allows unauthenticated remote attackers to cause a denial of service by sending specially crafted usernames that trigger catastrophic backtracking during the login process. The issue is exacerbated by the fact that the username parameter is also used in the application's rate-limiting logic, making it possible to exploit the vulnerability without authentication.

Impact

Exploitation of this vulnerability leads to a significant denial-of-service condition, causing the server to hang for an extended period.

Reproduction

The vulnerability can be reproduced by sending a crafted username payload that exploits the regular expression used in the strip_whitespaces() function. This can be done by logging into the application with the malicious username, which will trigger the backtracking vulnerability and cause the server to become unresponsive. In the case of Autocaliweb, the same payload can be used to achieve the same denial-of-service effect.

Remediation

Users of Autocaliweb can update to version 0.7.1, which patches this vulnerability. For Calibre Web, there is currently no patch available.
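As an added illustration of the two mitigations a defender would apply to a login path like the one described above (this is constructed example code, not code from Calibre Web or Autocaliweb): bound the username length before any regular expression runs, and normalise whitespace with operations that cannot backtrack. The function names, the 256-character limit and the stripped character set are assumptions.

```python
import re

# Length bound applied before any normalisation or regex runs, so the cost
# of processing a crafted username stays bounded (assumed value).
MAX_USERNAME_LEN = 256

# Characters trimmed from both ends: ASCII whitespace, NBSP, zero-width
# space/joiners and the BOM. str.strip() with an explicit set is linear-time
# and cannot backtrack, unlike a pattern that nests one quantifier inside another.
_EDGE_CHARS = " \t\r\n\f\v\u00a0\u200b\u200c\u200d\ufeff"

# Inner runs of whitespace or zero-width characters collapse to one space.
# A single character class under a single quantifier is matched in linear time.
_INNER_RUN = re.compile(r"[\s\u200b\u200c\u200d\ufeff]+")


class UsernameTooLong(ValueError):
    """Raised when the submitted username exceeds MAX_USERNAME_LEN."""


def strip_whitespaces_safe(text: str, max_len: int = MAX_USERNAME_LEN) -> str:
    """Normalise a username without a backtracking-prone regex."""
    if len(text) > max_len:
        raise UsernameTooLong(f"username longer than {max_len} characters")
    return _INNER_RUN.sub(" ", text.strip(_EDGE_CHARS))


def login_identity(raw_username: str):
    """Return (ok, value): the normalised name, or a rejection reason.

    Rejection happens before the name reaches the rate limiter or the
    credential check, so an over-long value never touches either.
    """
    try:
        name = strip_whitespaces_safe(raw_username)
    except UsernameTooLong:
        return False, "username too long"
    if not name:
        return False, "username empty"
    return True, name.lower()


if __name__ == "__main__":
    # Constructed sample inputs, including a padding-heavy and an over-long one.
    for sample in ["  \u200bAlice Smith\t", " " * 200 + "bob", "x" * 300, "  \u200b "]:
        print(login_identity(sample))
```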

Added: Jul 24, 2025, 8:17 PM
Updated: Jul 24, 2025, 8:17 PM

Vulnerability Rating

Custom Algorithm

  spread          2.6
  impact          2.5
  exploitability  7.6
  remediation     7.7
  relevance       0.3
  threat          6.4
  urgency         2.9
  incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.