Vercel Hyper Regular Expression Denial-of-Service Vulnerability

Vulnerability

A Regular Expression Denial-of-Service (ReDoS) vulnerability has been identified in Vercel Hyper versions through 3.4.1. The issue resides in the 'expand/braceExpand/ignoreMap' function of 'hyper/bin/rimraf-standalone.js', where certain regular expressions used for parsing glob patterns and comments are prone to catastrophic backtracking. This vulnerability allows for excessive CPU consumption, effectively causing a denial-of-service condition. The vulnerability can be exploited remotely, and a public exploit is available.

Impact

Exploitation of this vulnerability leads to a denial-of-service condition: CPU usage rises sharply and the application may hang or become unresponsive.

Reproduction

The vulnerability can be reproduced by using crafted input strings that exploit the vulnerable regular expressions in 'rimraf-standalone.js'. For example, input strings that include long sequences of commas or braces can trigger the catastrophic backtracking in the regular expression matching, causing increased CPU consumption.

Remediation

Users are advised to update to the latest version of Vercel Hyper, where this vulnerability has been addressed. The specific regular expressions should be replaced with versions that use lookaheads to prevent catastrophic backtracking.
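As an added example, not code from Hyper or from the bundled rimraf/minimatch: a brace-group check of the kind the advisory describes, its lookahead-hardened form, and a small growth test a reviewer can run on any regex that parses glob patterns. Both regexes and the hostile input are constructed for illustration.

```javascript
// Constructed patterns for illustration (not taken from Hyper's bundle).
// The unsafe check lets `.*` run to the end of the line and then back off one
// character at a time for every `{` in the input: O(n) work per `{`, O(n^2) total.
const UNSAFE_BRACE_RE = /\{.*\}/;
// The hardened form refuses to step over another `{` while looking for `}`,
// so the scan started at each `{` stops at the next `{` and total work stays linear.
const SAFE_BRACE_RE = /\{(?:(?!\{).)*\}/;

// Does a glob pattern contain a {...} group on one line? Same answer with
// either regex; only the cost on hostile input differs.
function hasBraceGroup(pattern, re = SAFE_BRACE_RE) {
  return re.test(pattern);
}

// Worst case for the unsafe regex: a long run of openers with no closer,
// the "long sequences of braces" class of input the advisory mentions.
function hostileInput(n) {
  return '{'.repeat(n);
}

// Wall-clock cost of one test() call, in milliseconds.
function timeTest(re, input) {
  const start = process.hrtime.bigint();
  re.test(input);
  return Number(process.hrtime.bigint() - start) / 1e6;
}

// Review heuristic: run a candidate regex on inputs of doubling size and look
// at how the cost scales. Ratios near 2 mean linear, near 4 quadratic, and far
// above that exponential backtracking. Useful as a regression test for any
// regex that parses user-controlled glob patterns.
function growthRatios(re, makeInput, sizes) {
  const times = sizes.map((n) => timeTest(re, makeInput(n)));
  const ratios = [];
  for (let i = 1; i < times.length; i++) {
    ratios.push(times[i] / Math.max(times[i - 1], 1e-3));
  }
  return { times, ratios };
}

// Demo: the unsafe regex's cost roughly quadruples as n doubles, while the
// hardened regex finishes in microseconds at every size.
const demoSizes = [5000, 10000, 20000];
console.log('unsafe', growthRatios(UNSAFE_BRACE_RE, hostileInput, demoSizes));
console.log('safe  ', growthRatios(SAFE_BRACE_RE, hostileInput, demoSizes));
```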

Added: Jul 5, 2025, 9:17 AM
Updated: Jul 5, 2025, 9:17 AM

Vulnerability Rating

Custom Algorithm
spread: 6.6
impact: 2.5
exploitability: 4.6
remediation: 0.0
relevance: 0.2
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.