Chinese-Poetry Regular Expression Denial-of-Service Vulnerability

Vulnerability

A Regular Expression Denial-of-Service (ReDoS) vulnerability has been identified in Chinese-Poetry version 0.1. The issue arises in the file rank/server.js, where a regular expression used to remove <script> and <style> tags can be exploited with a carefully crafted input. This exploitation causes catastrophic backtracking, leading to excessive CPU usage and blocking the Node.js event loop, which results in a denial-of-service condition. The vulnerability can be triggered remotely.

Impact

Exploitation of this vulnerability causes a denial-of-service condition by triggering catastrophic backtracking in regular expression processing. The backtracking consumes excessive CPU resources, effectively freezing the Node.js event loop and causing service interruptions.

Reproduction

The vulnerability can be reproduced by sending a request with a body that includes a string containing a large number of partial <style> or <script> opening tags, without corresponding closing tags. This can be done by repeating the opening tags approximately 100,000 times. The vulnerable application will hang for a long time as it processes the input, demonstrating the denial-of-service condition.

Remediation

To address this vulnerability, the regular expression should be modified to prevent catastrophic backtracking. The proposed fix involves using a negative lookahead to make the pattern more specific, ensuring that the regex engine does not match past the intended closing tags. The updated regex can be applied in place of the original one.
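
An added example, not code from Chinese-Poetry or from this advisory: the advisory does not show the regular expression, so LEGACY below is an assumed tag-stripping pattern of the kind described, and HARDENED is one possible negative-lookahead rewrite. All function and constant names are hypothetical, and the inputs are constructed.

```javascript
// Added example. LEGACY is an assumed pattern of the kind the advisory
// describes, not the regex from rank/server.js. HARDENED is one possible
// negative-lookahead rewrite, not the project's fix. All names are hypothetical.
const LEGACY = /<(script|style)[^>]*>[\s\S]*?<\/\1>/gi;

// [^<>]* keeps the attribute scan inside a single tag. The tempered group
// (?:(?!<\/?\1\b)[\s\S])* consumes a body character only when no opening or
// closing tag of the same name starts there, so a failed attempt stops at the
// next tag instead of running to the end of the input.
const HARDENED = /<(script|style)\b[^<>]*>(?:(?!<\/?\1\b)[\s\S])*<\/\1\s*>/gi;

function stripLegacy(html) {
  return html.replace(LEGACY, '');
}

function stripHardened(html) {
  return html.replace(HARDENED, '');
}

// Constructed input: n opening tags with no closing tag.
function unclosedOpeners(n, tag = 'script') {
  return `<${tag}>`.repeat(n);
}

// Wall-clock time of one stripping call, in milliseconds.
function elapsedMs(strip, input) {
  const start = performance.now();
  strip(input);
  return performance.now() - start;
}

// Doubling n roughly quadruples the legacy time (every opener rescans the
// rest of the input) while the hardened time grows linearly.
for (const n of [500, 1000, 2000]) {
  const input = unclosedOpeners(n);
  const legacy = elapsedMs(stripLegacy, input).toFixed(1);
  const hardened = elapsedMs(stripHardened, input).toFixed(1);
  console.log(`n=${n} legacy=${legacy}ms hardened=${hardened}ms`);
}
```

The rewrite is not output-equivalent to the legacy pattern: on `<script>a<script>b</script>` it removes only the inner block and leaves `<script>a`, so code that relies on this stripping for sanitization should be re-tested after the change.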

Added: Jul 14, 2025, 7:21 AM
Updated: Jul 14, 2025, 7:21 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 8.7
remediation: 0.0
relevance: 0.2
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.