Enderfga Claw-Orchestrator Regular Expression Denial-of-Service Vulnerability

A denial-of-service vulnerability has been identified in Enderfga Claw-Orchestrator versions through 3.7.0. The issue arises in the Session Grep Endpoint, specifically within the validateRegex function in src/embedded-server.ts. The vulnerability allows for inefficient regular expression processing, where maliciously crafted patterns can cause catastrophic backtracking. This behavior blocks the Node.js event loop, leading to a complete server hang and unresponsiveness for all users. The vulnerability can be exploited remotely by sending a request to the /session/grep endpoint with a harmful regex pattern.

Impact

Exploitation of this vulnerability causes the Node.js server to hang, disrupting all incoming requests and making the server unresponsive to users.

Reproduction

The vulnerability can be reproduced by sending a POST request to the /session/grep endpoint with a pattern that causes catastrophic backtracking, such as '(a+)+$'. This can be done using a tool like curl or Postman.

Remediation

Users are advised to upgrade to Enderga Claw-Orchestrator version 3.7.1 or later, where this vulnerability has been fixed.