Incorrect regular expression in papaparse

#VU74226 Incorrect regular expression in papaparse

Published: 2023-03-31

Vulnerability identifier: #VU74226

Vulnerability risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-36649

CWE-ID: CWE-185

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
papaparse
Web applications / JS libraries

Vendor: GabrielL

Description

The vulnerability allows a remote attacker to perform regular expression denial of service (ReDoS) attack.

The vulnerability exists due to usage of a very complex regular expression in papaparse.js. A remote attacker can pass specially crafted input to the application and consume extensive system resources, resulting in a denial of service condition.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

papaparse: 5.0.0 - 5.1.1

External links
http://github.com/mholt/PapaParse/commit/235a12758cd77266d2e98fd715f53536b34ad621
http://github.com/mholt/PapaParse/pull/779
http://github.com/mholt/PapaParse/issues/777
http://vuldb.com/?ctiid.218004
http://vuldb.com/?id.218004
http://github.com/mholt/PapaParse/releases/tag/5.2.0

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in MediaWiki

Denial of service in PapaParse