Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

🚧Redos vulnerability in Wordwrap #8653

Closed
raghunandhanvr opened this issue May 4, 2023 · 3 comments
Closed

🚧Redos vulnerability in Wordwrap #8653

raghunandhanvr opened this issue May 4, 2023 · 3 comments
Milestone

Comments

@raghunandhanvr
Copy link

Dear cal.com team,

I am writing to inform you of a vulnerability in the Wordwrap package (version 1.0.0) that is used by your website/service. This vulnerability can be exploited through a regular expression Denial of Service (ReDoS) attack, which can cause the package to enter an infinite loop, leading to a denial of service on the affected system.

The vulnerability affects all versions of the Wordwrap package up to and including version 1.0.0, and unfortunately, there is currently no known fix for the issue. I have included a proof-of-concept code snippet below that demonstrates the vulnerability in action:

for (let i = 0; i <= 10; i++) {
  const attack = "a" + "t".repeat(i * 10_00000);
  const start = performance.now();
  wrap( attack, { trim: true }, );
  console.log(`${attack.length} characters: ${performance.now() - start}ms`);
}

As you can see, this code snippet can cause the Wordwrap package to enter an infinite loop when provided with a specially crafted input string, resulting in a significant delay in processing time and potentially leading to a denial of service.

I urge you to take immediate action to address this vulnerability by either updating to a patched version of the Wordwrap package (if and when one becomes available), or by finding an alternative package that is not vulnerable to this issue.

Thank you for your attention to this matter. Please let me know if you require any additional information or assistance in addressing this vulnerability with respect to cal platform.

Reference: https://security.snyk.io/vuln/SNYK-JS-WORDWRAP-3149973

@maige-app maige-app bot added the 🐛 bug Something isn't working label May 4, 2023
@pranjalg13
Copy link
Contributor

@raghunandhanvr I didn't find any code usage with this dependency, let me know if you found one.
Thanks

@PeerRich
Copy link
Member

@raghunandhanvr how would this be fixed?

@PeerRich PeerRich added this to the v.3.0 milestone May 14, 2023
@emrysal
Copy link
Contributor

emrysal commented May 14, 2023

Thank you @raghunandhanvr - we're keeping an eye out on jonschlinkert/word-wrap#32 - our internal assessment is: Because this code is used only by eslint and this being a dev only package, there is no public facing code that will be affected by this vulnerability. Also as indicated by the optionator package - this vulnerability does not affect their code.

Therefore, no mitigation is needed as we are not affected by this vulnerability.

Also including the eslint assesment @ eslint/eslint#17117 (comment) for completeness.

This is a problem in a transitive dependency so it doesn't seem like there's anything we can do at this point. Also, according to gkz/optionator#44 (comment) this isn't a possible problem for eslint users because the dependency in question is only used with predefined option descriptions, not with user input.

Given the above, I'm closing this issue. If and when the problem is fixed in the dependencies, we could update eslint's package.json if that would help remove the warning.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

4 participants