We found the patch for CVE-2021-43838 in jsx-slack v4.5.1 is insufficient to save from Regular Expression Denial of Service (ReDoS) attack.
This vulnerability affects to jsx-slack v4.5.1 and earlier versions.
Impact
If attacker can put a lot of JSX elements into <blockquote> tag with including multibyte characters, an internal regular expression for escaping characters may consume an excessive amount of computing resources.
/** @jsxImportSource jsx-slack */
import { Section } from 'jsx-slack'
console.log(
<Section>
<blockquote>
{[...Array(40)].map(() => (
<p>亜</p>
))}
</blockquote>
</Section>
)v4.5.1 has released by passing the test against ASCII characters but missed the case of multibyte characters.
GHSA-55xv-f85c-248q
Patches
jsx-slack v4.5.2 has updated regular expressions for escaping blockquote characters to prevent catastrophic backtracking. It is also including an updated test case to confirm rendering multiple tags in <blockquote> with multibyte characters.
References
Credits
Thanks to @hieki for finding out this vulnerability.
We found the patch for CVE-2021-43838 in jsx-slack v4.5.1 is insufficient to save from Regular Expression Denial of Service (ReDoS) attack.
This vulnerability affects to jsx-slack v4.5.1 and earlier versions.
Impact
If attacker can put a lot of JSX elements into
<blockquote>tag with including multibyte characters, an internal regular expression for escaping characters may consume an excessive amount of computing resources.v4.5.1 has released by passing the test against ASCII characters but missed the case of multibyte characters.
GHSA-55xv-f85c-248q
Patches
jsx-slack v4.5.2 has updated regular expressions for escaping blockquote characters to prevent catastrophic backtracking. It is also including an updated test case to confirm rendering multiple tags in
<blockquote>with multibyte characters.References
Credits
Thanks to @hieki for finding out this vulnerability.