Skip to content

[GHSA-f522-ffg8-j8r6] Regular Expression Denial of Service in is-my-json-valid#4850

Closed
matsumokei wants to merge 1 commit into
github:matsumokei/advisory-improvement-4850from
matsumokei:matsumokei-GHSA-f522-ffg8-j8r6
Closed

[GHSA-f522-ffg8-j8r6] Regular Expression Denial of Service in is-my-json-valid#4850
matsumokei wants to merge 1 commit into
github:matsumokei/advisory-improvement-4850from
matsumokei:matsumokei-GHSA-f522-ffg8-j8r6

Conversation

@matsumokei

@matsumokei matsumokei commented Sep 29, 2024

Copy link
Copy Markdown

Updates

  • Details
  • Affected version range
  • Fixed version

Comments

This GHSA-ID corresponds to NSWG-ECO-76.
When I compare it with NSWG-ECO-76, the details, affected version range, and fixed version appear to be incorrect.

@github-actions github-actions Bot changed the base branch from main to matsumokei/advisory-improvement-4850 September 29, 2024 05:37
@darakian

darakian commented Sep 30, 2024
edited
Loading

Copy link
Copy Markdown
Contributor

Hi @matsumokei, thanks for the PR, but it looks to me like the fix got merged into the 2.17.2 tag.
mafintosh/is-my-json-valid@767c6c0
https://hackerone.com/reports/317548

I can't find anything for version1.4.1 so perhaps that is incorrect, but where does 2.12.4 come from?

@matsumokei

matsumokei commented Oct 1, 2024

Copy link
Copy Markdown
Author

@darakian Thank you for your comment.

Where does 2.12.4 come from?

From the references of GHSA-f522-ffg8-j8r6, it corresponds to NSWG-ECO-76 and CVE-2016-2537.

When I look at
https://github.com/nodejs/security-wg/blob/26cf94dd6bd22393449e1fbf2dcf975fd71cb82c/vuln/npm/76.json#L16C3-L16C37 and https://nvd.nist.gov/vuln/detail/CVE-2016-2537, I can find the following descriptions.

NSWG-ECO-76

"vulnerable_versions": "<=2.12.3",
 "patched_versions": ">=2.12.4",

and
CVE-2016-2537

The is-my-json-valid package before 2.12.4 for Node.js has an incorrect exports['utc-millisec'] regular expression, which allows remote attackers to cause a denial of service (blocked event loop) via a crafted string.

GHSA-4hpf-3wq7-5rpr VS GHSA-f522-ffg8-j8r6

The is-my-json-valid package also has GHSA-4hpf-3wq7-5rpr.
GHSA-4hpf-3wq7-5rpr and GHSA-f522-ffg8-j8r6 are similar, but they were reported at different times.
I'm confused because I can't tell the difference between GHSA-4hpf-3wq7-5rpr and GHSA-f522-ffg8-j8r6.

@darakian

darakian commented Oct 1, 2024

Copy link
Copy Markdown
Contributor

This may have been one that we corrected based on the evidence at hand. I can see how the description would lead you to your conclusion, but looking at the actual code change and the tags associated I think the description might be a typo. Perhaps it might be worth raising this with the node security working group?

@matsumokei

matsumokei commented Oct 2, 2024
edited
Loading

Copy link
Copy Markdown
Author

I'll raise an issue with the node security working group.
When I have finished investigating the vulnerabilities of the is-my-json-valid and find something, I may send the PR.
I'll close the PR.
Thanks for discussing with me.

@matsumokei matsumokei closed this Oct 2, 2024
@matsumokei matsumokei deleted the matsumokei-GHSA-f522-ffg8-j8r6 branch October 2, 2024 05:10
@darakian

darakian commented Oct 2, 2024
edited
Loading

Copy link
Copy Markdown
Contributor

Happy to have the conversation and thank you again for effort :)
I'll go ahead and update this advisory to drop the 1.4.1 version as a fix given the lack of evidence and extend the >= 2.0.0, < 2.17.2 range to < 2.17.2.

Let me know how your investigation goes and feel free to follow up in this thread if you feel like the results don't warrant a new PR. 👍

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@matsumokei @darakian