A critical vulnerability - CVE-2022-37620 - has been identified in the popular kangax html-minifier library (version 4..), which exposes every project that depends on it, directly or transitively, to a Regular Expression Denial of Service (ReDoS) attack. The vulnerability lies in the way regular expressions are processed inside htmlminifier.js. This blog post takes an in-depth look at this vulnerability, its effects, and possible solutions to mitigate the risk associated with it.

The Vulnerability: ReDoS

To understand the vulnerability and its impact, it's essential to know what ReDoS is. In simple terms, ReDoS is a type of resource consumption attack that targets vulnerable regular expressions within the application code. These vulnerable regex patterns, when matched against crafted input, can cause the application to perform an excessive amount of backtracking, leading to extremely long processing times or even blocking the application's processing entirely.

The specific vulnerability (CVE-2022-37620) exists within the htmlminifier.js file in the kangax html-minifier 4.. library. The vulnerable regex is the one whose result is assigned to the variable named candidate, and an attacker can supply input that makes this match induce a ReDoS.

Match candidate regex:
candidate = input.match(/^\s*(\/\*<!\[CDATA\[\*\/\s*|\s*\/\*\s*<!\[CDATA\[\s*\*\/)/);

Exploit

To exploit this vulnerability, an attacker can craft input that takes advantage of the vulnerable regex pattern and overwhelms the application's processing capabilities. Here's an example of a crafted input that can trigger the vulnerability:

Input:
let input = "/**<![CDATA[*/////////////////////////";

Crafting: As the regex pattern attempts to match the input containing multiple '/' characters, it keeps backtracking and takes a significant amount of time to complete the matching process.

Impact

The primary impact of this vulnerability is the potential degradation of an application's performance or blocking the processing altogether, depending on the resources consumed during the regex matching process. An attacker can exploit this vulnerability to cause a DoS attack, leading to service unavailability and affecting many users.

Mitigation

As a temporary workaround, it's possible to remove or modify the vulnerable regex inside the kangax html-minifier library, but doing so might break the existing functionality of the library, as it may lead to false positives or negatives.
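Whether the original regex or a modified replacement is safe to ship is something a maintainer can measure rather than guess. The following Node.js probe is an added example, not code from the html-minifier project or from the original post: it times a regex against an input of size n and of size 2n and reports how much slower the larger input was. A regex whose cost is linear in the input roughly doubles, a quadratic one roughly quadruples, and catastrophic backtracking produces ratios in the hundreds or more. The probe is run against the candidate regex quoted above with the post's crafted input shape, and against a textbook nested-quantifier regex as a known-catastrophic control; the helper names (timeMatch, doublingRatio, isSuperlinear), the 8x threshold and the constructed inputs are this example's own choices.

```javascript
// Added example: a timing probe for superlinear regex behaviour.
// Not part of html-minifier; all names and thresholds are this example's own.
// Requires Node.js >= 16 (global `performance`).

// Best-of-`reps` wall-clock time, in milliseconds, for re.test(input).
// Taking the minimum damps GC pauses and timer noise; the floor avoids
// a division by zero for inputs that match or fail instantly.
function timeMatch(re, input, reps = 5) {
  let best = Infinity;
  for (let i = 0; i < reps; i++) {
    const t0 = performance.now();
    re.test(input);
    best = Math.min(best, performance.now() - t0);
  }
  return Math.max(best, 0.001);
}

// How much slower does the regex get when the input doubles from n to 2n?
// Roughly: linear ~2, quadratic ~4, exponential backtracking >> 100.
function doublingRatio(re, makeInput, n) {
  const small = timeMatch(re, makeInput(n));
  const large = timeMatch(re, makeInput(2 * n));
  return large / small;
}

// Conservative classifier: more than `threshold` times slower on a doubled
// input is treated as superlinear and worth a closer look.
function isSuperlinear(re, makeInput, n, threshold = 8) {
  return doublingRatio(re, makeInput, n) > threshold;
}

// 1. The candidate regex quoted in the post (decoded from its HTML rendering).
const candidateRe = /^\s*(\/\*<!\[CDATA\[\*\/\s*|\s*\/\*\s*<!\[CDATA\[\s*\*\/)/;
// 2. A textbook nested-quantifier regex, used here as a known-catastrophic control.
const controlRe = /^(a+)+$/;

// Constructed input generators; `n` controls the length of the repeated part.
const candidateInput = (n) => '/**<![CDATA[*/' + '/'.repeat(n); // the post's crafted shape
const controlInput = (n) => 'a'.repeat(n) + '!';               // trailing '!' forces full backtracking

// Stand-alone run: print the doubling ratios so they can be read side by side.
console.log('candidate regex, crafted input (n=10000 -> 20000):',
  doublingRatio(candidateRe, candidateInput, 10000).toFixed(1));
console.log('control /^(a+)+$/            (n=11 -> 22):       ',
  doublingRatio(controlRe, controlInput, 11).toFixed(1));
console.log('control flagged superlinear:', isSuperlinear(controlRe, controlInput, 11));
```

The probe only reports what it measures, so read the two ratios together: the control line shows what catastrophic backtracking looks like on the same machine, and the candidate line shows how the quoted regex behaves on the post's input shape. When evaluating a modified regex as a workaround, run it through the same harness and also confirm it still accepts the CDATA openers the original was meant to recognise, since the post's caveat is that a careless edit trades a ReDoS for false positives or negatives.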

The best solution is to upgrade to the latest version of the kangax html-minifier library that fixes this specific CVE. Unfortunately, at the time of writing, no fixed version is available, and the library has not been updated since July 12th, 2019.

Another option is to search for alternative libraries that perform similar HTML minification functions, but without the ReDoS vulnerability. Always ensure you are using the most up-to-date and secure version of your chosen library.

It is important to stay informed of any updates released for this library, especially patches that might resolve this vulnerability. Follow these links for the original references and keep an eye on upcoming changes:

- CVE-2022-37620 - NVD
- kangax/html-minifier GitHub Repository

Conclusion

This blog post has provided an in-depth examination of CVE-2022-37620 - a ReDoS vulnerability present in the kangax/html-minifier library. Understanding the risks associated with third-party libraries is crucial for maintaining a secure application environment. Developers must stay vigilant and up-to-date with security patches, and consider switching to alternative libraries if necessary to ensure the safety of their projects.

Timeline

Published on: 10/31/2022 12:15:00 UTC
Last modified on: 11/01/2022 17:59:00 UTC