Regular expressions can be your best friend, but in the wrong place, they become your worst enemy. CVE-2023-26115 shows exactly why: every release of the popular word-wrap package in the Node.js world before 1.2.4 can be choked by a single input string that contains a long run of spaces or tabs. Let's break down how it works, where to find the details, and how to test for yourself (with code!).

What Is word-wrap and Why Does It Matter?

word-wrap is a small but widely used library that breaks strings into lines of a given width by inserting line breaks at word boundaries. Many projects use it, often without realizing it, because it arrives as a transitive dependency (ESLint, for example, pulls it in through optionator).

A Regular Expression Denial of Service (ReDoS) vulnerability in its trimming step turns this harmless function into an attack avenue. That's exactly what CVE-2023-26115 is about.

The Vulnerability Explained (In Plain English)

When you call word-wrap with the trim: true option, it strips trailing spaces and tabs from every line of the wrapped result with this regular expression (word-wrap 1.2.3, index.js):

result = result.replace(/[ \t]*$/gm, '');

The pattern looks innocent, but [ \t]* is greedy and $ only matches at the end of the string or right before a line break. Hand it a line with a long run of spaces or tabs followed by any other character and the engine eats the whole run, finds that $ fails, gives back one character at a time and tests $ after each step, and then, because of the g flag, starts the whole dance again from the next offset. For a run of n characters that is roughly n²/2 attempts: not the exponential blow-up of a nested quantifier, but quadratic time on one string is already enough to pin a CPU core for seconds. Because Node.js runs JavaScript on a single thread, nothing else in that process is served while the regex is busy.

Here's a minimal Node.js script you can use to see the issue locally. Install a vulnerable release first (npm install word-wrap@1.2.3):

const wrap = require('word-wrap');

// Constructed payload: a long run of spaces followed by a non-breaking space.
// The wrapper treats U+00A0 as whitespace, so the whole run stays on one line
// (a plain letter after the spaces would be pushed onto the next line, and the
// run would then end in a newline where $ matches immediately). U+00A0 is
// neither a space, a tab nor a line break, so the trim regex has to backtrack
// through the entire run from every starting offset.
const longInput = ' '.repeat(50_000) + '\u00A0';

console.time('wrap');
wrap(longInput, { width: 20, trim: true }); // trim: true is the vulnerable path
console.timeEnd('wrap');

What happens?
No exception is thrown; wrap simply takes several seconds to return, and the process handles nothing else in the meantime. Double the length of the run and the delay roughly quadruples, the signature of quadratic backtracking. Drop trim: true from the options and the same input returns instantly, which confirms that the trim regex, not the wrapping itself, is the problem. On a real server, this becomes a denial of service.

Real-World Attack Scenario

Imagine a public web server that pretty-prints user-submitted text using word-wrap (with trim: true) before sending it in HTML, an email, a report, a log, etc. An attacker submits a line consisting of tens of thousands of spaces. Nothing crashes and memory stays flat; the regex just burns CPU for seconds, and because the event loop is blocked, every other request to that process waits. A handful of such requests in a row and the service is effectively down.

Solution & Mitigation

Upgrade to word-wrap >= 1.2.4.
The fix in 1.2.4 replaced the regex-based trim with a plain loop that walks back over the trailing spaces and tabs of each line, which is linear in the input. If updating is impossible: cap the length of untrusted input before it reaches wrap, avoid passing trim: true for untrusted text (trim the lines yourself with String.prototype.trimEnd(), which is linear), and reject inputs that contain very long runs of whitespace.
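To see the mechanics without installing anything, here is an added example (my own code, not word-wrap's) that serves both the explanation of the backtracking above and this mitigation section: it puts the vulnerable pattern next to a linear trailing-whitespace trim written in the spirit of the 1.2.4 fix, and models the number of $ tests a backtracking engine performs. All inputs are constructed; countDollarChecks is a simplified model of the engine (it treats only \n and \r as line terminators), not an instrumentation of V8.

```javascript
// The trailing-whitespace trim that word-wrap < 1.2.4 ran when trim: true was set.
const VULNERABLE_TRIM = /[ \t]*$/gm;

function trimVulnerable(str) {
  return str.replace(VULNERABLE_TRIM, '');
}

// Linear replacement (my own implementation of the approach the 1.2.4 fix took:
// no regex, walk back over the spaces/tabs at the end of each line).
// Only \n and \r are treated as line breaks here.
function trimLineEnd(line) {
  const cr = line.endsWith('\r') ? '\r' : '';
  let end = line.length - cr.length;
  while (end > 0 && (line[end - 1] === ' ' || line[end - 1] === '\t')) {
    end -= 1;
  }
  return line.slice(0, end) + cr;
}

function trimSafe(str) {
  return str.split('\n').map(trimLineEnd).join('\n');
}

// Model of what a backtracking engine does for /[ \t]*$/gm: at each start
// offset it greedily consumes the run of spaces/tabs, tests `$`, and on failure
// gives the run back one character at a time, testing `$` after every step.
// Returns the number of `$` tests. This is a model, not V8 instrumentation.
function countDollarChecks(str) {
  const isSpaceOrTab = (c) => c === ' ' || c === '\t';
  // `$` with the m flag: end of input or just before a line terminator.
  const atLineEnd = (q) => q === str.length || str[q] === '\n' || str[q] === '\r';
  let checks = 0;
  let p = 0;
  while (p <= str.length) {
    let run = 0;
    while (isSpaceOrTab(str[p + run])) run += 1;
    let matchEnd = -1;
    for (let q = p + run; q >= p; q -= 1) { // greedy first, then back off
      checks += 1;
      if (atLineEnd(q)) {
        matchEnd = q;
        break;
      }
    }
    // A non-empty match resumes at its end; an empty match or a failure
    // advances the start offset by one.
    p = matchEnd > p ? matchEnd : p + 1;
  }
  return checks;
}

// Wall-clock comparison on a constructed payload: a run of spaces followed by
// a character that is neither a space/tab nor a line break.
function benchmark(runLength) {
  const payload = ' '.repeat(runLength) + 'a';
  const t0 = Date.now();
  trimVulnerable(payload);
  const t1 = Date.now();
  trimSafe(payload);
  const t2 = Date.now();
  return { runLength, checks: countDollarChecks(payload), vulnerableMs: t1 - t0, safeMs: t2 - t1 };
}

// Constructed sample: both trims agree on ordinary multi-line text.
const sample = 'foo \t\nbar\t  \n  ';
console.log('trims agree:', trimVulnerable(sample) === trimSafe(sample));

// Quadratic growth: doubling the run roughly quadruples the `$` tests.
for (const n of [4, 1000, 2000]) {
  console.log(`${n} spaces + "a":`, countDollarChecks(' '.repeat(n) + 'a'), '$ tests');
}
console.log('4 spaces + newline:', countDollarChecks('    \n'), '$ tests');
console.log(benchmark(15000));
```

Run it with node: the $ test count quadruples when the run length doubles, while trimSafe stays flat. Any trailing-whitespace regex of the shape /\s*$/ or /[ \t]*$/ has the same weakness, so the same loop-based replacement applies wherever you find one.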

References and Further Reading

- Original NVD Entry – CVE-2023-26115 (https://nvd.nist.gov/vuln/detail/CVE-2023-26115)
- GitHub Advisory Database
- Fixed in word-wrap@1.2.4
- How Regular Expression Denial of Service Works (OWASP)

Final Words

CVE-2023-26115 is a textbook lesson in how a tiny regular expression bug in a helper package can pose a real threat. If your project (or any of your dependencies!) uses word-wrap, upgrade today. Run npm ls word-wrap to find every copy in your tree, including the transitive ones, and npm audit to have the advisory flagged automatically.

Timeline

Published on: 06/22/2023 05:15:00 UTC
Last modified on: 08/24/2023 16:15:00 UTC