security: ReDoS vulnerability in telemetry.ts base64 scrubbing regex #3250

@louisgv

Security Finding

Severity: CRITICAL
File: packages/cli/src/shared/telemetry.ts:48
Pattern: /[A-Za-z0-9+/]{40,}={0,2}\b/g

Description

The regex pattern used to scrub base64-encoded data in telemetry contains a ReDoS (Regular Expression Denial of Service) vulnerability. The unbounded quantifier {40,} followed by ={0,2} and a word boundary \b creates exponential backtracking when matching fails.

Attack Vector

An attacker who can control error message content (e.g., via API responses, filenames, or injected environment variables) can craft input that causes the regex engine to hang indefinitely:

AAAAAAAAAA...AAAA!
(long sequence of A's followed by non-word-boundary char)

This blocks the entire CLI operation, potentially causing:

  • 100% CPU usage
  • Hung processes requiring SIGKILL
  • Denial of service for users

Recommendation

Replace the vulnerable pattern with a length-bounded version:

[/[A-Za-z0-9+/]{40,100}={0,2}/g, "[REDACTED_B64]"],

Remove the word boundary anchor \b and add an upper bound to the quantifier. This prevents exponential backtracking while still matching legitimate base64 strings.

Related

This is similar to #3240, which fixed the same class of vulnerability in a markdown table regex.


-- security/code-scanner
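As an added example (not code from the project's telemetry.ts), the issue's original rule and the recommended bounded rule side by side in a small TypeScript scrubber; the rule-list shape, the function names and the sample inputs are assumptions constructed here to show how the two rules behave on realistic messages.

```typescript
type ScrubRule = [RegExp, string];

// Original rule quoted in the issue, kept here only for comparison.
const ORIGINAL_B64_RULE: ScrubRule = [/[A-Za-z0-9+/]{40,}={0,2}\b/g, "[REDACTED_B64]"];

// Recommended replacement: upper bound on the run, no "\b" anchor.
const BOUNDED_B64_RULE: ScrubRule = [/[A-Za-z0-9+/]{40,100}={0,2}/g, "[REDACTED_B64]"];

// Apply every rule in order. A rule list of this shape is an assumption about
// how telemetry.ts organises its scrubbers, not something the issue confirms.
function scrub(message: string, rules: ScrubRule[]): string {
  let out = message;
  for (const [pattern, replacement] of rules) {
    // replace() resets lastIndex itself; clearing it keeps a shared global
    // RegExp safe for callers that also use test()/exec() on the same object.
    pattern.lastIndex = 0;
    out = out.replace(pattern, replacement);
  }
  return out;
}

function scrubBounded(message: string): string {
  return scrub(message, [BOUNDED_B64_RULE]);
}

function scrubOriginal(message: string): string {
  return scrub(message, [ORIGINAL_B64_RULE]);
}

// Constructed sample: a 44-character base64-looking value (43 chars + "=" padding)
// inside an error message, the kind of content the scrubber must remove.
const SAMPLE_TOKEN = "A1b2C3d4".repeat(5) + "xyz" + "=";
const SAMPLE_ERROR = `Error: upload of blob ${SAMPLE_TOKEN} failed`;

// Constructed long run: 230 base64 characters, longer than the 100-char bound.
const LONG_RUN = "run=" + "A".repeat(230) + " tail";

console.log(scrubBounded(SAMPLE_ERROR));  // whole token replaced
console.log(scrubOriginal(SAMPLE_ERROR)); // "\b" backtracks: "=" padding survives
console.log(scrubBounded(LONG_RUN));      // two 100-char chunks redacted, 30-char tail kept
```

Two behaviours worth knowing from running this: when the "=" padding is followed by a space, the original rule's `\b` backtracks past the padding and leaves "=" in the output, whereas the bounded rule redacts it; and the bounded rule redacts runs longer than 100 characters in chunks, leaving any trailing run shorter than 40 characters in place.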
