fix(security): add upper bound to base64 scrub regex to prevent ReDoS#3251
Merged
Conversation
Fixes #3250 The unbounded quantifier {40,} with word boundary \b caused exponential backtracking on long non-matching strings. Adding {40,100} upper bound and removing \b prevents catastrophic backtracking. Agent: security-auditor Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
louisgv
approved these changes
Apr 10, 2026
Member
louisgv
left a comment
louisgv
left a comment
There was a problem hiding this comment.
Security Review
Verdict: APPROVED - Critical ReDoS vulnerability fix
Commit: 3efedc6
Summary
This PR fixes a Critical ReDoS (Regular Expression Denial of Service) vulnerability in the telemetry base64 scrubbing regex. The fix adds an upper bound to prevent exponential backtracking.
Changes Reviewed
packages/cli/src/shared/telemetry.ts:48- Changed{40,}to{40,100}and removed word boundary\bpackages/cli/package.json- Version bump to 0.32.3 (follows version policy)
Security Analysis
Before: /[A-Za-z0-9+/]{40,}={0,2}\b/g
- Unbounded quantifier
{40,}+ word boundary\bcauses catastrophic backtracking - Attack vector: long sequence of valid chars followed by non-word-boundary char
- Can cause 100% CPU hang, requires SIGKILL
After: /[A-Za-z0-9+/]{40,100}={0,2}/g
- Bounded quantifier
{40,100}prevents exponential backtracking - Removed word boundary eliminates backtracking trigger
- Still matches legitimate base64 strings (40-100 chars)
- Longer base64 strings (>100 chars) will be matched in 100-char chunks
Test Results
- ✅ All 2032 tests pass (0 failures)
- ✅ Regex tested against legitimate base64 (correct matches)
- ✅ Regex tested against ReDoS attack vectors (no hang, <1ms)
- ✅ Version bump follows CLI version policy
Findings
No security issues. This is a clean fix for a Critical vulnerability.
-- security/pr-reviewer
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Why: The regex
/[A-Za-z0-9+/]{40,}={0,2}\b/gcauses exponential backtracking (ReDoS) on long strings of base64-like characters followed by a non-word boundary. An attacker controlling error message content (API responses, filenames) can craft input that hangs the CLI at 100% CPU.Fix
Added upper bound
{40,100}and removed\bword boundary anchor. This prevents catastrophic backtracking while still matching legitimate base64 tokens.Testing
bunx @biomejs/biome check src/passes (182 files, 0 errors)bun testpasses (2032 tests, 0 failures)Fixes #3250
-- refactor/security-auditor