
Inefficient Regular Expression Complexity vulnerability pending CVSS allocation #921

Closed
AddictArts opened this issue Jan 3, 2023 · 6 comments

Comments

@AddictArts

Dependency npm:debug:4.3.4 is vulnerable Cx8bc4df28-fcf5 7.5 Inefficient Regular Expression Complexity vulnerability pending CVSS allocation Results powered by Checkmarx(c)

Is this being looked into or resolved?

@Qix-
Member

Qix- commented Jan 5, 2023

I have no idea what you're referring to. Please give me some more information. There have been a few ReDoS vulnerabilities found that have taken one of two outcomes: a CVE has been allocated, or a CVE has been explicitly blocked and the researcher was asked not to take it further because the surface area was negligible except under the most egregious, irresponsible uses of the library.

For example, in one case, you would have had to have passed long, unsanitized user input into the namespace parameter of the debug() builder in order to be affected. As this is a bizarre, unusual, unsupported, discouraged and undocumented use case, a CVE was not allocated.

It's the same thing as when we received a "vulnerability" report in chalk that stated that input that had malicious escape sequences was re-emitted by chalk and that they wanted a CVE and monetary compensation for reporting said vulnerability. Some of the reports we receive are ridiculous and thus I tend to request they cease with the CVE process because you'd have to go out of your way to make your software vulnerable. Further, "researchers" tend to take these CVEs and allocate the highest possible score to them in order to get higher payouts on e.g. https://huntr.dev, along with reporting them piecemeal so that they can register multiple CVEs, etc.

At this point, ReDoS reports against this package are being considered spam and I've been reporting them to Huntr in most cases when they come through. I'm not sure where you're seeing this information but I doubt whatever "report" you're seeing actually affects you.

@Qix-
Member

Qix- commented Jan 5, 2023

To be abundantly clear, there has never been a reported ReDoS attack using debug as a vector in the 10+ years this package has existed across the billions of downloads this package receives per annum, because consumers of this library would have to be doing some pretty blatantly reckless stuff in order for it to be attacked.

Whatever report you're seeing there has not been responsibly reported to me at all. I'm unaware of any pending security report against that version of debug.

@AddictArts
Author

AddictArts commented Jan 6, 2023

I'm using JetBrains tools, specifically WebStorm, but it should be any of them. The reason for mentioning it here was that I did not find it listed in any way. Also, others may ask, so hopefully this helps with others asking the same question or filing multiple reports.

This is the link it takes you to:
https://devhub.checkmarx.com/cve-details/Cx8bc4df28-fcf5/

CWE-1333 - Inefficient Regular Expression Complexity
The product uses a regular expression with an inefficient, possibly exponential
worst-case computational complexity that consumes excessive CPU cycles.

I'm not saying it is an issue. I hope this helps.

Summary
In NPM `debug`, the `enable` function accepts a regular expression from user input without escaping it.
Arbitrary regular expressions could be injected to cause a Denial of Service attack on the user's browser,
otherwise known as a ReDoS (Regular Expression Denial of Service).
This is a different issue than CVE-2017-16137.

So, it looks like considered spam. Maybe put this up front, pin it, or add to the README so others won't ask.
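As an added defensive example (not code from the debug project or from either commenter), this wrapper validates a DEBUG-style namespace list before it is handed to `enable()`, which is the mitigation both comments above point at: never pass unsanitized user input as a namespace pattern. It assumes, per the Checkmarx summary, that `enable()` compiles each comma- or space-separated item into a regular expression in which only `*` is a wildcard; the function names are mine.

```javascript
// Assumption (from the summary above): enable() turns each namespace item
// into a RegExp where only `*` is special, so any other regex metacharacter
// in the string is unintended input and is rejected here.
const NAMESPACE_ITEM = /^-?[A-Za-z0-9_:*-]+$/;
const MAX_LIST_LENGTH = 128;   // constructed limit: keeps matching cheap
const MAX_WILDCARDS = 2;       // constructed limit: bounds backtracking

// Split a DEBUG-style pattern list ("app:*,-app:noisy") into items,
// dropping empty entries the same way a whitespace/comma split would.
function splitNamespaces(input) {
  return String(input).split(/[\s,]+/).filter(Boolean);
}

// True only if every item is a plain namespace or wildcard pattern with a
// bounded number of `*`. Characters such as ( ) + ? . { } are refused.
function isSafeNamespaceList(input) {
  if (typeof input !== 'string' || input.length > MAX_LIST_LENGTH) {
    return false;
  }
  return splitNamespaces(input).every((item) => {
    const wildcards = (item.match(/\*/g) || []).length;
    return NAMESPACE_ITEM.test(item) && wildcards <= MAX_WILDCARDS;
  });
}

// Mirror of the wildcard-only translation (assumption, not debug's code):
// `*` becomes `.*?` and the pattern is anchored at both ends.
function toAnchoredRegExp(item) {
  return new RegExp('^' + item.replace(/\*/g, '.*?') + '$');
}

// Wrapper around any enable(namespaces) function: the pattern list is
// forwarded only after validation; otherwise the current config is kept.
function enableIfSafe(enable, input) {
  if (!isSafeNamespaceList(input)) {
    return false;
  }
  enable(input);
  return true;
}
```

In an application that lets users pick which namespaces to log, route that value through `enableIfSafe` rather than calling `enable()` directly.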

@Qix-
Member

Qix- commented Jan 12, 2023

Closing as a dupe of #924 (aware it was posted after this issue, however it has more details and a linked investigation with more pertinent information about the filing).

Thanks for bringing this to my attention.

@danday74

This comment was marked as spam.

@danday74

This comment was marked as spam.

@debug-js debug-js locked as resolved and limited conversation to collaborators Aug 4, 2023