
CVE-2022-37620/ ReDoS found in htmlminifier.js #1135

Open
Supraja9726 opened this issue Oct 27, 2022 · 4 comments

Comments

@Supraja9726

A Regular Expression Denial of Service (ReDoS) flaw was found in kangax html-minifier 4.0.0 via the candidate variable in htmlminifier.js.
The ReDoS vulnerability can be mitigated with several best practices described here: [https://snyk.io/blog/redos-and-catastrophic-backtracking/]

@michaeljauk

Is anyone willing to work on this?

@blv-raulcatalan

Any update on this?

@rquadling

rquadling commented Mar 22, 2023

One of the lines referred to by the CVE has the following regex: \s+([1-9][0-9]*w|[0-9]+(?:\.[0-9]+)?x)$

Would changing it to \s+([1-9][0-9]*w|[0-9]+(?:\.[0-9]+|)x)$ be enough?

\s+([1-9][0-9]*w|[0-9]+(?=(\.[0-9]+|))\2x)$ is another way that should stop the backtracking (based this upon https://snyk.io/blog/redos-and-catastrophic-backtracking/).
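An added example, not code from the html-minifier project or from any commenter: it runs the original regex and the two rewrites proposed above over constructed srcset-style candidate strings and fails if any variant accepts or captures a different descriptor, which is the check a reviewer would want before merging a backtracking fix. The sample strings and the srcset framing are assumptions.

```javascript
// Regex as quoted in the issue above.
const ORIGINAL = /\s+([1-9][0-9]*w|[0-9]+(?:\.[0-9]+)?x)$/;
// Proposal 1: "(?:...)?" written as "(?:...|)". Same greedy order, so same matches.
const PROPOSAL_ALT = /\s+([1-9][0-9]*w|[0-9]+(?:\.[0-9]+|)x)$/;
// Proposal 2: lookahead plus backreference. A JavaScript lookahead is atomic,
// so "\.[0-9]+" is consumed once and never re-tried with fewer digits.
const PROPOSAL_ATOMIC = /\s+([1-9][0-9]*w|[0-9]+(?=(\.[0-9]+|))\2x)$/;

const VARIANTS = { original: ORIGINAL, alt: PROPOSAL_ALT, atomic: PROPOSAL_ATOMIC };

// Returns the captured width/density descriptor ("2x", "320w", ...) or null.
function descriptor(candidate, re) {
  const m = candidate.match(re);
  return m ? m[1] : null;
}

// Constructed sample candidates (assumed srcset entries): valid, malformed, long.
const SAMPLES = [
  'image.png 2x',         // density descriptor
  'image.png 1.5x',       // fractional density
  'image.png 0.5x',       // leading zero is fine for "x"
  'image.png 320w',       // width descriptor
  'image.png 0w',         // width must start with 1-9
  'image.png 2x ',        // trailing space: "$" must follow the descriptor
  'image.png2x',          // no whitespace before the descriptor
  'image.png 1.x',        // dot without digits
  'image.png 10X',        // uppercase is not accepted
  'image.png ' + '1'.repeat(40) + 'x',
  'image.png ' + '1.'.repeat(20) + '5x', // repeated "1." never matches
  'image.png ' + ' '.repeat(40) + '2x',  // many spaces before one descriptor
];

// Maps each sample to the descriptor all variants return; throws if any
// variant disagrees, i.e. the rewrite changed what is accepted.
function compareVariants(samples = SAMPLES) {
  const results = {};
  for (const s of samples) {
    const seen = Object.entries(VARIANTS).map(([name, re]) => [name, descriptor(s, re)]);
    const first = seen[0][1];
    if (seen.some(([, v]) => v !== first)) {
      throw new Error(`variants disagree on ${JSON.stringify(s)}: ${JSON.stringify(seen)}`);
    }
    results[s] = first;
  }
  return results;
}
```

Agreement on accepted inputs does not by itself show the backtracking is gone; that still needs a regex complexity check or a timing test against growing inputs.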

@timbomckay

timbomckay commented Apr 10, 2023

I stumbled upon a fork of this maintained by terser: https://www.npmjs.com/package/html-minifier-terser

Probably the way to go.
