
fix: prevent ReDoS in REGEX comparator (CWE-1333) and resource exhaustion in generatePermutations (CWE-770)#381

Open
absalonCRC wants to merge 2 commits into vercel:main from absalonCRC:fix/redos-regex-and-resource-exhaustion

Conversation

@absalonCRC

Summary

Fixes two security vulnerabilities discovered during a code audit of the Vercel flags ecosystem.

1. ReDoS via Unrestricted Regex Pattern in Flag Evaluation (Medium Severity)

File: packages/vercel-flags-core/src/evaluate.ts (lines 303-321)

The REGEX and NOT_REGEX comparators construct new RegExp(rhs.pattern, rhs.flags) where the pattern comes from the flag definition datafile without ANY validation. A malicious or compromised flag definition could contain a catastrophic backtracking pattern like /(a+)+b/ that, when evaluated against a 10,000-character string, consumes CPU for seconds/minutes causing a denial of service.

The only existing protection was MAX_REGEX_INPUT_LENGTH = 10_000 which limits the INPUT string, not the regex pattern itself.

Fix:

  • Added MAX_REGEX_PATTERN_LENGTH = 500 to limit pattern length
  • Added isSafeRegexPattern() function that:
    • Rejects nested quantifier patterns (e.g., (a+)+b, (a*)*) — the primary ReDoS vector
    • Limits pattern nesting to 20 levels
    • Rejects patterns exceeding length limit
  • Applied isSafeRegexPattern() check in both REGEX and NOT_REGEX comparators

2. Exponential Resource Exhaustion in generatePermutations (Medium Severity)

File: packages/flags/src/next/precompute.ts (lines 190-225)

The generatePermutations() function computes the Cartesian product of all flag options without any limit. For example:

  • 10 flags with 3 options each = 59,049 permutations
  • 20 flags with 2 options each = 1,048,576 permutations

Each permutation is individually serialized and signed. This causes uncontrolled memory consumption and can crash the build process.

Fix:

  • Added MAX_PERMUTATIONS = 10_000 constant
  • Pre-calculates expected permutations before entering the Cartesian product loop
  • Throws a descriptive error with actionable guidance when the limit is exceeded

Verification

Both fixes are additive (add new checks before potentially dangerous operations) and do not change the behavior for flags with safe regex patterns or reasonable numbers of options.

No existing tests were modified — the changes only restrict previously unbounded operations.

Related

…eratePermutations

- Adds isSafeRegexPattern() to validate regex patterns before evaluation
  (prevents catastrophic backtracking via nested quantifiers)
- Limits pattern length to 500 chars and nesting depth to 20 levels
- Rejects patterns containing nested quantifiers (primary ReDoS vector)
- Adds MAX_PERMUTATIONS=10,000 limit to generatePermutations()
  (prevents exponential memory exhaustion from Cartesian product)

Security: LWHS-2026-001
@vercel

vercel Bot commented May 12, 2026

@cultofrozen is attempting to deploy a commit to the Vercel Labs Team on Vercel.

A member of the Team first needs to authorize it.

@absalonCRC

🔒 Security Note for Vercel Security Team

This PR fixes two security vulnerabilities discovered during a code audit:

  1. CWE-1333 (ReDoS): The REGEX comparator evaluates user-controlled regex patterns from flag definitions without validation, allowing catastrophic backtracking. A compromised flag definition could cause CPU DoS.

  2. CWE-770 (Resource Exhaustion): generatePermutations() computes the full Cartesian product of flag options without an upper bound, allowing memory exhaustion at build time.

These findings may be eligible for the Vercel Open Source Bug Bounty Program (HackerOne).

Please direct any questions to this PR thread or the associated advisory submission.

Ref: https://hackerone.com/vercel-open-source

…rflow (SvelteKit)

- Adds 1 MB limit on valuesUint8Array before JSON.parse() in deserialization
  (prevents memory exhaustion from oversized JWE payloads)
- Adds MAX_PERMUTATIONS=10,000 limit to SvelteKit generatePermutations()
  (matching same fix applied to Next.js version in PR vercel#381)

Security: CWE-770 (Allocation Without Limits or Throttling)
@absalonCRC

@vercel/security This PR fixes 4 security vulnerabilities (ReDoS CWE-1333 + Resource Exhaustion CWE-770). Would appreciate a security team review when available. These findings may be eligible for the Vercel Open Source Bug Bounty program.
