Impact
Zulip allows organization administrators on a server to configure "linkifiers" that automatically create links from messages that users send, detected via arbitrary regular expressions. Malicious organization administrators could subject the server to a denial-of-service via regular expression complexity attacks; most simply, by configuring a quadratic-time regular expression in a linkifier and sending messages that exploited it. The validator that checked user-provided regexes for ReDoS safety was itself implemented as a regular expression; this check was insufficient, and was itself subject to ReDoS if the organization administrator entered a sufficiently complex invalid regex.
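The advisory's point is that validating a regex with another regex is both incomplete and a ReDoS risk in its own right. The added example below (not Zulip's code) shows the alternative a defender would reach for: parse the candidate linkifier pattern with the regex engine's own recursive-descent parser, which runs in time linear in the pattern length and rejects invalid patterns without backtracking, then flag the classic catastrophic shape of an unbounded quantifier nested inside another. It is a heuristic, not a proof of safety (patterns such as `a*a*b` or `(a|aa)*` slip past it); a linear-time matcher such as RE2 is the robust mitigation. The `#(?P<id>[0-9]+)` sample pattern and the use of the private `re._parser` / `sre_parse` module are assumptions of this example.

```python
from __future__ import annotations

import re

try:                      # Python 3.11+ moved the stdlib regex parser here
    from re import _parser as sre_parse
except ImportError:       # older interpreters expose it as sre_parse
    import sre_parse  # type: ignore

# Assumption: this private parser API is stable enough for a validator.
REPEAT_OPS = (sre_parse.MAX_REPEAT, sre_parse.MIN_REPEAT)


def _subpatterns(arg):
    """Yield every SubPattern node reachable inside an opcode argument."""
    if isinstance(arg, sre_parse.SubPattern):
        yield arg
    elif isinstance(arg, (tuple, list)):
        for item in arg:
            yield from _subpatterns(item)


def _count_nested(node, depth):
    """Count unbounded repeats ('*', '+', '{n,}') nested inside another."""
    found = 0
    for op, arg in node:
        child_depth = depth
        if op in REPEAT_OPS:
            _lo, hi, _body = arg
            if hi == sre_parse.MAXREPEAT:      # unbounded upper bound
                if depth >= 1:                 # already inside a repeat
                    found += 1
                child_depth = depth + 1
        for child in _subpatterns(arg):
            found += _count_nested(child, child_depth)
    return found


def count_nested_unbounded_repeats(pattern: str) -> int:
    """Parse with the engine's parser (linear time, no regex-on-regex)."""
    return _count_nested(sre_parse.parse(pattern), 0)


def validate_linkifier_pattern(pattern: str) -> tuple[bool, str]:
    """Return (accepted, reason) for a candidate linkifier pattern."""
    try:
        nested = count_nested_unbounded_repeats(pattern)
    except re.error as exc:    # malformed regex: rejected without backtracking
        return False, f"invalid regex: {exc}"
    if nested:
        return False, f"{nested} nested unbounded repeat(s): possible ReDoS"
    return True, "ok"
```

A typical issue-number linkifier such as `#(?P<id>[0-9]+)` is accepted, while `(\w+\s?)+$` is rejected before it ever reaches the message pipeline.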
Patches
Affected users should upgrade to the just-released Zulip 4.7, or main.
For more information
If you have any questions or comments about this advisory, you can discuss them on the developer community Zulip server, or email the Zulip security team.
Thanks
The denial-of-service in the linkifier validator was discovered by Erik Krogh Kristensen and Rasmus Petersen, as GHSL-2021-118.