Regular expression denial-of-service in linkifiers

Moderate
alexmv published GHSA-4h36-mqfq-42jg Oct 4, 2021

Package

Zulip (Application)

Affected versions

< 4.7

Patched versions

4.7

Description

Impact

Zulip allows organization administrators on a server to configure "linkifiers" that automatically create links from messages that users send, with matches detected via arbitrary regular expressions. Malicious organization administrators could subject the server to a denial-of-service via regular expression complexity attacks; most simply, by configuring a quadratic-time regular expression in a linkifier and then sending messages that exploited it. A regular expression was used to parse the user-provided regexes and verify that they were safe from ReDoS; this check was both insufficient and itself subject to ReDoS if the organization administrator entered a sufficiently complex invalid regex.
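As an added example (not Zulip's code and not the fix shipped in 4.7), one way to validate an administrator-supplied linkifier pattern without running a regex over the regex text: parse it with Python's own pattern parser and walk the resulting tree, rejecting unbounded repetition nested inside another repeat. This catches the exponential nested-quantifier shape, not every super-linear pattern, so it complements rather than replaces a linear-time matching engine; the function names and sample patterns are constructed for the example.

```python
"""Added example: structural ReDoS check for user-supplied linkifier patterns.
Parsing the pattern into a tree and walking it avoids running a backtracking
regex over attacker-chosen text; it is a heuristic, not a linear-time proof."""
import re

try:  # Python >= 3.11 keeps the regex parser here
    from re import _parser as sre_parse, _constants as sre_constants
except ImportError:  # Python <= 3.10
    import sre_parse, sre_constants

REPEAT_OPS = {sre_constants.MAX_REPEAT, sre_constants.MIN_REPEAT}


def _children(op, arg):
    """Yield the sub-patterns nested under one parse-tree node."""
    if op in REPEAT_OPS:                                      # (min, max, sub)
        yield arg[2]
    elif op == sre_constants.SUBPATTERN:                      # (..., sub)
        yield arg[-1]
    elif op == sre_constants.BRANCH:                          # (None, [subs])
        yield from arg[1]
    elif op in (sre_constants.ASSERT, sre_constants.ASSERT_NOT):
        yield arg[1]
    elif op == sre_constants.GROUPREF_EXISTS:                 # (group, yes, no)
        yield from (sub for sub in arg[1:] if sub is not None)
    elif op == getattr(sre_constants, "ATOMIC_GROUP", None):  # 3.11+ only
        yield arg


def _has_nested_unbounded_repeat(subpattern, inside_repeat=False):
    """True if an unbounded repeat (*, +, {n,}) sits inside another repeat."""
    for op, arg in subpattern:
        is_repeat = op in REPEAT_OPS
        if is_repeat and inside_repeat and arg[1] == sre_constants.MAXREPEAT:
            return True
        for child in _children(op, arg):
            if _has_nested_unbounded_repeat(child, inside_repeat or is_repeat):
                return True
    return False


def validate_linkifier_pattern(pattern):
    """Return (accepted, reason) for an administrator-supplied pattern."""
    try:  # recursive-descent parse: no backtracking, so malformed input
        tree = sre_parse.parse(pattern)  # is rejected without a blow-up
    except re.error as exc:
        return False, f"invalid regular expression: {exc}"
    if _has_nested_unbounded_repeat(tree):
        return False, "nested unbounded repetition is not allowed"
    return True, "ok"
```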

Patches

Affected users should upgrade to the just-released Zulip 4.7, or main.

For more information

If you have any questions or comments about this advisory, you can discuss them on the developer community Zulip server, or email the Zulip security team.

Thanks

The denial-of-service in the linkifier validator was discovered by Erik Krogh Kristensen and Rasmus Petersen, as GHSL-2021-118.

Severity

Moderate, 4.3 / 10

CVSS base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: Low
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

CVE ID

CVE-2021-41115