fast-xml-parser is an open source, pure JavaScript XML parser that is widely used for its speed and its lack of native dependencies. However, it was recently discovered that before version 4.4.1, a Regular Expression Denial of Service (ReDoS) vulnerability exists in the currency.js file of the package. In this post, we'll dive into the details of the vulnerability, CVE-2024-41818, by examining the code snippet, providing links to the original references, and explaining the exploitation and mitigation techniques for developers and users of fast-xml-parser.

Details of the ReDoS Vulnerability

The vulnerability exists in the "currency.js" file of fast-xml-parser and allows an attacker to cause a denial of service by constructing a specially crafted XML document. When fast-xml-parser parses this document, the regex engine's processing time grows exponentially with the input, consuming CPU and preventing the system from responding to legitimate requests.

Let's take a look at the code snippet where this issue exists:

const currencyRegex = /^(\d+(\.\d{1,10})?)\s*([A-Z]{2,3})$/;

This regex is used to check whether an input string matches the format of a currency value. The capture group for decimal places allows for 1 to 10 digits, and because the input it is applied to is not length-limited, this pattern is what could cause the ReDoS.

References

1. NPM Advisory - https://www.npmjs.com/advisories/1668
2. GitHub Pull Request - https://github.com/NaturalIntelligence/fast-xml-parser/pull/315
3. GitHub Commit - https://github.com/NaturalIntelligence/fast-xml-parser/commit/fe20e58a92156b10ab8bad7f39d7f305e236dda7

Exploit

In order to exploit this vulnerability, an attacker must get a malicious payload parsed by the target service or application. This payload would be a specially crafted XML document:

<?xml version="1.0" encoding="UTF-8"?>
<root>
<item price="1.1111111111AAAAAAAAAA"/> <!-- repeated a large number of times -->
</root>

In this example, a large number of <item> elements are created whose price attribute contains a value shaped to stress the vulnerable regex. When fast-xml-parser tries to parse this XML document, the regex engine can get stuck backtracking for a long time, rendering the application unresponsive.

Mitigation and Recommendations

The fast-xml-parser team has already remedied this issue by releasing version 4.4.1, which includes a fix for this ReDoS vulnerability. It is highly recommended that all developers and users of the package update to version 4.4.1 or higher.

To update the package, use the following npm command:

npm install fast-xml-parser@^4.4.1

Additionally, it is crucial for developers to validate and bound untrusted input (for example, by rejecting overly long attribute values before applying any regex to them) to minimize the impact of issues like this one.
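To make the "validate before matching" advice concrete for the regex shown in the Details section, here is an added example (my own code, not fast-xml-parser's fix and not taken from the referenced commit) that accepts the same currency format in two safer ways: a length cap applied before the original regex, and a hand-written linear-time scanner that accepts exactly the same strings with no backtracking at all. The MAX_CURRENCY_LEN value is an assumption chosen for illustration; pick a bound that fits your own data.

```javascript
// Added example: bounded and linear-time alternatives to an unbounded regex check.
// The regex below is the one quoted in this post; the length cap is an assumption.
const currencyRegex = /^(\d+(\.\d{1,10})?)\s*([A-Z]{2,3})$/;
const MAX_CURRENCY_LEN = 32; // assumed upper bound for a legitimate currency value

// Mitigation 1: refuse oversized input before the regex engine ever sees it.
// A backtracking regex cannot blow up on input whose length is capped.
function isCurrencyValueBounded(str) {
  if (typeof str !== "string" || str.length > MAX_CURRENCY_LEN) return false;
  return currencyRegex.test(str);
}

// Mitigation 2: a single left-to-right scan with the same accept set as the
// regex: digits, optional "." plus 1-10 digits, optional whitespace, 2-3 A-Z.
// Runs in O(n) regardless of input shape, so no length cap is strictly needed,
// but keeping one is still good hygiene.
function isCurrencyValueLinear(str) {
  if (typeof str !== "string") return false;
  const n = str.length;
  let i = 0;

  // Integer part: one or more ASCII digits (\d in JS is ASCII-only).
  const intStart = i;
  while (i < n && str[i] >= "0" && str[i] <= "9") i++;
  if (i === intStart) return false;

  // Optional fraction: "." followed by 1 to 10 digits.
  if (i < n && str[i] === ".") {
    i++;
    const fracStart = i;
    while (i < n && str[i] >= "0" && str[i] <= "9") i++;
    const fracLen = i - fracStart;
    if (fracLen < 1 || fracLen > 10) return false;
  }

  // Optional whitespace (same class as the regex's \s).
  while (i < n && /\s/.test(str[i])) i++;

  // Currency code: 2 or 3 uppercase ASCII letters, then end of string.
  const codeStart = i;
  while (i < n && str[i] >= "A" && str[i] <= "Z") i++;
  const codeLen = i - codeStart;
  if (codeLen < 2 || codeLen > 3) return false;
  return i === n;
}

// Constructed sample inputs, including the value shape used in the exploit section.
const samples = [
  "12.50 USD",
  "100US",
  "1.1111111111AAAAAAAAAA",
  "1.12345678901 EUR",
  "5. USD",
  "A".repeat(100),
];
for (const s of samples) {
  console.log(JSON.stringify(s.slice(0, 40)), isCurrencyValueBounded(s), isCurrencyValueLinear(s));
}
```

Both functions agree on every input; the linear scanner is the stronger fix because its running time no longer depends on how the input is shaped, while the length cap is the quickest thing to put in front of an existing regex you cannot rewrite immediately.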

Conclusion

CVE-2024-41818 revealed a critical ReDoS vulnerability in the fast-xml-parser package. Updating to version 4.4.1 effectively mitigates this vulnerability and prevents the resulting denial-of-service attacks. As a matter of security best practice, always keep your packages up to date and validate user input before processing it.

Timeline

Published on: 07/29/2024 16:15:05 UTC
Last modified on: 09/11/2024 16:09:46 UTC