VYPR
Moderate severity · NVD Advisory · Published Oct 26, 2024 · Updated Oct 28, 2024

GHSL-2020-291: Regular Expression Denial of Service (ReDoS) in CommonRegexJS

CVE-2020-26305

Description

CommonRegexJS is a CommonRegex port for JavaScript. All available versions contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS). As of time of publication, no known patches are available.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CommonRegexJS for JavaScript contains multiple regular expressions with exponential backtracking, enabling Regular Expression Denial of Service (ReDoS) attacks via crafted inputs. No patch is available.

Vulnerability

Overview

CommonRegexJS, a JavaScript library for extracting common information patterns (dates, e-mail addresses, URLs, phone numbers and similar tokens) from free text, contains one or more regular expressions vulnerable to Regular Expression Denial of Service (ReDoS) [1][2]. The root cause is poorly constructed patterns in which ambiguous or overlapping sub-expressions give the backtracking engine exponentially many ways (O(2^n) in the input length) to consume the same characters; on a crafted input that ultimately fails to match, the engine tries every one of them before giving up [2].

Exploitation

Path

An attacker exploits this by submitting a maliciously crafted string to any application that runs CommonRegexJS over untrusted input [2]. Because the library exists to pull tokens out of free-form text, it is typically applied to user-supplied content, often server-side, which gives the attacker a direct path to the vulnerable patterns [2][3]. No authentication or elevated privileges are required; the attacker only needs to get text to a code path that calls the library [2].

Impact

Successful exploitation makes the process burn CPU while the regex engine backtracks over the crafted input, resulting in a denial of service [2]. In Node.js the match runs synchronously on the single event loop, so one stalled match blocks every other request handled by that process until the match completes, degrading or halting the application for all users [1][2]. The vulnerability is purely an availability concern; no confidentiality or integrity of data is affected [1].

Mitigation

Status

At the time of publication, no patches are available for CommonRegexJS [1]. The GitHub Security Lab reported the issue on November 30, 2020, but the disclosure window expired without a security fix or confirmed contact from the maintainer [2][4]. The latest commit on the repository remains unpatched [2][3]. Users are advised to replace the library with a safer alternative, or, as a temporary workaround, to sanitize input and enforce strict length limits before it reaches the library [2]. Note that a length cap only helps against an exponential pattern if it is very tight (tens of characters), since the backtracking work doubles with each additional character; where longer input must be accepted, run the matching in an isolated worker that can be killed on a timeout, or rewrite the offending pattern so that no two sub-expressions can consume the same characters.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: commonregex (npm)
Affected versions: <= 0.3.1
Patched versions: none

Affected products: 3

Patches: 0 (no patches discovered yet)

