High severity · NVD Advisory · Published Jan 7, 2023 · Updated Aug 3, 2024
cronvel terminal-kit ReDoS
CVE-2021-4306
Description
A vulnerability classified as problematic has been found in cronvel terminal-kit up to version 2.1.7. An unknown function is affected; manipulation of its input leads to inefficient regular expression complexity (ReDoS). Upgrading to version 2.1.8 addresses this issue; the fixing patch is commit a2e446cc3927b559d0281683feb9b821e83b758c. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-217620.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| terminal-kit (npm) | < 2.1.8 | 2.1.8 |
Affected products
- Range: 2.1.0
Patches
a2e446cc3927: Fix a possible ReDoS
6 files changed · +26 −6
browser/termkit.js+4 −2 modified@@ -19123,9 +19123,11 @@ misc.truncateString = ( str , maxWidth ) => { -// width of a string with a markup, without control chars +// Width of a string with a markup, without control chars misc.markupWidth = str => { - return string.unicode.width( str.replace( /\^\[[^\]]*]|\^(.)/g , ( match , second ) => { + // Fix a possible ReDoS, the regex: /\^\[[^\]]*]|\^(.)/g was replaced by: /\^\[[^^[\]]*]|\^(.)/g + // The exploit was possible with a string like: '^['.repeat(bigNumber) + return string.unicode.width( str.replace( /\^\[[^^[\]]*]|\^(.)/g , ( match , second ) => { if ( second === ' ' || second === '^' ) { return second ; }
browser/termkit.min.js+1 −1 modifiedCHANGELOG+6 −0 modified@@ -1,4 +1,10 @@ +v2.1.8 +------ + +Fix a possible ReDoS + + v2.1.7 ------
lib/misc.js+4 −2 modified@@ -180,9 +180,11 @@ misc.truncateString = ( str , maxWidth ) => { -// width of a string with a markup, without control chars +// Width of a string with a markup, without control chars misc.markupWidth = str => { - return string.unicode.width( str.replace( /\^\[[^\]]*]|\^(.)/g , ( match , second ) => { + // Fix a possible ReDoS, the regex: /\^\[[^\]]*]|\^(.)/g was replaced by: /\^\[[^^[\]]*]|\^(.)/g + // The exploit was possible with a string like: '^['.repeat(bigNumber) + return string.unicode.width( str.replace( /\^\[[^^[\]]*]|\^(.)/g , ( match , second ) => { if ( second === ' ' || second === '^' ) { return second ; }
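Review bot: the hardened class `[^^[\]]*` in the `misc.markupWidth` replace changes behaviour beyond stopping the rescan: a `^[...]` body that itself contains `^` or `[` is no longer consumed by the first alternative, so an input such as `^[a^b]` now loses only `^[` and `^b` and leaves `a]` in the width count, whereas the old pattern dropped the whole bracket. If the markup grammar never allows those characters inside `^[...]` this is harmless, but the hunk adds no test; a regression test pinning the width of ordinary markup and asserting that `'^['.repeat(bigNumber)` returns promptly would document both the intent and the fix. The comment lines explaining the old and new regex are good; the identical hunk in `browser/termkit.js` has to stay in step with this one, so the bundled file should be regenerated from `lib/misc.js` rather than edited separately.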
package.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "terminal-kit", - "version": "2.1.7", + "version": "2.1.8", "description": "256 colors, keys and mouse, input field, progress bars, screen buffer (including 32-bit composition and image loading), text buffer, and many more... Whether you just need colors and styles, build a simple interactive command line tool or a complexe terminal app: this is the absolute terminal lib for Node.js!", "main": "lib/termkit.js", "directories": {
SECURITY.md+10 −0 added@@ -0,0 +1,10 @@ + +## Reporting a Vulnerability + +If you think you have found a vulnerability, _please report responsibly_. +Don't create GitHub issues for security issues. +Instead, send an email to cedric dot ronvel at gmail dot com and I will look into it as soon as possible. + +**A note for bounty hunters:** I should mention that I *usually* prefer to fix security issues by myself, +because it could involve rethinking API or fixing it / working around it in a way only an official maintainer can do it. +I want to avoid people getting frustrated: **don't work on a fix before getting in touch with me**.
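Review bot: the new policy gives a contact address and asks reporters not to open public issues, but says nothing about which release lines receive security fixes; since this fix ships only in 2.1.8 and everything below it is listed as affected, a one-line supported-versions statement would save reporters and users a question. Minor: the hunk starts with a stray blank `+` line before `## Reporting a Vulnerability`.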
References
- github.com/cronvel/terminal-kit/commit/a2e446cc3927b559d0281683feb9b821e83b758c (patch)
- github.com/cronvel/terminal-kit/releases/tag/v2.1.8 (patch)
- github.com/advisories/GHSA-wxgh-8gmr-3qh3 (advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-4306 (advisory)
- vuldb.com (signature; permissions required)
- vuldb.com (VDB entry, technical description)