CVE-2021-45470
Description
lib/DatabaseLayer.py in cve-search before 4.1.0 allows regular expression injection, which can lead to ReDoS (regular expression denial of service) or other impacts.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
cve-search before version 4.1.0 is vulnerable to regular expression injection in `lib/DatabaseLayer.py`, potentially enabling ReDoS or other attacks.
Vulnerability
cve-search up to version 4.0 included a regular expression injection vulnerability in the `cvesForCPE` function within `lib/DatabaseLayer.py` (line 241). The code directly interpolated user-controlled `cpe_regex` into a regex pattern without escaping, allowing an attacker to inject regex metacharacters. This affects all versions before 4.1.0, where the fix was applied [1][2].
Exploitation
An attacker with network access to the application's CPE search interface can supply a crafted CPE pattern containing regex metacharacters. No authentication is required if the search endpoint is publicly accessible. By injecting a pattern such as (?:a+)+ the attacker can trigger catastrophic backtracking, leading to ReDoS (Regular expression Denial of Service) [1][2].
Impact
Successful exploitation causes the application to consume excessive CPU time handling the crafted regex, potentially leading to denial of service. In extreme cases, the regex injection might also allow bypassing intended filtering logic, though the primary vector is ReDoS. The fix in version 4.1.0 escapes the input using `re.escape()` to prevent injection [3].
Mitigation
Version 4.1.0, released on 2021-12-23, remediates the issue by escaping the `cpe_regex` with `re.escape()` before compilation [1][2][3]. Users still on a previous version should upgrade immediately. If upgrading is not possible, the vulnerable line can be manually patched to use `re.escape()`. No other workarounds are documented.
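As an added illustration (not the project's code: the pre-fix and post-fix pattern builders are reconstructed from the description above, the lookup is modelled with Python's `re` module rather than the project's database query, and the CPE records are constructed), the following shows how an unescaped lookup value acts as a pattern and widens the filter, while `re.escape()` confines it to a literal prefix:

```python
import re

# Constructed sample records standing in for the CPE strings a cve-search
# instance would hold; not taken from the project's database.
SAMPLE_CPES = [
    "cpe:2.3:a:example:widget:1.0:*:*:*:*:*:*:*",
    "cpe:2.3:a:example:widget:1x0:*:*:*:*:*:*:*",
    "cpe:2.3:a:other:thing:2.0:*:*:*:*:*:*:*",
]


def build_pattern_vulnerable(cpe_regex: str) -> re.Pattern:
    """Pre-4.1.0 shape (reconstructed for illustration): the caller's string
    is dropped into the pattern as-is, so '.' and '*' in it act as regex
    operators instead of the literal characters a CPE string contains."""
    return re.compile("^" + cpe_regex)


def build_pattern_fixed(cpe_regex: str) -> re.Pattern:
    """4.1.0 shape: re.escape() turns every metacharacter into a literal, so
    the input can only match itself as a prefix. Note that legitimate CPE
    strings contain '.' and '*', which is why escaping, not rejecting, is the
    right fix."""
    return re.compile("^" + re.escape(cpe_regex))


def cves_for_cpe(cpe_regex: str, hardened: bool = True, cpes=SAMPLE_CPES) -> list:
    """Return the records whose CPE starts with the caller-supplied value,
    using either the vulnerable or the escaped pattern builder."""
    build = build_pattern_fixed if hardened else build_pattern_vulnerable
    pattern = build(cpe_regex)
    return [cpe for cpe in cpes if pattern.match(cpe)]


if __name__ == "__main__":
    # A lookup value ending in '.*' widens the filter to every record when
    # interpolated raw; once escaped it matches nothing, because no CPE
    # literally contains ".*" at that position.
    wildcard = "cpe:2.3:a:.*"
    print("vulnerable:", cves_for_cpe(wildcard, hardened=False))  # all three
    print("hardened:  ", cves_for_cpe(wildcard, hardened=True))   # []
    # The unescaped '.' in "1.0" also matches "1x0"; the escaped form does not.
    exact = "cpe:2.3:a:example:widget:1.0:"
    print("vulnerable:", cves_for_cpe(exact, hardened=False))  # two records
    print("hardened:  ", cves_for_cpe(exact, hardened=True))   # one record
```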
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cve-search/cve-search
- Range: <4.1.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1. github.com/cve-search/cve-search/commit/c621f9f0693a728b93ff3b964f948a1d25917207
2. github.com/cve-search/cve-search/compare/v4.0...v4.1.0
3. github.com/cve-search/cve-search/pull/629
News mentions
No linked articles in our index yet.