VYPR
High severity · NVD Advisory · Published Sep 20, 2022 · Updated May 28, 2025

CVE-2022-37259

Description

A Regular Expression Denial of Service (ReDoS) flaw was found in stealjs steal 2.2.4 via the string variable in babel.js.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A Regular Expression Denial of Service (ReDoS) vulnerability in stealjs/steal 2.2.4 allows attackers to cause a denial of service via a crafted string in babel.js.

Vulnerability

Overview

The stealjs/steal module loader version 2.2.4 contains a Regular Expression Denial of Service (ReDoS) flaw in its ext/babel.js file. The vulnerability arises from a poorly crafted regular expression that processes the string variable, leading to catastrophic backtracking when a specially crafted input is provided [1][2].

Exploitation

Details

An attacker can exploit this vulnerability by supplying a malicious string that triggers the vulnerable regular expression, causing excessive CPU consumption. The attack does not require authentication if the attacker can control the input processed by babel.js. In typical usage, this would be triggered during module loading or build-time transformation, meaning any application using stealjs/steal to load and process untrusted module code could be affected [1][3].

Impact

Successful exploitation results in a denial of service condition, as the regular expression engine enters exponential backtracking, hanging the Node.js process or significantly degrading performance. This can render the application unresponsive, impacting availability [2].

Mitigation

As of the publication date, the vulnerability exists in stealjs/steal version 2.2.4. Users should review the upstream repository for patches or consider upgrading to a newer version if available [3]. The issue was reported on the project's GitHub issue tracker [1]; however, no official patch release has been confirmed in the advisory. Until a fix is applied, avoid processing untrusted input through the affected regular expression in babel.js.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package        Affected versions    Patched versions
steal (npm)    <= 2.3.0             (none listed)

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 5

News mentions: 0 (no linked articles in our index yet)