VYPR
High severity · NVD Advisory · Published Sep 15, 2022 · Updated Aug 3, 2024

CVE-2022-37262


Description

A Regular Expression Denial of Service (ReDoS) flaw was found in stealjs steal 2.2.4 via the source and sourceWithComments variables in main.js.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A ReDoS vulnerability in stealjs/steal 2.2.4 allows denial of service via crafted input due to inefficient regex in main.js.

A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in stealjs/steal version 2.2.4. The issue is located in the source and sourceWithComments variables within the main.js file, where regex patterns are susceptible to catastrophic backtracking [1][4]. This flaw allows an attacker to cause the application to consume excessive computational resources by providing specially crafted input.

Exploitation of this vulnerability does not require authentication; an attacker can trigger the ReDoS by submitting a malicious string to the affected variable. Since the regex is applied to user-controlled input, even a single request can cause the CPU to spike, leading to a denial of service condition [2].

The impact of successful exploitation is significant: the application may become unresponsive, affecting availability for legitimate users. This is particularly concerning for services that rely on stealjs for module loading in production environments.

As of the disclosure, the vulnerability affects stealjs/steal 2.2.4. Users are advised to update to a patched version if available. The issue was reported via the project's GitHub repository, and further details can be found in the linked advisory [1].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: steal (npm)
Affected versions: <= 2.3.0
Patched versions: none listed

Affected products (2)

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (5)

News mentions (0)

No linked articles in our index yet.