Denosaurs emoji has ReDoS vulnerability in `replace` function
Description
The Denosaurs emoji package provides emojis for dinosaurs. Starting in version 0.1.0 and prior to version 0.3.0, the reTrimSpace regex has 2nd degree polynomial inefficiency, leading to a delayed response given a big payload. The issue has been patched in 0.3.0. As a workaround, avoid using the replace, unemojify, or strip functions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Denosaurs emoji package (0.1.0–0.2.9) contains a ReDoS in the `reTrimSpace` regex, causing denial of service via large payloads.
Vulnerability
The Denosaurs emoji package versions 0.1.0 up to (but not including) 0.3.0 contain a Regular Expression Denial of Service (ReDoS) vulnerability. The reTrimSpace regex exhibits 2nd-degree polynomial inefficiency, meaning that the time the regex engine spends on a specially crafted input string grows quadratically with payload size [2]. The affected code path is reached through the replace, unemojify, or strip functions [1].
Exploitation
An attacker can provide a large, carefully crafted input string to one of the exposed functions (replace, unemojify, or strip). No special authentication or user interaction beyond invoking the vulnerable function is required; the attack is purely input-driven. The regex engine will enter a backtracking loop that results in a delayed response proportional to the square of the input length [2].
Impact
Successful exploitation leads to a denial of service (degraded availability) by causing the application to consume excessive CPU time or blocking the event loop. The attacker does not gain any ability to read, modify, or delete data; the impact is limited to availability [2].
Mitigation
The vulnerability is fixed in version 0.3.0, which removes the reTrimSpace regex in favor of the native trim() method [1]. Users should upgrade to version 0.3.0 or later. As a workaround, avoid using the replace, unemojify, or strip functions until the upgrade can be applied [2]. The issue is not known to be listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
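The following is an added example, not code from the denosaurs/emoji package: a whitespace-trimming regex with the same class of defect the Vulnerability section describes, beside the native `trim()` replacement the Mitigation section credits to 0.3.0. The regex `reTrimSpaceLike` is a hypothetical stand-in, since the package's actual `reTrimSpace` pattern is not reproduced on this page.

```javascript
// HYPOTHETICAL pattern standing in for reTrimSpace (the real one is not on
// the page). The `\s+$` alternative is the problem: on a run of whitespace
// that is followed by a non-space character, the engine tries `\s+` from every
// position in the run, greedily consumes to the end of the run, fails on `$`,
// and backtracks through every shorter length. That is O(n^2) steps overall.
const reTrimSpaceLike = /^\s+|\s+$/g;

// Pre-fix behaviour: regex-based trimming.
function trimVulnerable(s) {
  return s.replace(reTrimSpaceLike, "");
}

// Post-fix behaviour: String.prototype.trim is a linear scan with no
// backtracking, so input shape cannot inflate its running time.
function trimFixed(s) {
  return s.trim();
}

// Measure one trim implementation on a constructed input: a non-space
// character, n spaces, then another non-space character. Returns elapsed
// milliseconds; used to show the regex version scaling quadratically while
// the trim() version stays linear.
function timeTrim(fn, n) {
  const payload = "x" + " ".repeat(n) + "y";
  const start = performance.now();
  fn(payload);
  return performance.now() - start;
}

// Regression check for the swap: both implementations must produce the same
// output, so replacing the regex with trim() is behaviour-preserving.
function sameResult(s) {
  return trimVulnerable(s) === trimFixed(s);
}

// Stand-alone run (Node/CommonJS): doubling n should roughly quadruple the
// regex time and leave the trim() time flat.
if (typeof require !== "undefined" && require.main === module) {
  for (const n of [5000, 10000, 20000]) {
    const slow = timeTrim(trimVulnerable, n).toFixed(1);
    const fast = timeTrim(trimFixed, n).toFixed(1);
    console.log(`n=${n}: regex ${slow} ms, trim() ${fast} ms`);
  }
}
```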
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- denosaurs/emoji (v5), range: < 0.3.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/denosaurs/emoji/pull/11
- github.com/denosaurs/emoji/security/advisories/GHSA-w2xx-hjhp-gx5v
- huntr.dev/bounties/444f2255-5085-466f-ba0e-5549fa8846a3/
News mentions
No linked articles in our index yet.