Regular Expression Denial of Service (ReDoS) #153
Description
Regular Expression Denial of Service (ReDoS)
Vulnerable module: debug
Introduced through: truffle@4.1.5
Detailed paths
Introduced through: erc20-tokens@ConsenSys/Tokens#df959c7db75cc5fbb1591775353733958b3ceca1 › truffle@4.1.5 › mocha@3.5.3 › debug@2.6.8
Remediation: Upgrade to truffle@4.1.9.
Overview
debug is a JavaScript debugging utility modelled after Node.js core's debugging technique..
debug uses printf-style formatting. Affected versions of this package are vulnerable to Regular expression Denial of Service (ReDoS) attacks via the the %o formatter (Pretty-print an Object all on a single line). It used a regular expression (/\s*\n\s*/g) in order to strip whitespaces and replace newlines with spaces, in order to join the data into a single line. This can cause a very low impact of about 2 seconds matching time for data 50k characters long.