August 3, 2021

GHSL-2021-098: ReDoS in OpenProject - CVE-2021-32763

GitHub Security Lab

Coordinated Disclosure Timeline


A user of the system can post a message on a forum containing a specifically crafted string that will trigger a ReDoS vulnerability.



Tested Version

OpenProject 11.3.2

Issue details

The MessagesController class has a quote method that implements the logic behind the Quote button in the discussion forums, and it uses the following regex to strip <pre> tags from the message being quoted (app/controllers/messages_controller.rb#L147):

text.to_s.strip.gsub(%r{<pre>((.|\s)*?)</pre>}m, '[...]')

The (.|\s) part can match a space character in two ways, so an unterminated <pre> tag containing n spaces will cause Ruby’s regex engine to backtrack to try 2^n states in the NFA. For example:

irb(main):009:0> text = '<pre>                           </pre'
processing time: 0.000026s
=> "<pre>                           </pre"
irb(main):010:0> text.to_s.strip.gsub(%r{<pre>((.|\s)*?)</pre>}m, '[...]')
processing time: 21.166936s
=> "<pre>                           </pre"
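
An added example (not code from OpenProject or from this advisory) that puts the regex above beside a pattern without the ambiguous alternation and times both on small constructed inputs. The HARDENED pattern and the helper names are assumptions made for illustration, not OpenProject's actual fix.

```ruby
require 'benchmark'

# Pattern quoted in the advisory: (.|\s) offers two ways to consume each
# whitespace character, so a failed match explores both at every position.
VULNERABLE = %r{<pre>((.|\s)*?)</pre>}m

# Assumed replacement (hypothetical, not the project's patch): with the /m
# flag "." already matches newlines in Ruby, so the alternation is redundant.
HARDENED = %r{<pre>.*?</pre>}m

# Same call chain as the advisory's snippet, with the pattern as a parameter.
def quote_strip(text, pattern)
  text.to_s.strip.gsub(pattern, '[...]')
end

# Constructed input in the advisory's shape: <pre>, n spaces, and a closing
# tag that lacks its final ">", so the match must fail.
def unterminated(n)
  "<pre>#{' ' * n}</pre"
end

# Wall-clock seconds spent stripping an unterminated block of n spaces.
def seconds(pattern, n)
  Benchmark.realtime { quote_strip(unterminated(n), pattern) }
end

# n is kept small so the vulnerable pattern finishes quickly; each step of 2
# should roughly quadruple its time while the hardened pattern stays flat.
[12, 14, 16, 18].each do |n|
  printf("n=%2d  vulnerable=%.4fs  hardened=%.6fs\n",
         n, seconds(VULNERABLE, n), seconds(HARDENED, n))
end
```

Ruby 3.2 and later add regex-engine mitigations (match memoization and Regexp.timeout), so the growth in the vulnerable column may not show on those versions.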


Denial of Service


This issue was discovered by @nickrolfe (Nick Rolfe) from the GitHub CodeQL team.


You can contact the GHSL team at Please include GHSL-2021-098 in any communication regarding this issue.