Coordinated Disclosure Timeline
- 2022-06-23: Report sent to maintainer of jquery-validation.
- 2022-06-23: Report was acknowledged.
- 2022-07-01: Fix release 1.19.5 and advisory were published.
- 2022-07-14: Maintainer updated advisory and requested CVE.
- 2022-07-15: CVE-2022-31147 was assigned to this vulnerability.
Summary
The issue is the same as CVE-2021-43306:
An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the jquery-validation npm package when an attacker is able to supply arbitrary input to the url2 method.
The fix we suggested for CVE-2021-43306 was incomplete. The ReDoS analysis in CodeQL has improved since then and uncovered the remaining vulnerability.
Product
jquery-validation
Tested Version
1.19.4
Details
Issue: ReDoS in url2.js (GHSL-2022-039)
Below is a PoC that contains the relevant regular expression. Run the following script with node and you will notice that it doesn't terminate: the pattern backtracks through every way of splitting the run of zeros into hostname labels, which grows exponentially with the input length.
// Regular expression from url2.js in jquery-validation 1.19.4.
const reg = /^(?:(?:(?:https?|ftp):)?\/\/)(?:\S+(?::\S*)?@)?(?:(?!(?:10|127)(?:\.\d{1,3}){3})(?!(?:169\.254|192\.168)(?:\.\d{1,3}){2})(?!172\.(?:1[6-9]|2\d|3[0-1])(?:\.\d{1,3}){2})(?:[1-9]\d?|1\d\d|2[01]\d|22[0-3])(?:\.(?:1?\d{1,2}|2[0-4]\d|25[0-5])){2}(?:\.(?:[1-9]\d?|1\d\d|2[0-4]\d|25[0-4]))|(?:(?:[a-z0-9\u00a1-\uffff][a-z0-9\u00a1-\uffff_-]{0,62})?[a-z0-9\u00a1-\uffff]\.?)+(?:[a-z\u00a1-\uffff]{2,}\.?))(?::\d{2,5})?(?:[/?#]\S*)?$/i;
// "//" followed by 100 zeros: no scheme, no userinfo, a host made only of digits.
const str = "//" + "00".repeat(50);
console.log(reg.test(str));
…
The incomplete fix was identified using CodeQL.
Impact
This issue may lead to DoS.
Remediation
The new vulnerability has since been fixed in the gist that the regular expression was copy-pasted from: https://gist.github.com/dperini/729294#file-regex-weburl-js-L62 The fix is therefore to copy the updated version of the pattern from that gist (reproduced below). The only change is that the dot after each hostname label, previously optional (`\.?`), is now mandatory (`\.`), which removes the ambiguity the backtracking exploits.
/^(?:(?:(?:https?|ftp):)?\/\/)(?:\S+(?::\S*)?@)?(?:(?!(?:10|127)(?:\.\d{1,3}){3})(?!(?:169\.254|192\.168)(?:\.\d{1,3}){2})(?!172\.(?:1[6-9]|2\d|3[0-1])(?:\.\d{1,3}){2})(?:[1-9]\d?|1\d\d|2[01]\d|22[0-3])(?:\.(?:1?\d{1,2}|2[0-4]\d|25[0-5])){2}(?:\.(?:[1-9]\d?|1\d\d|2[0-4]\d|25[0-4]))|(?:(?:[a-z0-9\u00a1-\uffff][a-z0-9\u00a1-\uffff_-]{0,62})?[a-z0-9\u00a1-\uffff]\.)+(?:[a-z\u00a1-\uffff]{2,}\.?))(?::\d{2,5})?(?:[/?#]\S*)?$/i
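The following harness is an added example, not code from the GHSL advisory or from jquery-validation. It places the url2 pattern from the PoC above beside the corrected pattern from the Remediation section, confirms that the two differ by exactly one character, times both on the PoC input at lengths the vulnerable pattern can still finish, and compares them on a handful of constructed URLs. The sample URLs and the function names are assumptions made for this example; the two regular expressions are copied from the advisory.

```javascript
// Added example (not part of the advisory or of jquery-validation).
// Pattern from the advisory's PoC: url2.js in jquery-validation 1.19.4.
const VULNERABLE_URL2 = /^(?:(?:(?:https?|ftp):)?\/\/)(?:\S+(?::\S*)?@)?(?:(?!(?:10|127)(?:\.\d{1,3}){3})(?!(?:169\.254|192\.168)(?:\.\d{1,3}){2})(?!172\.(?:1[6-9]|2\d|3[0-1])(?:\.\d{1,3}){2})(?:[1-9]\d?|1\d\d|2[01]\d|22[0-3])(?:\.(?:1?\d{1,2}|2[0-4]\d|25[0-5])){2}(?:\.(?:[1-9]\d?|1\d\d|2[0-4]\d|25[0-4]))|(?:(?:[a-z0-9\u00a1-\uffff][a-z0-9\u00a1-\uffff_-]{0,62})?[a-z0-9\u00a1-\uffff]\.?)+(?:[a-z\u00a1-\uffff]{2,}\.?))(?::\d{2,5})?(?:[/?#]\S*)?$/i;

// Pattern from the Remediation section (dperini's gist, line 62).
const FIXED_URL2 = /^(?:(?:(?:https?|ftp):)?\/\/)(?:\S+(?::\S*)?@)?(?:(?!(?:10|127)(?:\.\d{1,3}){3})(?!(?:169\.254|192\.168)(?:\.\d{1,3}){2})(?!172\.(?:1[6-9]|2\d|3[0-1])(?:\.\d{1,3}){2})(?:[1-9]\d?|1\d\d|2[01]\d|22[0-3])(?:\.(?:1?\d{1,2}|2[0-4]\d|25[0-5])){2}(?:\.(?:[1-9]\d?|1\d\d|2[0-4]\d|25[0-4]))|(?:(?:[a-z0-9\u00a1-\uffff][a-z0-9\u00a1-\uffff_-]{0,62})?[a-z0-9\u00a1-\uffff]\.)+(?:[a-z\u00a1-\uffff]{2,}\.?))(?::\d{2,5})?(?:[/?#]\S*)?$/i;

// Locate the first position where the two pattern sources differ.
function patternDiff() {
  const a = VULNERABLE_URL2.source;
  const b = FIXED_URL2.source;
  let i = 0;
  while (i < a.length && i < b.length && a[i] === b[i]) i++;
  return { offset: i, vulnerable: a.slice(i, i + 12), fixed: b.slice(i, i + 12) };
}

// True when deleting the single "?" at the diverging offset of the vulnerable
// pattern yields the fixed pattern, i.e. the whole fix is "\.?" -> "\.".
function fixIsSingleCharRemoval() {
  const { offset } = patternDiff();
  const a = VULNERABLE_URL2.source;
  return a[offset] === "?" && a.slice(0, offset) + a.slice(offset + 1) === FIXED_URL2.source;
}

// Build the advisory's PoC family: "//" followed by n copies of "00".
function pocInput(n) {
  return "//" + "00".repeat(n);
}

// Time one regex test; returns the boolean result and elapsed wall-clock ms.
function timedTest(re, input) {
  const start = process.hrtime.bigint();
  const matched = re.test(input);
  const ms = Number(process.hrtime.bigint() - start) / 1e6;
  return { matched, ms };
}

// Constructed sample URLs (assumption for this example): ordinary URLs that
// both patterns accept, private-range and schemeless inputs both reject, and
// a dotless hostname, which only the vulnerable pattern accepts.
const SAMPLE_URLS = [
  "https://example.com/path?q=1",
  "https://user:pw@example.org:8080/#frag",
  "//example.com",
  "ftp://192.168.1.1/",
  "example.com",
  "not a url",
  "http://localhost",
];

function compareOnSamples() {
  return SAMPLE_URLS.map((url) => ({
    url,
    vulnerable: VULNERABLE_URL2.test(url),
    fixed: FIXED_URL2.test(url),
  }));
}

// Exponential growth of the vulnerable pattern on the PoC input, capped at a
// length that still finishes; the fixed pattern is run at the advisory's n = 50.
function growthTable(maxN = 11) {
  const rows = [];
  for (let n = 4; n <= maxN; n++) {
    rows.push({ n, pattern: "vulnerable", ...timedTest(VULNERABLE_URL2, pocInput(n)) });
  }
  rows.push({ n: 50, pattern: "fixed", ...timedTest(FIXED_URL2, pocInput(50)) });
  return rows;
}

console.log("fix is a single-character removal:", fixIsSingleCharRemoval());
for (const row of compareOnSamples()) console.log(row);
for (const row of growthTable()) {
  console.log(`${row.pattern.padEnd(10)} n=${String(row.n).padStart(2)} matched=${row.matched} ${row.ms.toFixed(2)} ms`);
}
```

The growth table makes the failure mode visible without hanging the process: each additional "00" roughly quadruples the time the vulnerable pattern needs to reject the input, while the fixed pattern rejects the full n = 50 string in well under a millisecond because every hostname label must now end in a literal dot and the input contains none. The sample comparison also shows the one behavioural consequence of the fix a deployer should expect: hostnames without a dot, such as "localhost", no longer validate.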
CVE
- CVE-2022-31147
Credit
This issue was discovered and reported by GitHub team member @erik-krogh (Erik Krogh Kristensen).
Contact
You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2022-039 in any communication regarding this issue.