CVE-2017-18077 in brace-expansion
Summary
by MITRE
index.js in brace-expansion before 1.1.7 is vulnerable to Regular Expression Denial of Service (ReDoS) attacks, as demonstrated by an expand argument containing many comma characters.
Analysis
by VulDB Data Team • 02/02/2023
CVE-2017-18077 is a critical Regular Expression Denial of Service (ReDoS) flaw in the brace-expansion npm package, affecting versions before 1.1.7. The weakness lies in index.js and shows how routine input processing can become a vector for severe performance degradation: a regular expression used by the library exhibits exponential backtracking on certain inputs, which is especially dangerous in web applications that pass user input through such libraries.
The problem arises in the library's parsing of brace expansion patterns, specifically strings containing many comma characters. When an attacker supplies an input with numerous commas, the regular expression used by the expand function is driven into catastrophic backtracking: the engine tries many possible ways of matching the input, so processing time grows exponentially with input size. The trigger is an input with a large number of commas, which the pattern's nested quantifiers can match in an astronomical number of ways, all of which the engine explores before it settles on a result.
Operationally, this affects any application that relies on brace-expansion to process user input or configuration files. The impact goes beyond slow responses: a process can become completely unresponsive, disrupting service, particularly where the library handles untrusted input. An attacker who can supply a crafted pattern makes the application burn CPU time, producing a denial of service for legitimate users. Server-side applications and APIs that process user-provided data are the main concern, since resource exhaustion there can cascade into broader availability failures.
The vulnerability is classified under CWE-400 for Regular Expression Denial of Service and maps to ATT&CK technique T1499.004, resource exhaustion. Organizations should update to brace-expansion 1.1.7 or later, which revises the regular expression patterns so that catastrophic backtracking cannot occur. In addition, input validation at application boundaries should limit the complexity of patterns handed to the library. The fix for this class of bug generally consists of rewriting the regular expression to remove nested quantifiers, or enforcing input length limits so that exploitable inputs are rejected before they are processed. Security teams should also monitor for abnormal processing times or CPU consumption that might indicate exploitation attempts, since this weakness can be combined with other attack vectors in more elaborate denial of service scenarios.
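The input-limiting mitigation recommended above, as an added example in JavaScript that is not code from brace-expansion or VulDB: a linear-time pre-check that rejects a pattern before it is passed to the expander when its length, comma count, brace nesting depth, or the number of strings it would expand to exceeds a limit. The default limits are assumptions chosen for illustration, as is the counting model for {a,b} lists and {1..10} sequences.

```javascript
// Added example, not code from brace-expansion or VulDB: a linear-time pre-check
// that bounds a brace pattern's length, comma count, nesting depth and expansion
// count before the string reaches an expander. All limit values are assumptions.
function analyzeBracePattern(input, limits = {}) {
  const { maxLength = 256, maxCommas = 32, maxDepth = 4, maxExpansions = 1024 } = limits;
  const result = { ok: false, reason: null, commas: 0, depth: 0, expansions: 1 };
  const reject = (reason) => Object.assign(result, { reason });
  if (input.length > maxLength) return reject('too long');
  // One frame per open group: sizes of finished alternatives, running product, body start
  const stack = [{ alts: [], cur: 1, start: -1 }];
  for (let i = 0; i < input.length; i++) {
    const c = input[i];
    if (c === '\\') { i++; continue; }           // backslash escapes the next character
    // Comma-heavy input is what triggers the ReDoS, so every comma counts toward the limit
    if (c === ',' && ++result.commas > maxCommas) return reject('too many commas');
    if (c === '{') {
      stack.push({ alts: [], cur: 1, start: i + 1 });
      result.depth = Math.max(result.depth, stack.length - 1);
      if (result.depth > maxDepth) return reject('nesting too deep');
    } else if (c === ',' && stack.length > 1) {   // comma inside a group ends an alternative
      const top = stack[stack.length - 1];
      top.alts.push(top.cur); top.cur = 1;
    } else if (c === '}' && stack.length > 1) {
      const top = stack.pop();
      top.alts.push(top.cur);
      const parent = stack[stack.length - 1];
      parent.cur *= groupSize(top, input.slice(top.start, i));
      if (parent.cur > maxExpansions) return reject('expansion too large');
    }
  }
  if (stack.length !== 1) return reject('unbalanced braces');
  result.expansions = stack[0].cur;
  result.ok = true;
  return result;
}

// Number of strings one closed group yields: a comma list sums its alternatives,
// {1..10[..step]} and {a..z} sequences count by range, anything else is literal text.
function groupSize(frame, body) {
  if (frame.alts.length > 1) return frame.alts.reduce((a, b) => a + b, 0);
  const m = /^(-?\d+|[a-zA-Z])\.\.(-?\d+|[a-zA-Z])(?:\.\.(-?\d+))?$/.exec(body);
  if (m && isNaN(m[1]) === isNaN(m[2])) {          // both numeric or both alphabetic
    const val = (s) => (isNaN(s) ? s.charCodeAt(0) : Number(s));
    const step = Math.max(1, Math.abs(Number(m[3] || 1)));
    return Math.floor(Math.abs(val(m[2]) - val(m[1])) / step) + 1;
  }
  return frame.alts[0];                            // "{x}" is literal; nested groups still multiply
}
```

Bounding the comma count caps the work the vulnerable regular expression can be made to do, but this is a boundary control, not a substitute for upgrading to 1.1.7 or later.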