CVE-2021-23362 in hosted-git-info
Summary
by MITRE • 03/24/2021
The package hosted-git-info before 3.0.8 are vulnerable to Regular Expression Denial of Service (ReDoS) via shortcutMatch in fromUrl().
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 04/04/2021
The vulnerability identified as CVE-2021-23362 affects the hosted-git-info package version prior to 3.0.8, presenting a significant security risk through Regular Expression Denial of Service. This issue specifically manifests within the shortcutMatch function of the fromUrl() method, where maliciously crafted input can cause excessive computational overhead and potential system resource exhaustion. The vulnerability stems from poorly constructed regular expressions that are susceptible to catastrophic backtracking when processing certain input patterns, creating a condition where the system becomes unresponsive or crashes due to the exponential time complexity of regex matching operations.
The technical flaw resides in the implementation of regular expression patterns used to parse and validate git repository URLs, particularly when handling shortcut formats that are commonly used in package management systems. When an attacker provides a crafted URL containing specific character sequences, the regex engine enters into a state of catastrophic backtracking where it repeatedly attempts different matching paths, consuming CPU resources and memory in an exponential manner. This behavior directly maps to the Common Weakness Enumeration CWE-400, which categorizes the vulnerability as a Regular Expression Denial of Service attack, and aligns with the ATT&CK technique T1496 specifically targeting resource exhaustion through malformed input processing.
The operational impact of this vulnerability extends beyond simple denial of service, as it can affect various systems that rely on package management workflows including development environments, continuous integration pipelines, and automated deployment systems. Applications using the affected package may experience complete service unavailability when processing malicious URLs, potentially leading to cascading failures in automated workflows and system downtime. The vulnerability is particularly dangerous in environments where user input is processed through package managers or dependency resolution systems, as it can be exploited through supply chain attacks or by manipulating package metadata.
Mitigation strategies should prioritize immediate patching of the hosted-git-info package to version 3.0.8 or later, which contains fixed regular expression patterns that eliminate the catastrophic backtracking conditions. Organizations should also implement input validation and sanitization measures at the application level to filter out potentially malicious URLs before they reach the vulnerable parsing functions. Network-level protections such as rate limiting and URL filtering can provide additional defense-in-depth layers, while monitoring systems should be configured to detect unusual CPU usage patterns that may indicate exploitation attempts. Security teams should also consider implementing automated dependency scanning tools that can identify and alert on vulnerable package versions across their software supply chains, as this vulnerability can be exploited through indirect means such as compromised package repositories or malicious package installations.