CVE-2026-45822 in decode-uri-component

Summary

by MITRE • 06/30/2026

decode-uri-component through 0.4.1 is vulnerable to denial of service. The decode() function splits input on '%' producing N tokens and calls decodeComponents(), exhibiting super-linear parsing time: 200 '%ab' tokens takes approximately 0.7s, 700 tokens approximately 6s, and 1400 tokens approximately 33s. An attacker can cause significant CPU consumption and event-loop blocking via crafted input.


Analysis

by VulDB Data Team • 06/30/2026

This vulnerability resides in decode-uri-component version 0.4.1 and earlier. It is a classic denial of service condition caused by an inefficient string parsing algorithm. The flaw manifests when the decode() function processes input containing many percent-encoded characters: the input is split on the '%' delimiter, and the cost of handling the resulting tokens grows super-linearly with their number. Parsing time therefore increases far faster than input size, well beyond what a reasonable implementation should require. When an attacker crafts input containing numerous '%ab' sequences, the library exhibits a clear performance degradation pattern that demonstrates the vulnerability's severity.

Technically, decodeComponents() is invoked for the tokens produced by the '%' split, and the work repeats across tokens so that the total number of operations grows faster than linearly with input size, making the library susceptible to resource exhaustion. The reported timings (0.7 seconds for 200 tokens, about 6 seconds for 700, about 33 seconds for 1400) indicate quadratic or worse behaviour: a 7x increase in token count produces a roughly 47x increase in time. Because Node.js runs JavaScript on a single event loop, this directly impacts event-loop responsiveness and can render an application completely unresponsive.

The operational impact extends beyond simple resource exhaustion to the availability of the whole application. When exploited through crafted input, the library consumes significant CPU and blocks the event loop for extended periods, so no other request is serviced while the parsing runs. Legitimate users then experience service degradation or complete unavailability of any functionality that relies on URI component decoding. Any system that uses this library on user-provided URI data is affected, including web applications, API gateways, and server-side processing systems where URI handling is common. Security practitioners should treat this as a denial of service vector that can be amplified through multiple concurrent requests or combined with other resource exhaustion techniques.

Mitigation should combine input validation and rate limiting with a library update that addresses the underlying parsing algorithm. Organizations should upgrade to a version of decode-uri-component that contains a fixed implementation, typically one that uses a more efficient parsing algorithm or enforces proper input size limits. A correct fix bounds the complexity of the decode operation so that processing time cannot grow super-linearly regardless of input characteristics. Additionally, request throttling and maximum input size restrictions in front-end proxies or application firewalls provide defence in depth against such attacks. This vulnerability aligns with CWE-400 (Uncontrolled Resource Consumption), which covers denial of service through resource exhaustion. From an ATT&CK framework perspective it maps to T1499.004 (Endpoint Denial of Service: Application or System Exploitation), a technique that can be combined with other attack patterns to build more sophisticated denial of service scenarios, particularly in web application environments where URI parsing is common.
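To illustrate both halves of that mitigation, here is an added example (not decode-uri-component's own code, and not the project's fix): a single-pass percent decoder whose cost is linear in the input length, and a guard that bounds input length and '%' token count before any decoder, patched or not, sees the data. The limit values and the hostileInput sample are constructed for the example; the guard uses the built-in Buffer for UTF-8 decoding, which replaces invalid byte sequences with U+FFFD rather than preserving them as the library does.

```javascript
// Decode percent-encoded input in one pass. Valid %XX pairs are gathered
// into a byte buffer and decoded as UTF-8; a '%' not followed by two hex
// digits is kept literally. Cost is O(n): no split on '%', no re-scanning.
function linearDecode(input) {
  const out = [];
  const bytes = [];
  const flush = () => {
    if (bytes.length > 0) {
      // Invalid UTF-8 becomes U+FFFD here (Buffer semantics), unlike the library.
      out.push(Buffer.from(bytes).toString('utf8'));
      bytes.length = 0;
    }
  };
  for (let i = 0; i < input.length; i++) {
    const pair = input.slice(i + 1, i + 3);
    if (input[i] === '%' && /^[0-9a-fA-F]{2}$/.test(pair)) {
      bytes.push(parseInt(pair, 16));
      i += 2; // skip the two hex digits just consumed
    } else {
      flush();
      out.push(input[i]);
    }
  }
  flush();
  return out.join('');
}

// Defence in depth for any decoder, including an unpatched library: reject
// input that exceeds a length budget or carries more '%' tokens than the
// application needs, before the decoder runs. Default limits are hypothetical.
function guardedDecode(input, decoder = linearDecode,
                       { maxLength = 2048, maxPercent = 256 } = {}) {
  if (typeof input !== 'string') throw new TypeError('expected a string');
  if (input.length > maxLength) {
    throw new RangeError(`input length ${input.length} exceeds ${maxLength}`);
  }
  let percent = 0;
  for (const ch of input) {
    if (ch === '%' && ++percent > maxPercent) {
      throw new RangeError(`more than ${maxPercent} '%' tokens in input`);
    }
  }
  return decoder(input);
}

// Constructed sample: the 1400-token '%ab' payload cited in the advisory.
const hostileInput = '%ab'.repeat(1400);
console.log(guardedDecode('a%20b')); // prints "a b"
```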

Responsible: Seal

Reservation: 05/13/2026

Disclosure: 06/30/2026

Moderation: accepted

CPE: ready

EPSS: 0.00000

KEV: no

Activities: very low
