
[GHSA-f522-ffg8-j8r6] Regular Expression Denial of Service in is-my-json-valid #4850


Conversation

matsumokei

Updates

  • Details
  • Affected version range
  • Fixed version

Comments

This GHSA-ID corresponds to NSWG-ECO-76.
When I compare it with NSWG-ECO-76, the details, affected version range, and fixed version appear to be incorrect.

@github-actions github-actions bot changed the base branch from main to matsumokei/advisory-improvement-4850 September 29, 2024 05:37
@darakian
Contributor

darakian commented Sep 30, 2024

Hi @matsumokei, thanks for the PR, but it looks to me like the fix got merged into the 2.17.2 tag.
mafintosh/is-my-json-valid@767c6c0
https://hackerone.com/reports/317548

I can't find anything for version 1.4.1 so perhaps that is incorrect, but where does 2.12.4 come from?

@matsumokei
Author

@darakian Thank you for your comment.

Where does 2.12.4 come from?

From the references of GHSA-f522-ffg8-j8r6, it corresponds to NSWG-ECO-76 and CVE-2016-2537.

When I look at
https://github.com/nodejs/security-wg/blob/26cf94dd6bd22393449e1fbf2dcf975fd71cb82c/vuln/npm/76.json#L16C3-L16C37 and https://nvd.nist.gov/vuln/detail/CVE-2016-2537, I can find the following descriptions.

NSWG-ECO-76

"vulnerable_versions": "<=2.12.3",
"patched_versions": ">=2.12.4",

and
CVE-2016-2537

The is-my-json-valid package before 2.12.4 for Node.js has an incorrect exports['utc-millisec'] regular expression, which allows remote attackers to cause a denial of service (blocked event loop) via a crafted string.

GHSA-4hpf-3wq7-5rpr VS GHSA-f522-ffg8-j8r6

The is-my-json-valid package also has GHSA-4hpf-3wq7-5rpr.
GHSA-4hpf-3wq7-5rpr and GHSA-f522-ffg8-j8r6 are similar, but they were reported at different times.
I'm confused because I can't tell the difference between GHSA-4hpf-3wq7-5rpr and GHSA-f522-ffg8-j8r6.

@darakian
Contributor

darakian commented Oct 1, 2024

This may have been one that we corrected based on the evidence at hand. I can see how the description would lead you to your conclusion, but looking at the actual code change and the tags associated I think the description might be a typo. Perhaps it might be worth raising this with the node security working group?

@matsumokei
Author

matsumokei commented Oct 2, 2024

I'll raise an issue with the node security working group.
When I have finished investigating the vulnerabilities of the is-my-json-valid and find something, I may send the PR.
I'll close the PR.
Thanks for discussing with me.

@matsumokei matsumokei closed this Oct 2, 2024
@matsumokei matsumokei deleted the matsumokei-GHSA-f522-ffg8-j8r6 branch October 2, 2024 05:10
@darakian
Contributor

darakian commented Oct 2, 2024

Happy to have the conversation and thank you again for the effort :)
I'll go ahead and update this advisory to drop the 1.4.1 version as a fix given the lack of evidence and extend the >= 2.0.0, < 2.17.2 range to < 2.17.2.

Let me know how your investigation goes and feel free to follow up in this thread if you feel like the results don't warrant a new PR. 👍
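The disagreement in this thread is between two vulnerable-version ranges for the same package: "<=2.12.3" (NSWG-ECO-76 / CVE-2016-2537) and "< 2.17.2" (the GHSA range as updated above). The following is an added example, not code from this thread or from the is-my-json-valid project: a small, dependency-free semver range checker that shows, for a constructed list of installed versions, which ones the two ranges classify differently. It assumes plain MAJOR.MINOR.PATCH versions with no pre-release tags (none of the ranges under discussion use them) and supports only the comparator forms that appear on this page.

```javascript
// Added example: minimal semver range evaluation to compare the two
// advisory ranges discussed in this thread. Not part of the advisory
// database tooling or the is-my-json-valid project.

// Parse "MAJOR.MINOR.PATCH" into three numbers. Pre-release tags and
// build metadata are deliberately unsupported (assumption: the ranges
// being compared never use them).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Returns -1, 0 or 1 when version a is lower than, equal to, or
// greater than version b.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// A range is a comma- or whitespace-separated list of comparators such
// as ">=2.0.0, <2.17.2" or "<=2.12.3"; every comparator must hold.
function satisfiesRange(version, range) {
  const comparators = range.split(/[,\s]+/).filter(Boolean);
  return comparators.every((c) => {
    const m = /^(>=|<=|>|<|=)?(\d+\.\d+\.\d+)$/.exec(c);
    if (!m) throw new Error(`unsupported comparator: ${c}`);
    const cmp = compareVersions(version, m[2]);
    switch (m[1] || '=') {
      case '>=': return cmp >= 0;
      case '<=': return cmp <= 0;
      case '>':  return cmp > 0;
      case '<':  return cmp < 0;
      default:   return cmp === 0;
    }
  });
}

// The two vulnerable ranges quoted in the thread.
const NSWG_VULNERABLE = '<=2.12.3';   // NSWG-ECO-76 / CVE-2016-2537
const GHSA_VULNERABLE = '<2.17.2';    // GHSA range after the update above

// For each installed version, report whether each source flags it.
function classifyVersions(versions) {
  return versions.map((v) => ({
    version: v,
    nswgVulnerable: satisfiesRange(v, NSWG_VULNERABLE),
    ghsaVulnerable: satisfiesRange(v, GHSA_VULNERABLE),
  }));
}

// Versions the two sources disagree about: patched per NSWG but still
// vulnerable per GHSA (2.12.4 up to, but not including, 2.17.2).
function disputedVersions(versions) {
  return classifyVersions(versions)
    .filter((r) => r.nswgVulnerable !== r.ghsaVulnerable)
    .map((r) => r.version);
}

// Constructed sample of installed versions (not from any real lockfile).
const SAMPLE_VERSIONS = [
  '1.4.1', '2.12.3', '2.12.4', '2.16.0', '2.17.1', '2.17.2', '2.20.0',
];

if (typeof require !== 'undefined' && require.main === module) {
  console.table(classifyVersions(SAMPLE_VERSIONS));
  console.log('disputed:', disputedVersions(SAMPLE_VERSIONS));
}
```

Run with `node` to print the table; the rows where the two columns differ are exactly the versions a scanner would report as safe under one source and vulnerable under the other, which is the practical consequence of the range discrepancy this thread is trying to resolve.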
