Vulnerable Regular Expression

[cristianstaicu]

The following regular expression used in unescapeHTML is vulnerable to ReDoS:

/\&([^;]+);/g

The slowdown is moderately low: for 50.000 characters around 2 seconds matching time. However, I would still suggest one of the following:

• remove the regex,
• anchor the regex,
• limit the number of characters that can be matched by the repetition,
• limit the input size.

If needed, I can provide an actual example showing the slowdown.

[simonstewart-bridgement]

Any movement on this?

[esamattis]

Maybe? #517

[esamattis]

Fix released in 3.3.5. Please reopen if still an issue.

[magesh0819]

Though the regex in question has been updated in unescapeHTML.js it is still present in underscore.string.js and underscore.string.min.js. Hence the 3.3.5 version in npm registry is still vulnerable to the Regular expression Denial of Service (ReDoS) attack.

I believe the dist was not recreated after the fix. Need to rebuild underscore.string.js and underscore.string.min.js and release new version to npm.

[PenguinOfWar]

This appears to still be an issue. NPM audit is showing a vulnerability for this package even when fully up to date with the latest version.

Am I missing something?

[esamattis]

We tried to fix this issue sometime ago. Really not sure what should be done more to solve it. PRs are very much welcome.

I'll re-open this issue to get more eyes on it.