<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Pretext - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/pretext/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Thu, 02 May 2024 17:21:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/pretext/feed.xml" rel="self" type="application/rss+xml"/><item><title>Algorithmic Complexity DoS in @chenglou/pretext</title><link>https://feed.craftedsignal.io/briefs/2024-05-pretext-dos/</link><pubDate>Thu, 02 May 2024 17:21:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-05-pretext-dos/</guid><description>A denial-of-service vulnerability exists in the `isRepeatedSingleCharRun()` function of the `@chenglou/pretext` npm package (versions 0.0.4 and earlier), which exhibits O(n²) algorithmic complexity when processing input consisting of repeated identical punctuation characters, leading to main thread blocking and DoS.</description><content:encoded><![CDATA[<p>The <code>@chenglou/pretext</code> npm package, version 0.0.4 and earlier, is vulnerable to a denial-of-service attack due to inefficient algorithmic complexity in the <code>isRepeatedSingleCharRun()</code> function. This function, located in <code>src/analysis.ts</code>, rescans the entire accumulated segment on every merge iteration during text analysis. This results in O(n²) total work for input consisting of repeated identical punctuation characters. An attacker who controls text passed to the <code>prepare()</code> function can exploit this vulnerability to block the main thread for a significant amount of time. For example, an 80KB input string consisting of repeated parenthesis characters (e.g., <code>&quot;(&quot;.repeat(80_000)</code>) can block the main thread for approximately 20 seconds on Node.js v24.12.0 running on Windows x64. This issue was identified in commit 9364741d3562fcc65aacc50953e867a5cb9fdb23 (v0.0.4).</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker crafts a text string containing a large number of repeated, identical punctuation characters such as <code>(</code>, <code>[</code>, <code>{</code>, <code>#</code>, <code>@</code>, <code>!</code>, <code>%</code>, <code>^</code>, <code>~</code>, <code>&lt;</code>, or <code>&gt;</code>.</li>
<li>The attacker submits the crafted text string to an application that uses the <code>@chenglou/pretext</code> library. The text could be sent as a message in a chat application, submitted in a comment form, or used in server-side rendering.</li>
<li>The application's code calls the <code>prepare()</code> function from the <code>@chenglou/pretext</code> library to perform layout measurement on the attacker-controlled text. This happens in <code>layout.ts</code> at line 472.</li>
<li>The <code>prepare()</code> function internally calls <code>prepareInternal()</code> in <code>layout.ts</code> (line 424), which then invokes <code>analyzeText()</code> at line 430.</li>
<li><code>analyzeText()</code> calls the <code>buildMergedSegmentation()</code> function (analysis.ts:1013 -&gt; analysis.ts:795) to process the text. This function uses <code>Intl.Segmenter</code> to break the text into segments.</li>
<li>For each segment identified by <code>Intl.Segmenter</code>, the <code>buildMergedSegmentation()</code> function iterates through the segments, checking if consecutive non-word-like segments consist of the same single character. When it finds matching segments, it merges them.</li>
<li>During the merge process, the <code>isRepeatedSingleCharRun()</code> function is called (analysis.ts:857 -&gt; analysis.ts:285) to verify that all characters in the accumulated segment match the character being merged.</li>
<li>The <code>isRepeatedSingleCharRun()</code> function iterates over the entire accumulated string (O(n) operation) for each merge, resulting in O(n²) complexity for large inputs. This causes the main thread to block. The final objective is to cause denial of service on the client or server processing the text.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>This vulnerability allows an attacker to cause a denial-of-service (DoS) condition.
Specifically, chat/messaging applications, comment/form systems, or server-side rendering processes that use <code>@chenglou/pretext</code> can be targeted. A single crafted message or input (e.g., 80KB of repeated parenthesis characters) can block the main thread for approximately 20 seconds. In server-side rendering scenarios (Node.js/Bun), a single malicious request can consume excessive CPU time (20+ seconds per 80KB of payload). This can lead to a complete outage of the affected service.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Limit the length of text passed to the <code>prepare()</code> function to mitigate the impact of this vulnerability before a patch is available.</li>
<li>Monitor CPU usage for processes utilizing the <code>@chenglou/pretext</code> library for unusually long execution times that could indicate exploitation of this vulnerability.</li>
<li>Deploy the Sigma rule that detects potential exploitation attempts based on excessive process execution time.</li>
<li>Upgrade to a patched version of <code>@chenglou/pretext</code> once it becomes available.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>denial-of-service</category><category>algorithmic-complexity</category><category>pretext</category></item></channel></rss>