{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/chenglou/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["pretext"],"_cs_severities":["high"],"_cs_tags":["denial-of-service","algorithmic-complexity","pretext"],"_cs_type":"advisory","_cs_vendors":["chenglou"],"content_html":"\u003cp\u003eThe \u003ccode\u003e@chenglou/pretext\u003c/code\u003e npm package, version 0.0.4 and earlier, is vulnerable to a denial-of-service attack due to inefficient algorithmic complexity in the \u003ccode\u003eisRepeatedSingleCharRun()\u003c/code\u003e function. This function, located in \u003ccode\u003esrc/analysis.ts\u003c/code\u003e, rescans the entire accumulated segment on every merge iteration during text analysis. This results in O(n²) total work for input consisting of repeated identical punctuation characters. An attacker who controls text passed to the \u003ccode\u003eprepare()\u003c/code\u003e function can exploit this vulnerability to block the main thread for a significant amount of time. For example, an 80KB input string consisting of repeated parenthesis characters (e.g., \u003ccode\u003e\u0026quot;(\u0026quot;.repeat(80_000)\u003c/code\u003e) can block the main thread for approximately 20 seconds on Node.js v24.12.0 running on Windows x64. This issue was identified in commit 9364741d3562fcc65aacc50953e867a5cb9fdb23 (v0.0.4).\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a text string containing a large number of repeated, identical punctuation characters such as \u003ccode\u003e(\u003c/code\u003e, \u003ccode\u003e[\u003c/code\u003e, \u003ccode\u003e{\u003c/code\u003e, \u003ccode\u003e#\u003c/code\u003e, \u003ccode\u003e@\u003c/code\u003e, \u003ccode\u003e!\u003c/code\u003e, \u003ccode\u003e%\u003c/code\u003e, \u003ccode\u003e^\u003c/code\u003e, \u003ccode\u003e~\u003c/code\u003e, \u003ccode\u003e\u0026lt;\u003c/code\u003e, or \u003ccode\u003e\u0026gt;\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker submits the crafted text string to an application that uses the \u003ccode\u003e@chenglou/pretext\u003c/code\u003e library. The text could be sent as a message in a chat application, submitted in a comment form, or used in server-side rendering.\u003c/li\u003e\n\u003cli\u003eThe application's code calls the \u003ccode\u003eprepare()\u003c/code\u003e function from the \u003ccode\u003e@chenglou/pretext\u003c/code\u003e library to perform layout measurement on the attacker-controlled text. This happens in \u003ccode\u003elayout.ts\u003c/code\u003e at line 472.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eprepare()\u003c/code\u003e function internally calls \u003ccode\u003eprepareInternal()\u003c/code\u003e in \u003ccode\u003elayout.ts\u003c/code\u003e (line 424), which then invokes \u003ccode\u003eanalyzeText()\u003c/code\u003e at line 430.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eanalyzeText()\u003c/code\u003e calls the \u003ccode\u003ebuildMergedSegmentation()\u003c/code\u003e function (analysis.ts:1013 -\u0026gt; analysis.ts:795) to process the text. This function uses \u003ccode\u003eIntl.Segmenter\u003c/code\u003e to break the text into segments.\u003c/li\u003e\n\u003cli\u003eFor each segment identified by \u003ccode\u003eIntl.Segmenter\u003c/code\u003e, the \u003ccode\u003ebuildMergedSegmentation()\u003c/code\u003e function iterates through the segments, checking if consecutive non-word-like segments consist of the same single character. When it finds matching segments, it merges them.\u003c/li\u003e\n\u003cli\u003eDuring the merge process, the \u003ccode\u003eisRepeatedSingleCharRun()\u003c/code\u003e function is called (analysis.ts:857 -\u0026gt; analysis.ts:285) to verify that all characters in the accumulated segment match the character being merged.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eisRepeatedSingleCharRun()\u003c/code\u003e function iterates over the entire accumulated string (O(n) operation) for each merge, resulting in O(n²) complexity for large inputs. This causes the main thread to block. The final objective is to cause denial of service on the client or server processing the text.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability allows an attacker to cause a denial-of-service (DoS) condition.\nSpecifically, chat/messaging applications, comment/form systems, or server-side rendering processes that use \u003ccode\u003e@chenglou/pretext\u003c/code\u003e can be targeted. A single crafted message or input (e.g., 80KB of repeated parenthesis characters) can block the main thread for approximately 20 seconds. In server-side rendering scenarios (Node.js/Bun), a single malicious request can consume excessive CPU time (20+ seconds per 80KB of payload). This can lead to a complete outage of the affected service.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eLimit the length of text passed to the \u003ccode\u003eprepare()\u003c/code\u003e function to mitigate the impact of this vulnerability before a patch is available.\u003c/li\u003e\n\u003cli\u003eMonitor CPU usage for processes utilizing the \u003ccode\u003e@chenglou/pretext\u003c/code\u003e library for unusually long execution times that could indicate exploitation of this vulnerability.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule that detects potential exploitation attempts based on excessive process execution time.\u003c/li\u003e\n\u003cli\u003eUpgrade to a patched version of \u003ccode\u003e@chenglou/pretext\u003c/code\u003e once it becomes available.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-05-02T17:21:00Z","date_published":"2024-05-02T17:21:00Z","id":"https://feed.craftedsignal.io/briefs/2024-05-pretext-dos/","summary":"A denial-of-service vulnerability exists in the `isRepeatedSingleCharRun()` function of the `@chenglou/pretext` npm package (versions 0.0.4 and earlier), which exhibits O(n²) algorithmic complexity when processing input consisting of repeated identical punctuation characters, leading to main thread blocking and DoS.","title":"Algorithmic Complexity DoS in @chenglou/pretext","url":"https://feed.craftedsignal.io/briefs/2024-05-pretext-dos/"}],"language":"en","title":"CraftedSignal Threat Feed - Chenglou","version":"https://jsonfeed.org/version/1.1"}