
fix: Potential ReDoS Vulnerability or Inefficient Regular Expression in Project: Need for Assessment and Mitigation

Open mmmsssttt404 opened this issue 10 months ago • 1 comments

| Q             | A   |
| ------------- | --- |
| Bug fix?      | yes |
| New feature?  | no  |
| BC breaks?    | no  |
| Deprecations? | no  |
| Tests pass?   | yes |
| Fixed tickets |     |
| License       | MIT |
| Doc PR        | https://github.com/pm2-hive/pm2-hive.github.io/pulls |

Steps to reproduce

Hello,

I am writing to report a potential Regular Expression Denial of Service (ReDoS) vulnerability or Inefficient Regular Expression in the project. When specially crafted input strings are supplied in this context, it may lead to extremely high CPU usage, application freezing, or denial of service.

Location of Issue:

The vulnerability is related to a regular expression used in the following validation file, which may result in significantly prolonged execution times under certain conditions.

https://github.com/mmmsssttt404/pm2/blob/d0e7801184bcf98b7c93ffecc77c623df6ffa22f/lib/tools/Config.js#L204

PoC Files and Comparisons: gist: https://gist.github.com/mmmsssttt404/407e2ffe3e0eaa393ad923a86316a385

Time taken: [Screenshot 2025-04-01 142642]

Proposed Solution: Change the regular expression to

((?<![\w\-])([\w\-]+\="[^"]*")|(?<![\w\-])([\w\-]+\='[^']*')|"([^"]*)"|'([^']*)'|\s )

change:

[Screenshots 2025-04-01 142648, 2025-04-01 143941, 2025-04-01 144551]

Steps:

1. git clone https://github.com/mmmsssttt404/pm2.git
2. cd pm2
3. git checkout development
4. npm install
5. change regex
6. bash test/unit.sh

Thank you for your attention to this matter. Your evaluation and response to this potential security concern would be greatly appreciated.

Best regards,

Search keywords: ReDoS

mmmsssttt404 avatar Apr 01 '25 07:04 mmmsssttt404

CLA assistant check
All committers have signed the CLA.

CLAassistant avatar Apr 01 '25 07:04 CLAassistant

_valid is an internal method that is only called from Config.validateJSON, and the data that callers pass to Config.validateJSON is generated from configuration options the user supplied themselves. So by that logic, a user DDoSing themselves counts as a vulnerability?

Then could you write a Node.js script that executes arbitrary commands or runs an infinite loop, and file a bug with the Node.js project?

I looked at the PoCs in your gist; they are all of the same kind. Are you using this template to farm PRs on GitHub?

https://gist.github.com/mmmsssttt404

xqin avatar Jul 08 '25 11:07 xqin

This merge is causing issues: https://github.com/Unitech/pm2/issues/6031

KyorCode avatar Sep 02 '25 12:09 KyorCode

The new regular expression has problems: for the problem mentioned before, it cannot split the parameters correctly.


@Unitech Please revert this pull request.

xqin avatar Sep 02 '25 14:09 xqin

Sorry for the impact on the project. This was caused by an extra space that happened not to be covered by the tests; it is fixed in the new PR https://github.com/Unitech/pm2/pull/6032

mmmsssttt404 avatar Sep 03 '25 03:09 mmmsssttt404
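Added example, not pm2's code and not code from anyone in this thread: the replacement regex exactly as proposed in the PR body, next to the same pattern with the stray space after `\s` removed, which is what the "extra space" remark above describes (the actual #6032 change is not quoted on this page, so that corrected pattern is an assumption). `splitWithRegex` is an assumed, simplified driver that emits whatever the regex fails to match as a raw token; how pm2's Config.js really applies the regex, and the original regex itself, are not shown here. `tokenizeArgs` is a regex-free single-pass tokenizer for the same syntax (key="value", key='value', quoted strings, bare words), and `timeMatcher` is a small timing harness for checking that a candidate pattern's runtime stays roughly linear on a constructed input before it is shipped.

```javascript
// Added example, not pm2's code. POSTED_RE is the pattern as proposed in the
// PR body; the literal space after `\s` means its separator alternative only
// matches whitespace that is followed by a second space.
const POSTED_RE = /((?<![\w\-])([\w\-]+\="[^"]*")|(?<![\w\-])([\w\-]+\='[^']*')|"([^"]*)"|'([^']*)'|\s )/g;

// Assumed fix: the same pattern with the extra space removed. The actual
// change in pull/6032 is not quoted on this page.
const FIXED_RE = /((?<![\w\-])([\w\-]+\="[^"]*")|(?<![\w\-])([\w\-]+\='[^']*')|"([^"]*)"|'([^']*)'|\s)/g;

// Constructed sample input: a key=value with quoted spaces, a quoted word and a bare word.
const SAMPLE = '--name="my app" \'x y\' plain';

// Assumed driver (not pm2's): walk the matches, keep quoted / key=value
// tokens, drop whitespace matches, and emit any text the regex skipped as a
// raw token. With POSTED_RE the single spaces between arguments are never
// matched, so they leak into the output as stray tokens.
function splitWithRegex(input, re) {
  const tokens = [];
  let last = 0;
  re.lastIndex = 0;
  let m;
  while ((m = re.exec(input)) !== null) {
    if (m.index > last) tokens.push(input.slice(last, m.index)); // unmatched gap
    if (m[0].trim() !== '') tokens.push(m[0]);                   // real token
    last = m.index + m[0].length;
    if (m[0].length === 0) re.lastIndex++; // never loop on an empty match
  }
  if (last < input.length) tokens.push(input.slice(last));
  return tokens;
}

// Regex-free tokenizer for the same syntax. One forward pass, no
// backtracking: cost is linear in input length however the input is crafted.
// An unterminated quote runs to the end of the input.
const WS = /\s/;
function tokenizeArgs(input) {
  const tokens = [];
  const n = input.length;
  let i = 0;
  while (i < n) {
    if (WS.test(input[i])) { i++; continue; } // skip separators
    const start = i;
    while (i < n && !WS.test(input[i])) {
      const c = input[i];
      if (c === '"' || c === "'") {
        const close = input.indexOf(c, i + 1);   // jump over the quoted span
        i = close === -1 ? n : close + 1;
      } else {
        i++;
      }
    }
    tokens.push(input.slice(start, i));
  }
  return tokens;
}

// Timing harness: run a matcher on one input and report wall-clock ms and
// token count. Compare two or three input sizes; a pattern worth shipping
// grows roughly linearly, not by orders of magnitude.
function timeMatcher(fn, input) {
  const t0 = process.hrtime.bigint();
  const out = fn(input);
  const ms = Number(process.hrtime.bigint() - t0) / 1e6;
  return { ms, count: out.length };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('posted :', splitWithRegex(SAMPLE, POSTED_RE)); // stray ' ' and ' plain'
  console.log('fixed  :', splitWithRegex(SAMPLE, FIXED_RE));
  console.log('scanner:', tokenizeArgs(SAMPLE));
  for (const size of [10000, 20000, 40000]) {
    const big = 'key="v v" '.repeat(size); // constructed, non-adversarial input
    console.log(size, timeMatcher((s) => splitWithRegex(s, FIXED_RE), big), timeMatcher(tokenizeArgs, big));
  }
}
```

Running it shows the posted pattern yielding `' '` and `' plain'` as tokens while the corrected pattern and the hand-written scanner both return `--name="my app"`, `'x y'`, `plain`. The scanner is the safer default for untrusted strings: it cannot be driven into super-linear backtracking because it never re-examines a character.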


mmmsssttt404 avatar Sep 03 '25 03:09 mmmsssttt404

I added a test in https://github.com/mmmsssttt404/pm2/blob/master/test/programmatic/json_validation.mocha.js covering the problem from /issues/6031

mmmsssttt404 avatar Sep 03 '25 03:09 mmmsssttt404