Babel, Regular Expression Named Capturing Groups Vulnerability, CVE-2024-XXXX (Critical)

How the CVE Works:

This vulnerability arises in Babel when compiling regular expressions with named capturing groups. Babel generates a polyfill for the `.replace` method, which exhibits quadratic complexity when processing specific replacement pattern strings (the second argument passed to `.replace`). The vulnerability is triggered under the following conditions:
1. Babel is used to compile regular expressions with named capturing groups.
2. The `.replace` method is applied to a regular expression containing named capturing groups.
3. Untrusted strings are passed as the second argument to `.replace`.

The issue is exacerbated when using `@babel/preset-env` with the `targets` option, as the vulnerable transform is automatically enabled for older browser targets. This can lead to severe performance degradation or denial of service (DoS) if exploited.

DailyCVE Form:

Platform: Babel
Version: <7.26.10, <8.0.0-alpha.17
Vulnerability: Quadratic Complexity
Severity: Critical
Date: 2024-XX-XX

What Undercode Say:

Exploitation:

1. Exploit Scenario: An attacker crafts a malicious string containing the pattern `$<` followed by arbitrary characters, which is passed as the second argument to `.replace` in a vulnerable Babel-compiled application.
2. Impact: Resource consumption grows quadratically with the length of the replacement string, leading to a DoS condition.

3. Proof of Concept (PoC):

const regex = /(?<group>.)/;
const maliciousInput = "$<group>".repeat(1000000);
"input".replace(regex, maliciousInput); // Triggers quadratic complexity

Mitigation:

1. Upgrade Dependencies:

npm install @babel/helpers@7.26.10
npm install @babel/runtime@7.26.10

2. Recompile Code:

After upgrading, recompile all Babel-transpiled code to ensure the fix is applied.

3. Input Validation:

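Validate user-provided strings to ensure they do not contain the substring `$<` unless it is followed by `>`.

function validateInput(input) {
  // Reject when the last "$<" has no ">" anywhere after it; a ">" that
  // appears only before "$<" does not close the group reference.
  const start = input.lastIndexOf("$<");
  if (start !== -1 && input.indexOf(">", start + 2) === -1) {
    throw new Error("Invalid input: potential exploit detected");
  }
}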

Detection:

1. Debug Transforms:

Enable the `debug` option in `@babel/preset-env` to verify which transforms are being applied.

{
  "presets": [
    ["@babel/preset-env", { "debug": true }]
  ]
}

Additional Commands:

1. Check Installed Versions:

npm list @babel/helpers @babel/runtime

2. Force Rebuild:

rm -rf node_modules && npm install
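
To check a lockfile rather than the installed tree, the following added example (not from the Babel project or the original write-up) scans the `packages` map of an npm `package-lock.json` for `@babel/helpers` and `@babel/runtime` entries that fall in the affected ranges given in the DailyCVE Form. The sample lockfile, the dependency names in it and all function names are constructed for illustration.

```javascript
// Added example: names, sample data and structure are constructed for illustration.
const PACKAGES = ["@babel/helpers", "@babel/runtime"];

// Parse "7.26.9" or "8.0.0-alpha.16"; anything else returns null.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-alpha\.(\d+))?$/.exec(v);
  if (!m) return null;
  return { core: [+m[1], +m[2], +m[3]], alpha: m[4] === undefined ? null : +m[4] };
}

// Compare two [major, minor, patch] triples: -1, 0 or 1.
function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Classify against the page's ranges: <7.26.10 and <8.0.0-alpha.17.
function classify(version) {
  const p = parseVersion(version);
  if (!p) return "unknown"; // e.g. other prerelease tags: review by hand
  if (p.core[0] < 8) return cmp(p.core, [7, 26, 10]) < 0 ? "affected" : "fixed";
  if (cmp(p.core, [8, 0, 0]) === 0 && p.alpha !== null) return p.alpha < 17 ? "affected" : "fixed";
  return "fixed";
}

// Walk the "packages" map of a parsed package-lock.json (lockfileVersion 2 or 3).
function findAffected(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const i = path.lastIndexOf("node_modules/");
    if (i === -1 || !PACKAGES.includes(path.slice(i + 13))) continue;
    const status = classify(String(meta.version));
    if (status !== "fixed") hits.push({ path, version: meta.version, status });
  }
  return hits;
}

// Constructed sample lockfile, including nested copies pulled in by dependencies.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/@babel/helpers": { version: "7.26.9" },
    "node_modules/@babel/runtime": { version: "7.26.10" },
    "node_modules/legacy-lib/node_modules/@babel/runtime": { version: "7.12.5" },
    "node_modules/next-lib/node_modules/@babel/helpers": { version: "8.0.0-alpha.16" },
  },
};
console.log(findAffected(sampleLock));
```

To run it against a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `findAffected`; nested copies matter because upgrading the top-level package does not update versions pinned under another dependency.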

By following these steps, developers can mitigate the risk of this critical vulnerability and ensure their applications remain secure.

References:

Reported By: https://github.com/advisories/GHSA-968p-4wvh-cqc8