Listen to this Post
How the CVE works (technical details):
The vulnerability exists in `isRepeatedSingleCharRun()` (analysis.ts line 285). When `buildMergedSegmentation()` processes text from `Intl.Segmenter` with granularity: 'word', consecutive non-word identical punctuation characters (e.g., (, [, !) are merged. Before each merge, the function scans the entire accumulated segment to verify all characters match the new character. For a string of N identical chars, the merge is attempted N times; on the k-th call the accumulated length is k, causing k comparisons. Total work = N(N+1)/2 = O(n²). An attacker supplies e.g., `'(‘.repeat(80000)` to prepare(). The main thread blocks for ~20 seconds (tested on Node.js v24.12.0, Windows x64, commit 9364741d). The call chain: `prepare()` → `prepareInternal()` → `analyzeText()` → `buildMergedSegmentation()` → isRepeatedSingleCharRun(). Every identical punctuation character (excluding `-` and em-dash) triggers the O(n²) behavior. No authentication or special encoding required – 80KB payload fits within typical input limits.
dailycve form:
Platform: pretext Node.js
Version: v0.0.4
Vulnerability: DoS repeated punctuation
Severity: medium
date: 2026-04-09
Prediction: Within two weeks
What Undercode Say:
Reproduce O(n²) blocking
node -e "const { prepare } = require('@chenglou/pretext'); const start = Date.now(); prepare('('.repeat(80000), '16px Arial'); console.log('Blocked ms:', Date.now() - start);"
// Vulnerable code snippet (analysis.ts:285-291)
function isRepeatedSingleCharRun(segment: string, ch: string): boolean {
for (const part of segment) if (part !== ch) return false;
return true;
}
Exploit:
Send HTTP POST with `text` field containing 80,000 repeated `(` characters to any endpoint that calls `prepare()` (chat message, comment form, SSR). Client/server freezes for ~20 seconds per request; multiple requests amplify CPU exhaustion.
Protection from this CVE:
- Cap text length passed to `prepare()` (e.g., 10KB max).
- Apply library fix: replace `isRepeatedSingleCharRun()` with O(1) endpoint check (
segment[bash] === ch && segment[segment.length-1] === ch) or track merge metadata boolean. - Use Web Workers to offload `prepare()` from main thread.
Impact:
UI thread freeze in chat/messaging apps; server-side CPU exhaustion via single unauthenticated 80KB request; denial of service for any application using pretext for text measurement.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

