How the CVE Works
The vulnerability in @vue/cli-plugin-pwa (up to v5.0.8) stems from inefficient regex handling in HtmlPwaPlugin.js. Attackers can craft malicious Markdown content containing nested or exponential regex patterns, causing catastrophic backtracking. When processed by the plugin during PWA manifest generation, this triggers excessive CPU consumption, leading to Denial of Service (DoS). Remote exploitation is possible if user-controlled input reaches the vulnerable regex without proper validation.
DailyCVE Form
Platform: Vue.js CLI
Version: ≤5.0.8
Vulnerability: ReDoS
Severity: Moderate
Date: 2025-06-09
Prediction: Patch by 2025-07-15
What Undercode Say:
Analytics
- Impact Score: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
- Exploitability: Low (requires specific Markdown input)
- Affected Systems: Projects using `@vue/cli-plugin-pwa` for PWA generation.
Exploitation
```javascript
// PoC - Malicious Markdown triggering ReDoS
const payload = '<a href="<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<">a</a>';
// Processed by HtmlPwaPlugin.js regex during manifest generation
```
Mitigation
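1. Immediate Workaround:
```bash
# --force allows semver-major upgrades; review the lockfile diff afterwards
npm audit fix --force
```
2. Manual Patch: Replace vulnerable regex in `HtmlPwaPlugin.js` with:
```javascript
const safeRegex = /\[([^\]]+)\]\(([^)]+)\)/; // Linear-time pattern
```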
Detection
```bash
# Check installed version
npm list @vue/cli-plugin-pwa
# Vulnerable if the reported version is ≤5.0.8
```
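The same version check can be run against a committed lockfile, which also catches copies nested under other packages. This is an added example, not code from the advisory or from Vue CLI; the lockfile contents and the names `demo-app`, `legacy-kit` and `other-kit` are constructed, and `5.0.9` stands in for a hypothetical later release.

```javascript
// Affected range as stated on this page: @vue/cli-plugin-pwa <= 5.0.8.
const PACKAGE = '@vue/cli-plugin-pwa';
const LAST_AFFECTED = [5, 0, 8];

// Numeric core of a semver string: "5.0.8-beta.1" -> [5, 0, 8].
function coreVersion(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(version));
  return m ? m.slice(1).map(Number) : null;
}

// True when version <= 5.0.8. Pre-releases of 5.0.8 sort below it, so
// comparing the numeric core is sufficient for an upper bound.
function isAffected(version) {
  const v = coreVersion(version);
  if (!v) return true; // unparseable (e.g. git dependency): flag for review
  for (let i = 0; i < 3; i++) {
    if (v[i] !== LAST_AFFECTED[i]) return v[i] < LAST_AFFECTED[i];
  }
  return true; // exactly 5.0.8
}

// Walk the "packages" map of a lockfileVersion 2/3 package-lock.json and
// return every installed copy in the affected range, nested copies included.
function findAffected(lockfile) {
  const suffix = 'node_modules/' + PACKAGE;
  const hits = [];
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    if (path !== suffix && !path.endsWith('/' + suffix)) continue;
    if (isAffected(meta.version)) hits.push({ path, version: meta.version });
  }
  return hits;
}

// Constructed sample lockfile; package names other than the @vue ones and
// the version 5.0.9 are hypothetical.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/@vue/cli-plugin-pwa': { version: '5.0.8', dev: true },
    'node_modules/@vue/cli-plugin-babel': { version: '5.0.8', dev: true },
    'node_modules/legacy-kit/node_modules/@vue/cli-plugin-pwa': { version: '4.5.19' },
    'node_modules/other-kit/node_modules/@vue/cli-plugin-pwa': { version: '5.0.9' },
  },
};

for (const { path, version } of findAffected(SAMPLE_LOCK)) {
  console.log(`${path}@${version} is in the affected range (<= 5.0.8)`);
}
```

To use it on a real project, pass the parsed contents of `package-lock.json` to `findAffected` in place of `SAMPLE_LOCK`.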
Protection
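```nginx
# Rate-limit Markdown processing (NGINX)
http {
    limit_req_zone $binary_remote_addr zone=md_limit:10m rate=5r/s;
    # The zone only takes effect once a server or location block that
    # accepts Markdown references it with: limit_req zone=md_limit;
}
```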
Monitoring
```bash
# Log CPU spikes during PWA builds
grep -i "cpu overload" /var/log/vue-cli.log
```
Patch Verification
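```javascript
// Post-update test
const assert = require('assert');
// Benign Markdown link, the form safeRegex (from the manual patch step) matches
const testInput = '[a](b)';
assert.match(testInput, safeRegex); // No backtracking
```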
Sources:
Reported By: github.com