ReDoS the web • Blake Embrey

Submitted by
Style Pass
2024-09-09 19:30:08

Ten years ago I took over path-to-regexp with the release of v0.1.0, used in Express.js 4. Between then and now I've released 8 major versions adding, removing, and refining features. If I knew then what I know today, none of those 8 major versions would have been released. That's a story for another day.

This story begins with Express 5. As part of reviving Express we're conducting a security audit, and I woke up one day to the revelation that applications built on path-to-regexp (including Express.js, Next.js, and others) may contain vulnerable regular expressions. It has never been reported, but once you know, you know.

Any route using two or more parameters between slashes, where the second parameter is not preceded by / or ., is currently vulnerable to ReDoS. Express.js uses a vulnerable example in the routing guide: /flights/:from-:to. The design flaw has gone undetected all the way back to the initial commit. Let's look at the regular expression generated for this route:

This looks reasonable, but if you match against a path like '/flights/' + '-'.repeat(16_000) + '/x' it takes 300ms. Holy crap! This should take less than a millisecond. If we tweak it slightly, changing the second parameter from ([^\/]+?) to ([^\/-]+?), it takes just 0.07ms. What's gone wrong?
