Nexus Intelligence Insights: xlsx aka SheetJS – Regular Expression Denial of Service (ReDoS) and sonatype-2018-0622

For this month’s Nexus Intelligence Insights, we explore an interesting case of a ReDoS vulnerability affecting the popular npm component SheetJS, also known as “xlsx”. It may pique your interest to learn that this vulnerability was previously thought to have been remedied by a fix. Adam Cazzolla of Sonatype Security Research later discovered that the fix did not cover all malicious cases.

Cases like this ReDoS discovery illustrate how interaction with the open source community helps keep components and software supply chains secure. Our Security Research team goes the extra mile to discover novel vulnerabilities, and identify those arising from insufficient fixes, with help from the community. When we do come across cases like this one, we follow responsible disclosure best practices and coordinate with the vendor to help remediate the vulnerability, and safeguard the open source community. 

It is worth commending the pace and professionalism at which the devs behind SheetJS worked during this responsible disclosure process. As soon as Sonatype notified them of the unpatched regular expression (regex) lurking in the app, the devs acknowledged the report within an hour of our email. Their engagement led to the vulnerability’s rapid resolution.

ReDoS vulnerabilities commonly occur when the regex used to evaluate a string does not account for the many paths a regex engine may have to explore during its evaluation, leading to catastrophic backtracking. In such an event, the matching engine consumes a large amount of CPU and/or memory. If a skilled attacker crafts a malicious input, a DoS condition occurs on the target host, all because a single string-matching operation takes up most of the available resources.
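The catastrophic backtracking described above, as an added example in Node.js that is not from the original post and does not use the SheetJS regex: a constructed nested-quantifier pattern is timed against its linear rewrite, with a growth-factor heuristic a reviewer can apply to any candidate regex and a length cap as a pattern-independent mitigation.

```javascript
// Use the high-resolution timer (global in Node >= 16, perf_hooks before that).
const perf = globalThis.performance || require('perf_hooks').performance;

// Constructed vulnerable pattern (not the SheetJS regex): the nested
// quantifiers let the engine split a run of 'a's between the inner and
// outer group in exponentially many ways before the final '$' fails.
const VULNERABLE = /^(a+)+$/;

// Same accepted language without the nested quantifier: only one way to
// consume the input, so rejection takes linear time.
const HARDENED = /^a+$/;

// Time how long `pattern` takes to reject a constructed input of n 'a's
// followed by '!', which defeats the anchor and forces backtracking.
function rejectTimeMs(pattern, n) {
  const input = 'a'.repeat(n) + '!';
  const start = perf.now();
  const matched = pattern.test(input);
  const elapsed = perf.now() - start;
  return { matched, elapsed: Math.max(elapsed, 0.001) }; // avoid divide-by-zero
}

// Review heuristic: if doubling the input multiplies rejection time by far
// more than two, the pattern backtracks superlinearly and is a ReDoS candidate.
function growthFactor(pattern, small, large) {
  const s = rejectTimeMs(pattern, small).elapsed;
  const l = rejectTimeMs(pattern, large).elapsed;
  return l / s;
}

function looksSuperlinear(pattern, small = 10, large = 20) {
  return growthFactor(pattern, small, large) > 20;
}

// Mitigation independent of the pattern: cap input length before matching so
// the worst case stays bounded even if the regex is later found to backtrack.
function safeTest(pattern, input, maxLen = 256) {
  if (typeof input !== 'string' || input.length > maxLen) return false;
  return pattern.test(input);
}
```

Running `looksSuperlinear(VULNERABLE)` reports true while the hardened pattern rejects a 100,000-character input in well under a millisecond; the 20-character cap on the vulnerable run is deliberate, since each extra 'a' roughly doubles the time.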

Name/Vulnerability Identifier: sonatype-2018-0622
Type of Vulnerability: Regular expression Denial of Service (ReDoS)

Components Affected:
npm: `xlsx` : [0.7.12, 0.16.0)
Maven Central: (Read more...)

This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Akshay 'Ax' Sharma. Read the original post at: https://blog.sonatype.com/nexus-intelligence-insights-sonatype-2018-0622-xlsx-sheetjs-regular-expression-denial-of-service