Context
The IPv6 regex in src/middleware/redactor.ts:40 uses 12 top-level alternatives with {1,7} and {1,6} nested quantifiers — a classic alternation explosion pattern (similar to CVE-2023-46239 in is-ip).
Location: src/middleware/redactor.ts, line 40
Impact
A crafted input containing a long string of colons (e.g. "::::::::::::::::::::::::::::::::::::::::") can peg the event loop. The redactor runs on every request body, so an unauthenticated attacker can trigger this when HUSH_AUTH_TOKEN is unset.
Proposal
Replace with a length-bounded prefilter before applying the full regex, or use Node's built-in net.isIPv6() for validation after extracting candidates with a simple pattern.
Priority
High — pre-existing issue, not introduced by PR #23.
Context
The IPv6 regex in
src/middleware/redactor.ts:40uses 12 top-level alternatives with{1,7}and{1,6}nested quantifiers — a classic alternation explosion pattern (similar to CVE-2023-46239 inis-ip).Location:
src/middleware/redactor.ts, line 40Impact
A crafted input containing a long string of colons (e.g.
"::::::::::::::::::::::::::::::::::::::::") can peg the event loop. The redactor runs on every request body, so an unauthenticated attacker can trigger this whenHUSH_AUTH_TOKENis unset.Proposal
Replace with a length-bounded prefilter before applying the full regex, or use Node's built-in
net.isIPv6()for validation after extracting candidates with a simple pattern.Priority
High — pre-existing issue, not introduced by PR #23.