Skip to content

fix: IPv6 regex ReDoS vulnerability — catastrophic backtracking on crafted input #28

Description

@byapparov

Context

The IPv6 regex in src/middleware/redactor.ts:40 uses 12 top-level alternatives with {1,7} and {1,6} nested quantifiers — a classic alternation explosion pattern (similar to CVE-2023-46239 in is-ip).

Location: src/middleware/redactor.ts, line 40

Impact

A crafted input containing a long string of colons (e.g. "::::::::::::::::::::::::::::::::::::::::") can peg the event loop. The redactor runs on every request body, so an unauthenticated attacker can trigger this when HUSH_AUTH_TOKEN is unset.

Proposal

Replace with a length-bounded prefilter before applying the full regex, or use Node's built-in net.isIPv6() for validation after extracting candidates with a simple pattern.

Priority

High — pre-existing issue, not introduced by PR #23.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions