High

lunary

Regular Expression Denial of Service in Text Processing Library

A Regular Expression Denial of Service (ReDoS) vulnerability was identified in the lunary-ai/lunary library, specifically version 1.2.10. By crafting malicious regular expressions, an attacker can cause the application to become unresponsive or crash. This issue was not explicitly mentioned as patched in the provided data, suggesting the need for users to verify the latest versions for a fix.

Available publicly on Jun 01 2024

7.5

CVSS:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Credit:

mvlttt
Threat Overview

The vulnerability arises from the way the application handles user-supplied regular expressions for text processing. When an attacker submits a specially crafted regular expression, such as '(a+)+b', the application's regular expression engine consumes excessive resources trying to match this pattern, leading to a Denial of Service (DoS) condition. This is particularly problematic in applications that rely on real-time processing or have limited computational resources.

Attack Scenario

An attacker crafts a JSON payload containing a malicious regular expression and sends it to the application's text processing endpoint via a POST request. The application attempts to process the regular expression, leading to excessive resource consumption and ultimately causing the application to crash or become unresponsive.

Who is affected

Any users or systems that rely on the lunary-ai/lunary library version 1.2.10 for processing text with custom regular expressions are vulnerable to this attack. This includes web applications, data processing services, and any other software that utilizes this library for text analysis or manipulation.

Technical Report
Want more out of Sightline?

Sightline offers even more for premium customers

Go Premium

We have - related security advisories that are available with Sightline Premium.