CVE-2021-27405

7.5 HIGH

📋 TL;DR

A ReDoS (Regular Expression Denial of Service) vulnerability exists in the @progfay/scrapbox-parser package for Node.js, allowing attackers to cause denial of service by sending specially crafted input that triggers inefficient regular expression processing. This affects any Node.js application using vulnerable versions of this package to parse Scrapbox content.

💻 Affected Systems

Products:
  • @progfay/scrapbox-parser
Versions: All versions before 6.0.3
Operating Systems: Any OS running Node.js
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications that use the vulnerable package to parse untrusted input.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete service unavailability due to CPU exhaustion from processing malicious input, potentially leading to extended downtime.

🟠 Likely Case: Degraded performance or temporary service disruption when processing malicious user input containing specific patterns.

🟢 If Mitigated: Minimal impact with proper input validation, rate limiting, and updated package versions.

🌐 Internet-Facing: HIGH - Any web service using this package to parse user-supplied content is vulnerable to DoS attacks.
🏢 Internal Only: MEDIUM - Internal services could be affected by malicious internal users or compromised accounts.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

ReDoS vulnerabilities are typically easy to exploit with crafted input patterns. Public pull requests demonstrate the vulnerable patterns.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.0.3 and later

Vendor Advisory: https://github.com/progfay/scrapbox-parser/pull/519

Restart Required: Yes

Instructions:

1. Update package.json to specify @progfay/scrapbox-parser version 6.0.3 or higher.
2. Run 'npm update @progfay/scrapbox-parser' or 'yarn upgrade @progfay/scrapbox-parser'.
3. Restart your Node.js application.

🔧 Temporary Workarounds

Input validation and sanitization (applies to: all versions)

Implement strict input validation to reject or sanitize patterns that could trigger ReDoS before passing input to the parser.

Rate limiting (applies to: all versions)

Implement rate limiting on endpoints that use the parser to prevent repeated exploitation attempts.

🧯 If You Can't Patch

  • Implement WAF rules to block patterns known to trigger ReDoS in this parser
  • Monitor CPU usage and implement automatic throttling or blocking of suspicious requests

🔍 How to Verify

Check if Vulnerable:

Check package.json or run 'npm list @progfay/scrapbox-parser' to see if version is below 6.0.3.

Check Version:

npm list @progfay/scrapbox-parser | grep scrapbox-parser

Verify Fix Applied:

After updating, verify the installed version is 6.0.3 or higher using 'npm list @progfay/scrapbox-parser'.
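The version check can be automated across a whole dependency tree, since a vulnerable copy may be pulled in transitively and not show up in your own package.json. The script below is an added example (not from the advisory or the scrapbox-parser project): it walks the JSON that `npm ls --all --json` prints and flags every copy of @progfay/scrapbox-parser older than the fixed release 6.0.3. The dependency tree embedded in it is a constructed sample.

```javascript
// Added example: flag vulnerable copies of @progfay/scrapbox-parser in an
// `npm ls --all --json` dependency tree. Fixed version taken from the advisory.
const PACKAGE = '@progfay/scrapbox-parser';
const FIXED_VERSION = '6.0.3';

// Compare two dotted numeric versions ("6.0.2" vs "6.0.3"); returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// True when `version` predates the fix. A pre-release of the fix version
// itself (e.g. "6.0.3-rc.1") sorts before the release, so it is flagged too.
function isVulnerableVersion(version) {
  const [core, pre] = version.split('+')[0].split('-');
  const cmp = compareVersions(core, FIXED_VERSION);
  return cmp < 0 || (cmp === 0 && pre !== undefined);
}

// Recursively collect the dependency path of every vulnerable copy.
function findVulnerable(tree, path = []) {
  const hits = [];
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const here = [...path, `${name}@${node.version}`];
    if (name === PACKAGE && node.version && isVulnerableVersion(node.version)) {
      hits.push(here.join(' > '));
    }
    hits.push(...findVulnerable(node, here));
  }
  return hits;
}

// Constructed sample of `npm ls --all --json` output (not a real project):
// one vulnerable direct copy and one patched copy nested under a dependency.
const sampleTree = {
  name: 'example-app',
  version: '1.0.0',
  dependencies: {
    '@progfay/scrapbox-parser': { version: '6.0.2' },
    'some-wiki-lib': {
      version: '2.1.0',
      dependencies: { '@progfay/scrapbox-parser': { version: '6.0.3' } },
    },
  },
};

const hits = findVulnerable(sampleTree);
console.log(hits.length ? hits.join('\n') : 'no vulnerable copies found');
```

To check a real project, replace `sampleTree` with the parsed output of `npm ls --all --json` run in the project root.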

📡 Detection & Monitoring

Log Indicators:

  • Unusually high CPU usage spikes
  • Request timeouts on parsing endpoints
  • Multiple failed parsing attempts

Network Indicators:

  • Repeated requests with similar payload patterns
  • Unusually large input payloads to parsing endpoints

SIEM Query:

source="application.logs" AND (message="CPU spike" OR message="parse timeout") AND process="node"
