CVE-2021-33623

7.5 HIGH

📋 TL;DR

This vulnerability in the trim-newlines Node.js package allows attackers to cause a denial-of-service (DoS) condition through a regular expression denial-of-service (ReDoS) attack in the .end() method. It affects applications using vulnerable versions of trim-newlines, potentially causing CPU exhaustion and service unavailability. The impact is limited to availability rather than data compromise.

💻 Affected Systems

Products:
  • trim-newlines Node.js package
Versions: All versions before 3.0.1 and 4.x before 4.0.1
Operating Systems: All operating systems running Node.js
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications that use the vulnerable .end() method with untrusted input.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete service unavailability due to CPU exhaustion, potentially affecting all users of the application until the process is restarted.

🟠 Likely Case: Degraded performance or temporary service disruption for specific endpoints processing malicious input.

🟢 If Mitigated: Minimal impact with proper input validation and rate limiting in place.

🌐 Internet-Facing: MEDIUM - Exploitable via user input to internet-facing applications, but requires specific conditions.
🏢 Internal Only: LOW - Less likely to be exploited internally unless by malicious insiders.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

ReDoS attacks are well-understood and can be easily crafted with malicious input strings.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.0.1 or 4.0.1

Vendor Advisory: https://github.com/sindresorhus/trim-newlines/releases/tag/v4.0.1

Restart Required: Yes

Instructions:

1. Update package.json to use trim-newlines >=3.0.1 or >=4.0.1.
2. Run 'npm update trim-newlines' or 'yarn upgrade trim-newlines'.
3. Restart your Node.js application.

🔧 Temporary Workarounds

Input validation and sanitization (applies to: all)

Implement strict input validation to reject or sanitize strings that could trigger ReDoS patterns.

Rate limiting and timeout controls (applies to: all)

Implement request rate limiting and execution timeouts to prevent DoS conditions.

🧯 If You Can't Patch

  • Implement strict input validation to reject suspicious patterns in user input
  • Deploy WAF rules to block requests with ReDoS patterns

🔍 How to Verify

Check if Vulnerable:

Check package.json or run 'npm list trim-newlines' to see the installed version.

Check Version:

npm list trim-newlines | grep trim-newlines

Verify Fix Applied:

Verify installed version is >=3.0.1 or >=4.0.1 using 'npm list trim-newlines'.
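As an added example (not from this advisory or the trim-newlines project), the following Node.js snippet applies the affected ranges above to the text output of 'npm list trim-newlines', so that every nested copy is classified rather than only the top-level one; the sample output is constructed.

```javascript
// Added example: apply the affected ranges for CVE-2021-33623
// (all versions < 3.0.1, and 4.x < 4.0.1) to `npm list trim-newlines` output.
// The sample output below is constructed for illustration.
const SAMPLE_NPM_LIST = `my-app@1.0.0 /srv/my-app
├─┬ meow@9.0.0
│ └── trim-newlines@3.0.0
└─┬ other-tool@2.0.0
  └── trim-newlines@4.0.1
`;

// Parse "MAJOR.MINOR.PATCH" (any pre-release suffix is ignored).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Returns -1, 0 or 1 like a comparator.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// True when `version` falls in an affected range from the advisory.
function isVulnerable(version) {
  const [major] = parseVersion(version);
  if (major === 4) return compareVersions(version, '4.0.1') < 0; // 4.x before 4.0.1
  return compareVersions(version, '3.0.1') < 0;                 // everything before 3.0.1
}

// Find every installed copy (nested or deduped) and classify it.
function findInstalled(npmListOutput) {
  const found = [];
  const re = /trim-newlines@(\d+\.\d+\.\d+[^\s]*)/g;
  let m;
  while ((m = re.exec(npmListOutput)) !== null) {
    found.push({ version: m[1], vulnerable: isVulnerable(m[1]) });
  }
  return found;
}

// Usage: replace SAMPLE_NPM_LIST with the real command output.
for (const entry of findInstalled(SAMPLE_NPM_LIST)) {
  console.log(`trim-newlines@${entry.version}: ${entry.vulnerable ? 'VULNERABLE' : 'fixed'}`);
}
```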

📡 Detection & Monitoring

Log Indicators:

  • High CPU usage spikes
  • Application timeouts
  • Process crashes related to trim-newlines

Network Indicators:

  • Unusually large input payloads
  • Repeated requests with similar patterns

SIEM Query:

source="application.logs" AND ("trim-newlines" OR "high cpu" OR "timeout")
