CVE-2021-3804

7.5 HIGH

📋 TL;DR

CVE-2021-3804 is a regular expression denial-of-service (ReDoS) vulnerability in Taro, a cross-platform development framework. Attackers can cause excessive CPU consumption and service degradation by sending specially crafted input to applications using vulnerable Taro versions. This affects developers and organizations using Taro for web or mobile applications.

💻 Affected Systems

Products:
  • Taro
Versions: before 3.3.12
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Applications using Taro's vulnerable regular expression patterns for input processing are affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete service unavailability due to CPU exhaustion, leading to denial of service for legitimate users and potential cascading failures in dependent systems.

🟠 Likely Case

Degraded application performance, increased response times, and potential service interruptions affecting user experience.

🟢 If Mitigated

Minimal impact with proper input validation, rate limiting, and updated versions; performance degradation limited to isolated instances.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending malicious input to endpoints using vulnerable regex patterns; no authentication needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.3.12 and later

Vendor Advisory: https://github.com/nervjs/taro/commit/acadb6c826ba57f2030a626f1de4f7b4608fcdb5

Restart Required: Yes

Instructions:

1. Update Taro to version 3.3.12 or later using npm: 'npm update @tarojs/taro'.
2. Rebuild and redeploy your application.
3. Restart any running services using Taro.

🔧 Temporary Workarounds

Input Validation and Sanitization (applies to: all)

Implement strict input validation to reject or sanitize inputs that could trigger the vulnerable regex patterns.

Rate Limiting (applies to: all)

Apply rate limiting to endpoints that process user input to reduce the impact of potential DoS attacks.

🧯 If You Can't Patch

  • Implement Web Application Firewall (WAF) rules to block malicious input patterns targeting the vulnerability.
  • Monitor CPU usage and application performance metrics for anomalies indicating exploitation attempts.

🔍 How to Verify

Check if Vulnerable:

Check your package.json or run 'npm list @tarojs/taro' to see if Taro version is below 3.3.12.

Check Version:

npm list @tarojs/taro | grep @tarojs/taro

Verify Fix Applied:

After updating, verify the version is 3.3.12 or higher with 'npm list @tarojs/taro' and test application functionality.
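As an added example (not part of this advisory), a POSIX shell check that compares the installed @tarojs/taro version against the fixed release 3.3.12; reading node_modules/@tarojs/taro/package.json from the project root is an assumption about a standard npm layout.

```shell
#!/bin/sh
# Returns 0 if VERSION is below 3.3.12 (affected by CVE-2021-3804),
# 1 if it is 3.3.12 or later, and 2 if VERSION is not a numeric version.
taro_is_vulnerable() {
  v=${1#v}                 # tolerate an npm-style leading "v"
  v=${v%%[-+]*}            # ignore pre-release/build suffixes such as -beta.1
  [ -n "$v" ] || return 2
  IFS=. read -r major minor patch rest <<EOF
$v
EOF
  major=${major:-0}; minor=${minor:-0}; patch=${patch:-0}
  case "$major$minor$patch" in
    *[!0-9]*) return 2 ;;  # something other than digits: not a version
  esac
  # Fixed release is 3.3.12; compare component by component.
  if [ "$major" -ne 3 ]; then [ "$major" -lt 3 ]; return; fi
  if [ "$minor" -ne 3 ]; then [ "$minor" -lt 3 ]; return; fi
  [ "$patch" -lt 12 ]
}

# Reads the version actually installed in this project (assumption: run from
# the project root after npm install) and reports whether it needs updating.
check_installed_taro() {
  pkg=node_modules/@tarojs/taro/package.json
  installed=$(sed -n 's/.*"version": *"\([^"]*\)".*/\1/p' "$pkg" 2>/dev/null | head -n 1)
  if [ -z "$installed" ]; then
    echo "@tarojs/taro not found under node_modules"; return 2
  fi
  if taro_is_vulnerable "$installed"; then
    echo "@tarojs/taro $installed is below 3.3.12: affected by CVE-2021-3804, update"
    return 0
  fi
  echo "@tarojs/taro $installed is 3.3.12 or later: not affected"
  return 1
}
```

Run `check_installed_taro` in each project directory; an exit status of 0 means the install is still on an affected version.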

📡 Detection & Monitoring

Log Indicators:

  • Unusually high CPU usage spikes
  • Increased error rates or timeouts in application logs
  • Patterns of repeated requests with similar payloads

Network Indicators:

  • High volume of requests to specific endpoints
  • Abnormal request patterns with regex-like strings

SIEM Query:

source="application_logs" AND (cpu_usage > 90% OR error_rate > 10%) AND process="node"
