CVE-2021-40897

7.5 HIGH

📋 TL;DR

CVE-2021-40897 is a Regular Expression Denial of Service (ReDoS) vulnerability in split-html-to-chars v1.0.5. An attacker who can supply specially crafted invalid HTML to the library's splitting regex triggers catastrophic backtracking, which pins a CPU core and stalls the Node.js event loop. Any application that passes attacker-influenced HTML through this JavaScript library, directly or via a transitive dependency, is affected.

💻 Affected Systems

Products:
  • split-html-to-chars
Versions: v1.0.5
Operating Systems: All platforms running Node.js/JavaScript
Default Config Vulnerable: ⚠️ Yes (the library has no configuration; every call that receives attacker-influenced HTML is exposed)
Notes: Only affects applications that route HTML content through split-html-to-chars. The vulnerability is in the regular expression pattern used for HTML splitting, so the caller cannot fix it short of upgrading; the caller can only limit what reaches the library and how long it is allowed to run.

📦 What is this software?

split-html-to-chars is a small JavaScript library distributed via npm that splits an HTML string into its individual characters while keeping the markup intact, using a regular expression to separate tags from text. It runs wherever Node.js or browser JavaScript runs.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete service unavailability due to CPU exhaustion from processing malicious HTML input, potentially affecting all users of the application.

🟠 Likely Case: Degraded performance or temporary service disruption for users whose requests pass HTML content through the vulnerable library.

🟢 If Mitigated: Minimal impact with input size limits, processing timeouts and the patched version in place.

🌐 Internet-Facing: HIGH - Any web application using this library to process user-submitted HTML is vulnerable to DoS attacks.
🏢 Internal Only: MEDIUM - Internal applications using the library could be exploited by authenticated users or through other attack vectors.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: No evidence beyond the public PoC; trivial to weaponize because the payload is a single crafted string
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only sending specially crafted HTML input to a code path that calls the vulnerable library; no authentication, race condition or memory corruption is involved. The linked PoC (yetingli/SaveResults) demonstrates an input that triggers catastrophic backtracking in the regex engine, and because the matching cost grows exponentially with payload length the attacker chooses how long a single request occupies a CPU core.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v1.0.6 or later (confirm on the npm registry that a release newer than 1.0.5 is actually published before relying on it; if none is, treat the workarounds below as the mitigation)

Researcher PoC / reference (not a vendor advisory): https://github.com/yetingli/SaveResults/blob/main/js/split-html-to-chars.js

Restart Required: Yes (the module is loaded into the Node.js process at startup)

Instructions:

1. Update to a fixed release: npm update split-html-to-chars (or pin the version in package.json and run npm install). If the library is only a transitive dependency, npm ls split-html-to-chars shows which parent pulls it in; bump that parent or add an override.
2. Restart every Node.js process that loads the library.
3. Verify with npm ls split-html-to-chars that no 1.0.5 instance remains anywhere in the dependency tree.

🔧 Temporary Workarounds

Input Validation and Sanitization

Applies to: all deployments

Cap the size of HTML accepted from untrusted sources and reject obviously malformed input (unterminated or nested tag brackets) in a linear-time pre-check before it reaches split-html-to-chars. Validation alone is not a guarantee, because the exact trigger pattern is not characterized here; treat it as one layer.

Resource Limiting

Applies to: all deployments

A ReDoS burns CPU on the thread that runs the regex, so memory limits (--max-old-space-size) and event-emitter settings do nothing against it. Bound the work instead: run the library call in a worker_threads Worker (or a child process) and terminate it when it exceeds a short deadline, and set request timeouts on the HTML-processing endpoints so a stuck request is dropped rather than queued behind others.

🧯 If You Can't Patch

  • WAF rules can only block payload shapes you already know; a request size limit on HTML-processing endpoints is the more reliable generic control, with pattern rules as a supplement
  • Rate limit HTML processing endpoints per client so one source cannot saturate all workers
  • Run the library call in a worker thread or separate process with a hard timeout so a single malicious input cannot stall the main event loop

🔍 How to Verify

Check if Vulnerable:

Check package.json and the lockfile, and run npm ls split-html-to-chars, to see whether version 1.0.5 is installed anywhere in the tree, including as a transitive dependency.

Check Version:

npm ls split-html-to-chars
npm audit   # should also report the advisory for this CVE while a vulnerable version is present

Verify Fix Applied:

Confirm that npm ls split-html-to-chars shows 1.0.6 or higher for every instance in the tree, then confirm the Node.js processes were restarted after the update.

📡 Detection & Monitoring

Log Indicators:

  • Unusually long processing times for HTML content
  • High CPU usage spikes in Node.js processes
  • Process crashes or timeouts when handling HTML input

Network Indicators:

  • Repeated requests with malformed HTML patterns
  • Unusually large HTML payloads to processing endpoints

SIEM Query:

Generic Splunk-style template; adapt the field names (duration, source) to your log schema. Note that a regex stall appears in application logs as a long request duration or timeout, not as a literal "CPU spike" string, so correlate with host CPU metrics rather than relying on that term:

source="application.log" AND ("split-html-to-chars" OR "HTML processing") AND (duration>5000 OR "timeout" OR "CPU spike")

