CVE-2021-40899

CVSS base score: 7.5 HIGH

📋 TL;DR

CVE-2021-40899 is a Regular Expression Denial of Service (ReDoS) vulnerability in repo-git-downloader v0.1.1, an npm package for Node.js. A specially crafted repository string (reported as an "invalid git repository" input) triggers catastrophic backtracking in the regular expression the package uses to parse repository identifiers, pinning a CPU core and, because Node.js runs JavaScript on a single thread, blocking the event loop for every other request in that process. Any application or service that passes untrusted input to the vulnerable version of repo-git-downloader is affected.

💻 Affected Systems

Products:
  • repo-git-downloader
Versions: v0.1.1
Operating Systems: All platforms running Node.js
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications using repo-git-downloader v0.1.1 to download git repositories from untrusted sources.

📦 What is this software?

repo-git-downloader is an npm package for Node.js that downloads git repositories given a repository identifier or URL. The identifier is parsed with a regular expression before the download starts, which is where this vulnerability lies.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete service unavailability due to CPU exhaustion, potentially affecting dependent services and causing extended downtime.

🟠

Likely Case

Degraded performance or temporary service disruption when processing malicious git repository URLs.

🟢

If Mitigated

Minimal impact with proper input validation, rate limiting, and monitoring in place.

🌐 Internet-Facing: HIGH if the vulnerable component is exposed to untrusted users who can trigger git downloads.
🏢 Internal Only: MEDIUM if only internal users can trigger downloads, but could still cause service disruption.

🎯 Exploit Status

Public PoC: ⚠️ Yes (the researcher's report includes a triggering input)
Weaponized: LIKELY (for ReDoS the PoC string is the exploit; no further tooling is needed)
Unauthenticated Exploit: ⚠️ Yes, wherever the application lets unauthenticated users supply the repository string
Complexity: LOW

Exploitation only requires getting a crafted repository string into the library's parsing path. The flaw is catastrophic backtracking in the regular expression that matches repository identifiers: the number of ways the engine can split the input grows exponentially with its length, so a single request of a few dozen characters can occupy a CPU core for seconds to minutes. Since Node.js evaluates JavaScript on one thread, that one request stalls every other request served by the same process for the duration.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v0.1.2 or later. Confirm on the npm registry that a fixed release is actually published before relying on this; if none is, treat the workarounds below as the fix and consider replacing the dependency.

Reference (researcher's PoC and report, not a vendor advisory): https://github.com/yetingli/SaveResults/blob/main/js/repo-git-downloader.js

Restart Required: Yes (Node.js loads modules at process start; a running process keeps the old code until it is restarted)

Instructions:

1. Update the package with npm install repo-git-downloader@latest (npm update repo-git-downloader also works if the version range in package.json already allows the fixed release; check the installed version afterwards rather than assuming).
2. If the package arrives as a transitive dependency, npm ls repo-git-downloader shows which direct dependency pulls it in; update or override that dependency.
3. Restart every Node.js process that loaded the library.
4. Verify with npm ls repo-git-downloader, and with npm audit if the registry's advisory database carries an entry for this CVE.

🔧 Temporary Workarounds

Input Validation (all platforms)

Validate the repository string before it reaches repo-git-downloader: enforce a hard length cap first, allowlist the permitted characters, and reject anything that is not the expected owner/repo form. Do the check with a single linear scan, not with another regular expression that can itself backtrack.

Rate Limiting (all platforms)

Rate-limit git download endpoints per client. Rate limiting bounds how often the regex can be hit, not how long one call runs: a single crafted request still blocks the event loop, so combine it with input validation and a per-request timeout.
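The two points above, the exponential backtracking described under Exploit Status and the input-validation workaround, as an added example that is not code from repo-git-downloader or from the original report. The regular expression here is a hypothetical stand-in with the same shape of flaw (a quantified group whose body overlaps with what follows it), not the package's real pattern, and the owner/repo[#ref] input format, the 256-character cap and the function names are assumptions made for the example:

```javascript
// Added example (not code from repo-git-downloader or from the original
// report): how a repository-spec regex blows up, and a bounded, regex-free
// validator to put in front of the library.
//
// HYPOTHETICAL stand-in for the flawed pattern, not the package's real one.
// The group body ([...]+ followed by "\.") overlaps with the class itself,
// which also contains ".", so "a.a.a." can be split into iterations in
// exponentially many ways and every split is retried on a final failure.
const HYPOTHETICAL_VULNERABLE = /^([A-Za-z0-9_.-]+\.)*[A-Za-z0-9_.-]+$/;

// Constructed ReDoS payload: n repetitions of "a." that nearly match, plus a
// trailing "!" so the closing "$" fails and all splits are explored.
function redosPayload(n) {
  return 'a.'.repeat(n) + '!';
}

// Wall-clock milliseconds for one test() of the vulnerable pattern. Node's
// default engine (V8 irregexp) backtracks, so each extra repetition roughly
// doubles the work; keep n small when running this.
function measureBacktracking(n) {
  const start = process.hrtime.bigint();
  HYPOTHETICAL_VULNERABLE.test(redosPayload(n));
  return Number(process.hrtime.bigint() - start) / 1e6;
}

// Linear-time guard for an "owner/repo", "owner/repo.git" or "owner/repo#ref"
// spec (this input format is assumed for the example). The length cap runs
// first, each segment is checked in one pass over its characters, and attacker
// input never reaches a backtracking regex. Returns { owner, repo, ref } or null.
const MAX_SPEC_LENGTH = 256;

function isSegment(s) {
  if (s.length === 0 || s[0] === '.') return false; // also rejects "." and ".."
  for (let i = 0; i < s.length; i++) {
    const c = s.charCodeAt(i);
    const ok = (c >= 48 && c <= 57) || (c >= 65 && c <= 90) || (c >= 97 && c <= 122) ||
               c === 45 || c === 46 || c === 95; // 0-9 A-Z a-z - . _
    if (!ok) return false;
  }
  return true;
}

function parseRepoSpec(spec) {
  if (typeof spec !== 'string' || spec.length === 0 || spec.length > MAX_SPEC_LENGTH) return null;
  const hash = spec.indexOf('#');
  const path = hash === -1 ? spec : spec.slice(0, hash);
  const ref = hash === -1 ? null : spec.slice(hash + 1);
  const parts = path.split('/');
  if (parts.length !== 2) return null;
  const [owner, rawRepo] = parts;
  if (!isSegment(owner) || !isSegment(rawRepo)) return null;
  if (ref !== null && !isSegment(ref)) return null;
  const repo = rawRepo.endsWith('.git') ? rawRepo.slice(0, -4) : rawRepo;
  if (repo.length === 0) return null;
  return { owner, repo, ref };
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const n of [12, 14, 16, 18]) {
    console.log(`n=${n}: ${measureBacktracking(n).toFixed(1)} ms`); // roughly doubles per step
  }
  console.log(parseRepoSpec('octocat/Hello-World.git#v1.2'));
  console.log(parseRepoSpec(redosPayload(5000))); // null: rejected by the length cap, no regex run
}
```

Run it with node and the timings for n = 12, 14, 16, 18 roughly double at each step, which is the signature to look for when auditing any pattern that touches user input. The guard deliberately rejects refs containing "/" (branch names such as feature/x); widen isSegment for the ref only if your application needs them, keeping the length cap.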

🧯 If You Can't Patch

  • Add a WAF or reverse-proxy rule on the parameter that carries the repository string: a maximum length and a character allowlist. ReDoS payloads are long runs of a repeated short unit, so a length cap alone removes most of the risk; matching "complex patterns" with another regex at the edge is not needed and can introduce the same problem there.
  • Run the download in a worker thread or child process with a timeout, so a runaway regex can be killed without stalling the main event loop, and alert on CPU spikes and slow requests on the download path.

🔍 How to Verify

Check if Vulnerable:

Run npm ls repo-git-downloader in the project; it lists every copy in the dependency tree, including transitive ones that package.json does not show. Version 0.1.1 is vulnerable.

Check Version:

npm ls repo-git-downloader | grep repo-git-downloader

Verify Fix Applied:

Every listed copy of repo-git-downloader must be 0.1.2 or higher, and the running processes must have been restarted since the update.

📡 Detection & Monitoring

Log Indicators:

  • Unusually long processing times for git downloads
  • High CPU usage spikes during repository downloads
  • Failed git download requests with malformed URLs

Network Indicators:

  • Multiple rapid requests to git download endpoints
  • Requests with unusually long or complex git repository URLs

SIEM Query:

source="application.logs" AND ("git-download" OR "repo-git-downloader") AND (duration>10s OR cpu_usage>90)

(Pseudo-syntax; source, duration and cpu_usage are placeholders for the field names in your own logging platform. Requests on the download path that take seconds rather than milliseconds, especially with long or repetitive repository strings, are the primary signal.)
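The log and network indicators above, turned into detection logic run over sample log lines, as an added example that is not part of the original page or of the repo-git-downloader project. The log schema (ts, src_ip, route, repo, duration_ms, status), the thresholds and the sample events are constructed for the example; the 10-second threshold mirrors the query above, and the repetition heuristic flags the long runs of a repeated short unit that ReDoS payloads consist of:

```javascript
// Added example (not from the advisory page or the project): triage of
// constructed application log lines for ReDoS symptoms: slow downloads,
// oversized or highly repetitive repository strings, and request bursts.
// The schema and thresholds are assumptions; adapt them to your own logs.

const SLOW_MS = 10000;        // mirrors the page's "duration > 10s"
const MAX_SPEC_LENGTH = 256;  // anything longer is not a plausible repo spec
const REPEAT_THRESHOLD = 8;   // a unit repeated this often looks like a crafted payload
const BURST_COUNT = 5;        // requests per source within BURST_WINDOW_MS
const BURST_WINDOW_MS = 60000;

// Constructed sample events; JSON.stringify turns them into log lines.
const SAMPLE_LOGS = [
  { ts: '2021-09-14T10:00:01Z', src_ip: '10.0.0.5',     route: '/api/git-download', repo: 'octocat/Hello-World', duration_ms: 210,   status: 200 },
  { ts: '2021-09-14T10:00:05Z', src_ip: '198.51.100.9', route: '/api/git-download', repo: 'a.'.repeat(30) + '!',  duration_ms: 48211, status: 504 },
  { ts: '2021-09-14T10:00:09Z', src_ip: '198.51.100.9', route: '/api/git-download', repo: 'x'.repeat(400),        duration_ms: 31,    status: 400 },
  { ts: '2021-09-14T10:01:00Z', src_ip: '192.0.2.7',    route: '/api/git-download', repo: 'owner/repo',           duration_ms: 150,   status: 200 },
  { ts: '2021-09-14T10:01:05Z', src_ip: '192.0.2.7',    route: '/api/git-download', repo: 'owner/repo',           duration_ms: 150,   status: 200 },
  { ts: '2021-09-14T10:01:10Z', src_ip: '192.0.2.7',    route: '/api/git-download', repo: 'owner/repo',           duration_ms: 150,   status: 200 },
  { ts: '2021-09-14T10:01:15Z', src_ip: '192.0.2.7',    route: '/api/git-download', repo: 'owner/repo',           duration_ms: 150,   status: 200 },
  { ts: '2021-09-14T10:01:20Z', src_ip: '192.0.2.7',    route: '/api/git-download', repo: 'owner/repo',           duration_ms: 150,   status: 200 },
  { ts: '2021-09-14T10:30:00Z', src_ip: '10.0.0.5',     route: '/api/health',                                      duration_ms: 2,     status: 200 },
].map(e => JSON.stringify(e));

// Longest run of a unit of 1..maxUnit characters repeated back to back.
// "a.a.a.a." scores 4, "xxxx" scores 4, "octocat/Hello-World" scores 2 ("ll").
// After a run is measured the scan skips past it, so this is linear per unit size.
function maxConsecutiveRepeats(s, maxUnit = 4) {
  let best = 0;
  for (let u = 1; u <= maxUnit; u++) {
    for (let start = 0; start + u <= s.length; start++) {
      const unit = s.substr(start, u);
      let count = 1;
      let pos = start + u;
      while (pos + u <= s.length && s.substr(pos, u) === unit) { count++; pos += u; }
      if (count > best) best = count;
      if (count > 1) start = pos - 1; // no longer run of this size begins inside the one just found
    }
  }
  return best;
}

// Per-event reasons; an empty array means the event looks benign.
function analyzeEvent(e) {
  const reasons = [];
  if (typeof e.duration_ms === 'number' && e.duration_ms > SLOW_MS) reasons.push('slow');
  if (typeof e.repo === 'string') {
    if (e.repo.length > MAX_SPEC_LENGTH) reasons.push('oversized');
    if (maxConsecutiveRepeats(e.repo) >= REPEAT_THRESHOLD) reasons.push('repetitive');
  }
  return reasons;
}

// Parses the lines, keeps download-path events, flags suspicious ones, and
// finds sources that sent BURST_COUNT or more requests inside a sliding window.
function triage(lines) {
  const events = [];
  for (const line of lines) {
    let e;
    try { e = JSON.parse(line); } catch (err) { continue; } // skip unparsable lines
    if (e.route === '/api/git-download') events.push(e);
  }
  const flagged = [];
  for (const e of events) {
    const reasons = analyzeEvent(e);
    if (reasons.length) flagged.push({ ts: e.ts, src_ip: e.src_ip, reasons });
  }
  const bySource = new Map();
  for (const e of events) {
    const t = Date.parse(e.ts);
    if (Number.isNaN(t)) continue;
    if (!bySource.has(e.src_ip)) bySource.set(e.src_ip, []);
    bySource.get(e.src_ip).push(t);
  }
  const burstSources = [];
  for (const [ip, times] of bySource) {
    times.sort((a, b) => a - b);
    let lo = 0;
    for (let hi = 0; hi < times.length; hi++) {
      while (times[hi] - times[lo] > BURST_WINDOW_MS) lo++;
      if (hi - lo + 1 >= BURST_COUNT) { burstSources.push(ip); break; }
    }
  }
  return { flagged, burstSources };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(triage(SAMPLE_LOGS), null, 2));
}
```

On the constructed sample the slow request and the oversized request from 198.51.100.9 are flagged (the first also as repetitive, since "a." repeats 30 times), 192.0.2.7 is reported as a burst source, and the health-check line is ignored. The repetition heuristic is what separates a ReDoS attempt from an ordinary slow download, so keep it even if the duration threshold has to be tuned per deployment.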

🔗 References

  • https://github.com/yetingli/SaveResults/blob/main/js/repo-git-downloader.js (researcher's PoC and report)
  • https://nvd.nist.gov/vuln/detail/CVE-2021-40899 (NVD entry)
