CVE-2023-43646
📋 TL;DR
CVE-2023-43646 is a regular expression denial of service (ReDoS) vulnerability in the get-func-name npm module. It allows attackers to cause denial of service by sending specially crafted input that triggers excessive backtracking in the module's regular expression parser. This affects any application using vulnerable versions of get-func-name to parse function names from user-controlled input.
💻 Affected Systems
- get-func-name npm module
📦 What is this software?
get-func-name is a small utility module maintained by the chaijs project (the same organisation that hosts the vendor advisory below). It returns the name of a JavaScript function, falling back to matching the function's source text with a regular expression when a name is not otherwise available; that fallback regular expression is where the ReDoS occurs.
⚠️ Risk & Real-World Impact
Worst Case
Complete service unavailability due to CPU exhaustion, potentially affecting all users of the vulnerable application.
Likely Case
Degraded performance or temporary service disruption for affected endpoints that process malicious input.
If Mitigated
Minimal impact if input validation or rate limiting prevents malicious payloads from reaching the vulnerable function.
🎯 Exploit Status
The exact exploit string is publicly documented: '\t'.repeat(54773) + '\t/function/i'. No authentication required to trigger the vulnerability.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.0.1 and later
Vendor Advisory: https://github.com/chaijs/get-func-name/security/advisories/GHSA-4q6p-r6v2-jvc5
Restart Required: Yes
Instructions:
1. Update package.json to specify get-func-name version 2.0.1 or higher.
2. Run 'npm update get-func-name' or 'yarn upgrade get-func-name'.
3. Restart the application to load the updated module.
🔧 Temporary Workarounds
Input validation and sanitization
Implement strict input validation to reject or sanitize inputs containing excessive tabs or unbalanced parentheses before they reach get-func-name.
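As an added example (not code from the advisory or from the get-func-name project), the following JavaScript shows the kind of pre-check the workaround describes: a linear-time scan that refuses over-long input and long runs of whitespace before any regular expression runs on user-controlled function source text. The thresholds, the function names and the demoParse stand-in parser are assumptions chosen for illustration; they are not get-func-name's own API.

```javascript
// Added example, not part of the advisory or the get-func-name project.
// Thresholds are assumptions: realistic function sources are short and never
// contain dozens of consecutive whitespace characters.
const MAX_INPUT_LENGTH = 1024;
const MAX_WHITESPACE_RUN = 16;

// Returns null when the input looks benign, otherwise a reason string.
// Runs in O(n) with no regular expression, so it cannot itself be a backtracking target.
function rejectSuspiciousInput(input) {
  if (typeof input !== 'string') return 'not a string';
  if (input.length > MAX_INPUT_LENGTH) {
    return `length ${input.length} exceeds ${MAX_INPUT_LENGTH}`;
  }
  let run = 0;
  for (let i = 0; i < input.length; i++) {
    const c = input[i];
    if (c === '\t' || c === ' ' || c === '\n' || c === '\r') {
      run++;
      if (run > MAX_WHITESPACE_RUN) {
        return `whitespace run longer than ${MAX_WHITESPACE_RUN} at offset ${i - run + 1}`;
      }
    } else {
      run = 0;
    }
  }
  return null;
}

// Stand-in for a regex-based function-name parser (assumption; the real module's
// pattern differs). Its two character classes are disjoint, so it cannot backtrack badly.
const demoParse = (src) => {
  const m = /^function\s+([^\s(]+)/.exec(src);
  return m ? m[1] : null;
};

// Wraps a parser so hostile input is refused before the regex runs.
// Returns { ok: true, name } or { ok: false, reason }.
function guardedFunctionName(parseFn, input) {
  const reason = rejectSuspiciousInput(input);
  if (reason !== null) return { ok: false, reason };
  return { ok: true, name: parseFn(input) };
}

// Constructed inputs: a benign source and the publicly documented payload shape.
const BENIGN_SOURCE = 'function foo() {}';
const PAYLOAD_SHAPE = '\t'.repeat(54773) + '\t/function/i';
```

The guard rejects the documented payload on length alone and rejects shorter variants on the whitespace run. The parenthesis-balance check the advisory mentions is deliberately left out here: legitimate source can contain unbalanced parentheses inside string literals, so rejecting on it would produce false positives.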
🧯 If You Can't Patch
- Implement rate limiting on endpoints that use get-func-name to prevent repeated exploitation attempts.
- Deploy web application firewalls (WAF) with ReDoS protection rules to block malicious patterns.
🔍 How to Verify
Check if Vulnerable:
Check package-lock.json (or yarn.lock) for the installed get-func-name version rather than relying on package.json alone, since package.json records a version range while the lockfile records what is actually installed. If any installed copy is below 2.0.1, the system is vulnerable.
Check Version:
npm list get-func-name | grep get-func-name
Verify Fix Applied:
After updating, verify the installed version with 'npm list get-func-name' and confirm it shows 2.0.1 or higher.
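The 'npm list' check above relies on the tool being available on the host. As an added example (not code from the advisory or the get-func-name project), the following JavaScript scans a package-lock.json object for every installed copy of get-func-name, including transitive copies nested under other packages, and flags those below the fixed version. It handles both lockfile v1 (nested "dependencies") and v2/v3 (flat "packages" keyed by path). The sample lockfiles are constructed for illustration, and the function names are assumptions.

```javascript
// Added example, not part of the advisory or the get-func-name project.
const FIXED_VERSION = [2, 0, 1];
const PACKAGE = 'get-func-name';

// Parse "MAJOR.MINOR.PATCH" into numbers; pre-release and build suffixes are ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// True when the version sorts below 2.0.1. Unparsable versions are treated as suspect.
function isBelowFixed(version) {
  const parsed = parseVersion(version);
  if (!parsed) return true;
  for (let i = 0; i < 3; i++) {
    if (parsed[i] !== FIXED_VERSION[i]) return parsed[i] < FIXED_VERSION[i];
  }
  return false;
}

// Returns [{ path, version, vulnerable }] for every copy found in the lockfile object.
function findGetFuncName(lock) {
  const found = [];
  if (lock.packages) {
    // lockfile v2/v3: keys like "node_modules/chai/node_modules/get-func-name"
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path.endsWith('node_modules/' + PACKAGE) && meta && meta.version) {
        found.push({ path, version: meta.version, vulnerable: isBelowFixed(meta.version) });
      }
    }
  } else if (lock.dependencies) {
    // lockfile v1: recursive "dependencies" tree
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const path = prefix + 'node_modules/' + name;
        if (name === PACKAGE && meta.version) {
          found.push({ path, version: meta.version, vulnerable: isBelowFixed(meta.version) });
        }
        if (meta.dependencies) walk(meta.dependencies, path + '/');
      }
    };
    walk(lock.dependencies, '');
  }
  return found;
}

function vulnerableCopies(lock) {
  return findGetFuncName(lock).filter((c) => c.vulnerable);
}

// Convenience entry point for raw lockfile text, e.g. fs.readFileSync('package-lock.json', 'utf8').
function scanLockfileText(jsonText) {
  return vulnerableCopies(JSON.parse(jsonText));
}

// Constructed sample lockfile (v3 shape): a fixed top-level copy and a vulnerable nested copy.
const SAMPLE_LOCK_V3 = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app' },
    'node_modules/get-func-name': { version: '2.0.1' },
    'node_modules/chai': { version: '4.3.7' },
    'node_modules/chai/node_modules/get-func-name': { version: '2.0.0' },
  },
};

// Constructed sample lockfile (v1 shape) with the same layout.
const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    'get-func-name': { version: '2.0.1' },
    chai: { version: '4.3.7', dependencies: { 'get-func-name': { version: '2.0.0' } } },
  },
};
```

A clean result from 'npm list' at the top level is not sufficient on its own: the nested copy in the sample is exactly the case where a project's direct dependency is fixed while a transitive one is not, so run the scan (or 'npm list get-func-name', which also shows nested copies) after every update.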
📡 Detection & Monitoring
Log Indicators:
- Unusually high CPU usage spikes
- Increased processing time for function name parsing operations
- Application timeouts or crashes
Network Indicators:
- Multiple requests containing patterns of repeated tabs followed by '/function/i'
SIEM Query:
source="application_logs" AND (message:"CPU spike" OR message:"timeout") AND process:"node"
🔗 References
- https://github.com/chaijs/get-func-name/commit/f934b228b5e2cb94d6c8576d3aac05493f667c69
- https://github.com/chaijs/get-func-name/security/advisories/GHSA-4q6p-r6v2-jvc5