CVE-2023-50249

7.5 HIGH

📋 TL;DR

A Regular Expression Denial of Service (ReDoS) vulnerability in Sentry's Astro SDK allows attackers to cause excessive server computation times, leading to denial of service. This affects users of Sentry-Javascript Astro SDK versions 7.78.0 through 7.86.0. The vulnerability has been patched in version 7.87.0.

💻 Affected Systems

Products:
  • Sentry-Javascript Astro SDK
Versions: 7.78.0 to 7.86.0
Operating Systems: All platforms running JavaScript/Node.js
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects the Astro SDK component of Sentry-Javascript. Other Sentry SDKs are not affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete service unavailability due to CPU exhaustion, affecting all users of the vulnerable application.

🟠 Likely Case: Degraded performance and intermittent service disruptions under targeted attack.

🟢 If Mitigated: Minimal impact with proper monitoring and rate limiting in place.

🌐 Internet-Facing: HIGH - Publicly accessible services using vulnerable SDK are directly exposed to DoS attacks.
🏢 Internal Only: MEDIUM - Internal services could be affected by internal threats or compromised accounts.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

ReDoS vulnerabilities typically require sending specially crafted input to trigger the vulnerable regex pattern.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 7.87.0

Vendor Advisory: https://github.com/getsentry/sentry-javascript/security/advisories/GHSA-x3v3-8xg8-8v72

Restart Required: Yes

Instructions:

1. Update package.json to use @sentry/astro version 7.87.0 or higher.
2. Run npm update or yarn upgrade.
3. Restart your application server.

🔧 Temporary Workarounds

Rate Limiting (applies to: all): Implement rate limiting on endpoints that process user input to reduce the impact of DoS attempts.

Input Validation (applies to: all): Add strict input validation and length limits on user-supplied data before processing.

🧯 If You Can't Patch

  • Implement WAF rules to block request payloads likely to trigger the vulnerable regex (for example, by enforcing length limits on user-supplied fields)
  • Monitor CPU usage and set up alerts for abnormal spikes

🔍 How to Verify

Check if Vulnerable:

Check package.json or package-lock.json for an @sentry/astro version between 7.78.0 and 7.86.0 (inclusive)

Check Version:

npm list @sentry/astro or check package.json

Verify Fix Applied:

Verify that the @sentry/astro version is 7.87.0 or higher in package.json and in the installed dependencies (package-lock.json)

📡 Detection & Monitoring

Log Indicators:

  • Unusually high CPU usage
  • Slow response times
  • Process timeouts

Network Indicators:

  • Spike in request volume to specific endpoints
  • Repeated patterns in request payloads

SIEM Query:

source="application_logs" AND (message="CPU spike" OR message="timeout" OR message="slow response")
