GHSA-x4hg-hfwf-p9mwMediumDisclosed before NVD

@asymmetric-effort/nogginlessdom vulnerable to ReDoS via user-controlled regex in HTMLInputElement pattern validation

Published
July 2, 2026
Last Modified
July 2, 2026

📋 Description

Summary

The HTMLInputElement.checkValidity() method constructed a RegExp directly from the user-controlled pattern property without any sanitization or timeout protection. This allowed an attacker to inject a regex with catastrophic backtracking, freezing the event loop.

Fix

Fixed in commit https://github.com/asymmetric-effort/NogginLessDom/commit/25a3cbac665fae5663f8b71c073b80c3152dbe7b on main. Added:

  • Pattern length limit (1024 characters)
  • Nested quantifier detection (hasNestedQuantifiers) that rejects patterns like (a+)+ before constructing the regex
  • Patterns exceeding limits are treated as non-matching (safe default)

🎯 Affected products1

  • npm/@asymmetric-effort/nogginlessdom:<= 0.0.21

🔗 References (3)