GHSA-x4hg-hfwf-p9mwMediumDisclosed before NVD
@asymmetric-effort/nogginlessdom vulnerable to ReDoS via user-controlled regex in HTMLInputElement pattern validation
📋 Description
Summary
The HTMLInputElement.checkValidity() method constructed a RegExp directly from the user-controlled pattern property without any sanitization or timeout protection. This allowed an attacker to inject a regex with catastrophic backtracking, freezing the event loop.
Fix
Fixed in commit https://github.com/asymmetric-effort/NogginLessDom/commit/25a3cbac665fae5663f8b71c073b80c3152dbe7b on main. Added:
- Pattern length limit (1024 characters)
- Nested quantifier detection (
hasNestedQuantifiers) that rejects patterns like(a+)+before constructing the regex - Patterns exceeding limits are treated as non-matching (safe default)
🎯 Affected products1
- npm/@asymmetric-effort/nogginlessdom:<= 0.0.21