Thanks to visit codestin.com
Credit goes to github.com

Skip to content

fix: Potential ReDoS Vulnerability or Inefficient Regular Expression in Project: Need for Assessment and Mitigation #9091

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

fix: Potential ReDoS Vulnerability or Inefficient Regular Expression in Project: Need for Assessment and Mitigation #9091

wants to merge 2 commits into from

Conversation

@mmmsssttt404
Copy link

Description

I am writing to report a potential Regular Expression Denial of Service (ReDoS) vulnerability or Inefficient Regular Expression in the project. When using specially crafted input strings in the context, it may lead to extremely high CPU usage, application freezing, or denial of service attacks.

video.js/build/jsdoc-typeof-plugin.js

Line 6 in 3380d33

event.comment = (event.comment || '').replace(/\{.*typeof\s+([^\s\|]+).*\}/g, typeExpression => {

gist:https://gist.github.com/mmmsssttt404/2115fe1bbc0afdecda2128d5084b18a0

屏幕截图 2025-08-19 215415 
1.git clone https://github.com/mmmsssttt404/video.js.git
2.cd video.js
3.npm install
4.npx qunit test/build/jsdoc-typeof-plugin.test.js
5.npm test

Specific Changes proposed

Please list the specific changes involved in this pull request.

change regex to:
https://github.com/mmmsssttt404/video.js/blob/d9ae655a3710d42adeb7e7be31fe316515ccf801/build/jsdoc-typeof-plugin.js#L6

then:
屏幕截图 2025-08-20 114636
屏幕截图 2025-08-20 114810

Requirements Checklist

  • Feature implemented / Bug fixed
  • If necessary, more likely in a feature request than a bug fix
    • Change has been verified in an actual browser (Chrome, Firefox, IE)
    • Unit Tests updated or fixed
    • Docs/guides updated
    • Example created (starter template on JSBin)
    • Has no DOM changes which impact accessiblilty or trigger warnings (e.g. Chrome issues tab)
    • Has no changes to JSDoc which cause npm run docs:api to error
  • Reviewed by Two Core Contributors

@welcome
Copy link

welcome bot commented Aug 20, 2025

💖 Thanks for opening this pull request! 💖

Things that will help get your PR across the finish line:

  • Run npm run lint -- --errors locally to catch formatting errors earlier.
  • Include tests when adding/changing behavior.
  • Include screenshots and animated GIFs whenever possible.

We get a lot of pull requests on this repo, so please be patient and we will get back to you as soon as we can.

@mmmsssttt404
Copy link
Author

Benchmarks show clear quadratic growth with input size, not linear. Even at ~100k chars, runtime reaches several seconds. ReDoS does not require exponential blowup — quadratic behavior is already recognized as exploitable|
redos_result (12)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@mmmsssttt404