CVE-2021-23343 Overview
CVE-2021-23343 is a Regular Expression Denial of Service (ReDoS) vulnerability affecting all versions of the path-parse npm package. The vulnerability exists in the splitDeviceRe, splitTailRe, and splitPathRe regular expressions used for parsing file paths. When processing maliciously crafted input strings, these regular expressions exhibit polynomial worst-case time complexity, allowing attackers to cause significant CPU resource exhaustion and application hangs.
Critical Impact
Attackers can exploit this vulnerability to cause denial of service conditions in Node.js applications by sending specially crafted path strings that trigger catastrophic backtracking in the vulnerable regular expressions, potentially rendering the application unresponsive.
Affected Products
- path-parse (all versions) for Node.js
- Applications using path-parse as a dependency
- WebJars npm packages containing path-parse (SNYK-JAVA-ORGWEBJARSNPM-1279028)
Discovery Timeline
- 2021-05-04 - CVE-2021-23343 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-23343
Vulnerability Analysis
The path-parse package provides functionality to parse file paths into their constituent components (root, dir, base, ext, name). The vulnerability stems from inefficient regular expression patterns used internally for parsing operations. When these regular expressions process input strings containing certain character sequences, they enter a state of catastrophic backtracking.
ReDoS vulnerabilities occur when regular expressions can be manipulated to run in exponential or polynomial time rather than linear time. In the case of path-parse, the affected regular expressions (splitDeviceRe, splitTailRe, and splitPathRe) contain overlapping patterns that cause the regex engine to explore an exponentially growing number of possible matches when fed adversarial input.
The network attack vector combined with no required privileges means that any unauthenticated remote attacker can send malicious input to an application using path-parse, potentially causing denial of service. The primary impact is availability degradation, as the CPU becomes tied up processing the malicious regex operations.
Root Cause
The root cause is the use of regular expressions with nested quantifiers and overlapping alternations in the path parsing logic. These pattern constructs are known to be vulnerable to ReDoS attacks because they create ambiguous matching scenarios where the regex engine must backtrack extensively to determine the correct match.
The vulnerable regular expressions contain constructs that, when given carefully crafted input strings, force the JavaScript regex engine into a polynomial-time matching operation. This is a classic example of algorithmic complexity attack where the computational cost grows polynomially with input length.
Attack Vector
An attacker can exploit this vulnerability by sending a specially crafted path string to any application function that processes paths using the vulnerable path-parse package. The attack requires no authentication and can be conducted remotely over the network. Common attack scenarios include:
- Submitting malicious file paths through file upload forms
- Sending crafted path strings via API endpoints that process file paths
- Injecting malicious paths through URL parameters or query strings
- Any user-controlled input that eventually gets processed by path-parse
The attack causes the application's event loop to block while the regex engine attempts to process the malicious input, effectively causing a denial of service condition.
Detection Methods for CVE-2021-23343
Indicators of Compromise
- Unusual CPU spikes in Node.js application processes
- Application response time degradation when processing path-related operations
- Event loop blocking or application hangs during file path parsing
- Increased memory usage patterns correlated with path parsing functions
Detection Strategies
- Monitor Node.js application performance metrics for CPU exhaustion patterns
- Implement request timeout mechanisms to detect and terminate long-running path operations
- Use application performance monitoring (APM) tools to track regex execution time
- Review application logs for patterns indicating slow path parsing operations
- Scan dependencies using npm audit or tools like Snyk to identify vulnerable path-parse versions
Monitoring Recommendations
- Set up alerts for abnormal CPU utilization in Node.js processes
- Implement request-level timeouts to prevent indefinite blocking
- Monitor event loop lag metrics to detect potential ReDoS exploitation
- Track and alert on unusual patterns in path-related API endpoints
- Enable detailed logging for path parsing operations in production environments
How to Mitigate CVE-2021-23343
Immediate Actions Required
- Audit your application dependencies for path-parse usage with npm ls path-parse
- Update to the latest patched version of path-parse if available
- Implement input validation to limit path string length before processing
- Apply request timeouts to prevent long-running operations from blocking the application
- Consider using Node.js built-in path module as an alternative where possible
Patch Information
The vulnerability affects all versions of path-parse. Organizations should check the GitHub Issue Discussion for the latest patch status and updates from the maintainer. Security advisories are available through Snyk JS Vulnerability Database and Snyk Java Vulnerability Database for WebJars users.
Workarounds
- Implement strict input length validation for any user-controlled path strings before passing to path-parse
- Use request timeout middleware to automatically terminate requests that exceed reasonable processing time
- Consider replacing path-parse with Node.js native path.parse() function which is not affected
- Implement rate limiting on endpoints that process file paths to reduce attack surface
- Deploy Web Application Firewall (WAF) rules to detect and block suspiciously long path strings
# Check for vulnerable path-parse in your project
npm ls path-parse
# Audit dependencies for known vulnerabilities
npm audit
# Update to latest version if patch is available
npm update path-parse
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
