CVE-2021-3777 Overview
CVE-2021-3777 is a Regular Expression Denial of Service (ReDoS) vulnerability affecting the nodejs-tmpl package. The inefficient regular expression lets an attacker cause a denial of service by supplying specially crafted input that triggers catastrophic backtracking in the template parsing regular expression.
Critical Impact
Remote attackers can cause complete service unavailability by exploiting the vulnerable regular expression pattern, leading to CPU exhaustion and denial of service conditions without requiring any authentication.
Affected Products
- tmpl_project tmpl (Node.js package)
Discovery Timeline
- 2021-09-15 - CVE-2021-3777 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-3777
Vulnerability Analysis
The vulnerability exists in the INTERPOLATE regular expression used for template string parsing in the nodejs-tmpl library. The original regex pattern /{([\s\S]+?)}/g is susceptible to catastrophic backtracking when processing certain malicious input strings. When an attacker supplies input with nested or malformed template delimiters, the regex engine enters an exponential-time matching state, consuming excessive CPU resources and effectively hanging the application.
This type of vulnerability is classified under CWE-1333 (Inefficient Regular Expression Complexity). The attack can be executed remotely over the network without requiring authentication or user interaction, making it particularly dangerous for Node.js applications that process untrusted template data.
Root Cause
The root cause lies in the overly permissive character class [\s\S]+? within the interpolation regex. This pattern matches any character including whitespace and non-whitespace, which creates ambiguity in the regex engine's matching process. When combined with the curly brace delimiters, certain input patterns force the regex engine to explore an exponential number of possible matches before determining failure.
Attack Vector
The attack vector is network-based, requiring no privileges or user interaction. An attacker can send crafted input strings containing sequences of opening braces or nested template-like structures to any endpoint that processes user-supplied data through the tmpl templating function. The malicious payload causes the regex engine to perform excessive backtracking, blocking the event loop and rendering the application unresponsive.
// Security patch from lib/tmpl.js - fix potential dos in regex
// Before (vulnerable):
-var INTERPOLATE = /{([\s\S]+?)}/g
// After (fixed):
+var INTERPOLATE = /{([^{]+?)}/g
module.exports = function(str, data) {
var tmpl = 'var __p=[],print=function(){__p.push.apply(__p,arguments);};' +
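Review bot: The replacement class on the `+var INTERPOLATE` line excludes only `{`, so the change alters what is captured as well as how long a failed match takes: for `{a{b}` the old pattern captured `a{b` and the new one captures `b`, and nothing in the hunk records that. Suggest a one-line comment above INTERPOLATE stating that a key may not contain `{`, plus a regression test that passes a long string of unclosed `{` through the exported function so the pattern cannot be loosened again unnoticed.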
Source: GitHub Commit Update
Detection Methods for CVE-2021-3777
Indicators of Compromise
- Abnormally high CPU utilization on Node.js processes handling template rendering
- Application timeout errors or unresponsive services correlating with template processing requests
- Request logs showing unusually long processing times for endpoints using tmpl templating
- Memory consumption spikes in Node.js worker processes
Detection Strategies
- Monitor application performance metrics for CPU spikes associated with template rendering operations
- Implement request timeout monitoring to detect hung template processing operations
- Use Software Composition Analysis (SCA) tools to identify vulnerable versions of nodejs-tmpl in dependencies
- Configure alerting for event loop blocking conditions in Node.js applications
Monitoring Recommendations
- Set up APM monitoring with specific tracking for template rendering latency
- Implement request duration thresholds with automatic alerting for template endpoints
- Deploy dependency scanning in CI/CD pipelines to detect vulnerable tmpl package versions
- Monitor process-level CPU metrics for Node.js application containers
How to Mitigate CVE-2021-3777
Immediate Actions Required
- Update nodejs-tmpl to a patched version containing commit 4c654e4d1542f329ed561fd95ccd80f30c6872d6
- Audit all applications using tmpl to identify exposure points
- Implement input validation to reject excessively long or malformed template strings
- Consider rate limiting endpoints that process template data
Patch Information
The vulnerability was addressed in the tmpl package through a modification to the INTERPOLATE regular expression. The fix changes the character class from [\s\S]+? (match any character) to [^{]+? (match any character except opening brace), which eliminates the ambiguous backtracking behavior. The security patch is available in the GitHub Commit. Additional details about the vulnerability are documented in the Huntr Bounty Report.
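The effect of the pattern change can be checked directly. The following is an added example, not code from the tmpl project: it runs the two INTERPOLATE patterns quoted on this page over a constructed string of unclosed opening braces and also shows how the fix changes what is captured. The helper names (`placeholders`, `timeScan`, `compare`, `demo`) are hypothetical.

```javascript
// Added example: the two INTERPOLATE patterns quoted on this page.
const VULNERABLE = /{([\s\S]+?)}/g; // before the fix
const FIXED = /{([^{]+?)}/g;        // after the fix

// Return the captured placeholder keys, in order of appearance.
function placeholders(re, input) {
  return Array.from(input.matchAll(re), (m) => m[1]);
}

// Run one full scan and report the match count and elapsed milliseconds.
function timeScan(re, input) {
  const start = process.hrtime.bigint();
  const count = placeholders(re, input).length;
  const ms = Number(process.hrtime.bigint() - start) / 1e6;
  return { count, ms };
}

// Constructed input: n opening braces and no closing brace, so neither
// pattern can match and all the time measured is spent on failed attempts.
function compare(n) {
  const input = '{'.repeat(n);
  return { n, before: timeScan(VULNERABLE, input), after: timeScan(FIXED, input) };
}

function demo() {
  for (const n of [2000, 4000, 8000]) {
    const r = compare(n);
    console.log(`n=${n} before=${r.before.ms.toFixed(1)}ms after=${r.after.ms.toFixed(1)}ms`);
  }
  // The fix also changes what is captured when a stray '{' precedes a key.
  const sample = 'Hi {name}, {a{b}'; // constructed
  console.log(placeholders(VULNERABLE, sample));
  console.log(placeholders(FIXED, sample));
}

demo();
```

Running the same comparison against the pattern found in an installed copy of the package confirms whether the deployed code carries the fix.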
Workarounds
- Implement input length restrictions on data passed to tmpl template functions
- Add request timeout middleware to terminate long-running template operations
- Pre-validate template input to reject strings containing suspicious patterns like repeated brace sequences
- Consider switching to an alternative templating library if immediate patching is not possible
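One way to implement the length restriction and pre-validation workarounds, as an added example that is not part of the tmpl package. The names `checkTemplate`, `guardedRender` and `MAX_TEMPLATE_LENGTH` are hypothetical, the 4096-character limit is an assumption, and `render` stands in for the tmpl function so the example runs offline.

```javascript
// Added example: pre-validation for strings passed to a tmpl-style renderer.
const MAX_TEMPLATE_LENGTH = 4096; // assumed limit; size it to your real templates

// Single linear pass with no regular expressions. Accepted strings have every
// '{' closed by the nearest '}' with at least one character in between, so the
// unpatched pattern never has to scan past the end of a placeholder.
function checkTemplate(str) {
  if (typeof str !== 'string') return { ok: false, reason: 'not-a-string' };
  if (str.length > MAX_TEMPLATE_LENGTH) return { ok: false, reason: 'too-long' };
  let open = -1; // index of the currently open '{', or -1 when none is open
  for (let i = 0; i < str.length; i++) {
    const ch = str[i];
    if (ch === '{') {
      if (open !== -1) return { ok: false, reason: 'nested-brace', index: i };
      open = i;
    } else if (ch === '}' && open !== -1) {
      if (i === open + 1) return { ok: false, reason: 'empty-placeholder', index: i };
      open = -1;
    }
  }
  if (open !== -1) return { ok: false, reason: 'unclosed-brace', index: open };
  return { ok: true };
}

// Validate first, then hand the string to the renderer (tmpl in production).
function guardedRender(render, str, data) {
  const verdict = checkTemplate(str);
  if (!verdict.ok) throw new RangeError(`template rejected: ${verdict.reason}`);
  return render(str, data);
}

// Constructed inputs for a stand-alone run.
for (const s of ['Hello {name}', '{'.repeat(50), 'total: {sum', '{}']) {
  console.log(JSON.stringify(s.slice(0, 16)), checkTemplate(s));
}
```

The check also rejects templates that contain literal braces, such as embedded JSON, so apply it only where template strings are expected to hold simple `{key}` placeholders.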
# Configuration example
# Update nodejs-tmpl to patched version
npm update tmpl
# Or explicitly install a specific patched version
npm install tmpl@latest
# Verify installed version
npm list tmpl
# Audit dependencies for known vulnerabilities
npm audit
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

