CVE-2021-3807 Overview
CVE-2021-3807 is a Regular Expression Denial of Service (ReDoS) vulnerability in the ansi-regex package for Node.js. The vulnerability stems from an inefficient regular expression pattern that can be exploited to cause catastrophic backtracking when processing specially crafted input strings. This can lead to significant CPU resource exhaustion and denial of service conditions in applications that rely on ansi-regex for stripping ANSI escape codes from strings.
Critical Impact
Applications using vulnerable versions of ansi-regex can be rendered unresponsive through crafted input strings that trigger exponential regex backtracking, leading to denial of service conditions in Node.js environments.
Affected Products
- ansi-regex versions prior to 5.0.1 (for 5.x branch)
- ansi-regex versions prior to 6.0.1 (for 6.x branch)
- Oracle Communications Cloud Native Core Policy 1.15.0
Discovery Timeline
- 2021-09-17 - CVE-2021-3807 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-3807
Vulnerability Analysis
The ansi-regex package provides a regular expression for matching ANSI escape codes in strings. The vulnerability exists in the regex pattern used to identify these escape sequences. The original pattern contained nested quantifiers and alternations that could lead to catastrophic backtracking when processing malicious input.
When the regex engine encounters certain crafted strings, it attempts to match the pattern through an exponentially increasing number of possible paths. This behavior, known as ReDoS (Regular Expression Denial of Service), can cause the Node.js event loop to block for extended periods, effectively denying service to legitimate requests.
The vulnerability affects any application that processes untrusted input through the ansi-regex pattern, including CLI tools, logging systems, and web applications that handle terminal output.
Root Cause
The root cause is an inefficient regular expression pattern with problematic nested quantifiers. The original pattern [a-zA-Z\\d]*(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]*)* allowed for ambiguous matching paths that the regex engine would explore exhaustively when given adversarial input. The combination of the * quantifier applied to character classes within nested groups created exponential time complexity.
Attack Vector
An attacker can exploit this vulnerability by sending specially crafted strings containing sequences that trigger catastrophic backtracking in the regex engine. This is a network-accessible attack requiring no authentication or user interaction, making it particularly dangerous for public-facing applications.
The attack requires the ability to provide input that gets processed by the ansi-regex pattern. Common attack surfaces include:
- Command-line argument processing
- Log message handling
- API endpoints that process terminal-formatted text
- Web sockets or real-time messaging systems
export default function ansiRegex({onlyFirst = false} = {}) {
const pattern = [
- '[\\\u001B\\\u009B][[\\]()#;?]*(?:(?:(?:[a-zA-Z\\d]*(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]*)*)?\\\u0007)',
+ '[\\\u001B\\\u009B][[\\]()#;?]*(?:(?:(?:(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]+)*|[a-zA-Z\\d]+(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]*)*)?\\\u0007)',
'(?:(?:\\d{1,4}(?:;\\d{0,4})*)?[\\dA-PR-TZcf-ntqry=><~]))
].join('|');
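Review bot: the fix removes the overlap between the `[[\\]()#;?]*` prefix and the parameter group for runs of `;`, which is where the backtracking came from: in the removed line, `[a-zA-Z\\d]*(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]*)*` can match the empty string before the group, and a run of semicolons can be split in every possible way between the prefix (which accepts `;`) and the `(?:;...)*` repetitions, so when the terminating `\\u0007` is absent the engine retries the match once per split. In the added line the first alternative `(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]+)*` needs at least one non-`;` byte after every `;`, and the second alternative must begin with `[a-zA-Z\\d]+`, which the prefix cannot consume, so each byte has exactly one place it can land. Two smaller points: this branch still terminates only on `\\u0007` (BEL), and the unchanged context line as rendered here lacks the closing `'` before `].join('|')`, which would be a syntax error if copied verbatim.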
Source: GitHub Commit
Detection Methods for CVE-2021-3807
Indicators of Compromise
- Unusual CPU spikes in Node.js processes handling string input
- Blocked or unresponsive event loops in application monitoring
- Timeouts in request processing with no obvious cause
- Memory pressure increases accompanying high CPU utilization
Detection Strategies
- Implement Software Composition Analysis (SCA) scanning to identify vulnerable ansi-regex versions in your dependency tree
- Monitor Node.js process CPU utilization for sustained spikes during input processing
- Use application performance monitoring (APM) tools to detect event loop blocking
- Review package-lock.json or yarn.lock files for vulnerable versions of ansi-regex
Monitoring Recommendations
- Set up alerts for Node.js process CPU utilization exceeding normal thresholds
- Monitor request latency metrics for sudden increases
- Implement timeout mechanisms for string processing operations
- Use npm audit or similar dependency scanning tools in CI/CD pipelines
How to Mitigate CVE-2021-3807
Immediate Actions Required
- Upgrade ansi-regex to version 5.0.1 or later (for 5.x users)
- Upgrade ansi-regex to version 6.0.1 or later (for 6.x users)
- Run npm audit fix to automatically resolve dependency vulnerabilities
- Review and update transitive dependencies that may include vulnerable ansi-regex versions
Patch Information
The vulnerability has been addressed in ansi-regex versions 5.0.1 and 6.0.1. The fix modifies the regular expression pattern to eliminate the nested quantifier issue that caused catastrophic backtracking. The patch can be reviewed in the GitHub commit. Oracle has also addressed this vulnerability in their products through the April 2022 Critical Patch Update.
Workarounds
- Implement input length limits on strings processed by ansi-regex
- Add timeout mechanisms for regex operations using safe-regex or similar libraries
- Consider using alternative ANSI stripping methods that don't rely on vulnerable regex patterns
- Isolate string processing into worker threads to prevent main event loop blocking
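The first three workarounds can be combined in one small wrapper. The code below is an added example and is not part of the advisory or of the ansi-regex project: it strips ANSI escape sequences with a single left-to-right scan instead of a regular expression, so its cost is linear in the input length whatever the input contains, and it fronts that scanner with a length cap and per-call timing so oversized input is refused and slow calls show up in monitoring. The sequence grammar it recognises (CSI, OSC with BEL or ESC-backslash terminator, and two-byte ESC sequences), the cap and the time budget are assumptions chosen for the example; the `stripper` argument lets you pass the library's own `stripAnsi` instead to get the same telemetry around it.

```javascript
// Added example: regex-free ANSI stripper plus a length/timing guard.
// Not code from the advisory or the ansi-regex project.
const ESC = 0x1b;   // ESC
const CSI = 0x9b;   // C1 single-byte CSI
const BEL = 0x07;   // BEL, one OSC terminator

// Strip ANSI escape sequences in one pass. Every index is advanced at most a
// constant number of times, so runtime is linear in input.length regardless
// of content; there is no backtracking because there is no regex.
function stripAnsiLinear(input) {
  let out = '';
  let i = 0;
  const n = input.length;
  while (i < n) {
    const c = input.charCodeAt(i);
    if (c !== ESC && c !== CSI) { out += input[i]; i++; continue; }

    // CSI: "ESC [" or 0x9B, then parameter/intermediate bytes 0x20-0x3F,
    // then one final byte (0x40-0x7E). A truncated sequence at end of input
    // is dropped; a malformed one consumes the byte that ended the parameters.
    if (c === CSI || input.charCodeAt(i + 1) === 0x5b) {
      let j = c === CSI ? i + 1 : i + 2;
      while (j < n && input.charCodeAt(j) >= 0x20 && input.charCodeAt(j) <= 0x3f) j++;
      i = j < n ? j + 1 : n;
      continue;
    }

    // OSC: "ESC ]" ... terminated by BEL or by ST ("ESC \").
    if (input.charCodeAt(i + 1) === 0x5d) {
      let j = i + 2;
      while (j < n) {
        const d = input.charCodeAt(j);
        if (d === BEL) { j++; break; }
        if (d === ESC && input.charCodeAt(j + 1) === 0x5c) { j += 2; break; }
        j++;
      }
      i = j;
      continue;
    }

    // Any other two-byte ESC sequence (ESC c, ESC =, ...); a lone trailing ESC is dropped.
    i = Math.min(i + 2, n);
  }
  return out;
}

const MAX_INPUT_LENGTH = 64 * 1024;  // assumed cap; size it to the real workload
const SLOW_CALL_BUDGET_MS = 5;       // assumed alert threshold for one call

// Enforce the length cap before any processing, time the call, and hand a
// structured event to `log` when input is refused or a call overran the budget.
function guardedStrip(input, stripper = stripAnsiLinear, log = () => {}) {
  if (typeof input !== 'string') throw new TypeError('expected a string');
  if (input.length > MAX_INPUT_LENGTH) {
    log({ event: 'ansi_strip_rejected', length: input.length, limit: MAX_INPUT_LENGTH });
    return { ok: false, reason: 'input too long', output: null, elapsedMs: 0 };
  }
  const start = process.hrtime.bigint();
  const output = stripper(input);
  const elapsedMs = Number(process.hrtime.bigint() - start) / 1e6;
  if (elapsedMs > SLOW_CALL_BUDGET_MS) {
    log({ event: 'ansi_strip_slow', length: input.length, elapsedMs });
  }
  return { ok: true, reason: null, output, elapsedMs };
}

// Constructed sample input: SGR colour codes, a window-title OSC and a hyperlink OSC.
const SAMPLE = '\u001b[31mred\u001b[0m \u001b]0;title\u0007plain \u001b]8;;https://example.com\u001b\\link\u001b]8;;\u001b\\';
console.log(JSON.stringify(guardedStrip(SAMPLE, stripAnsiLinear, (e) => console.error(e))));

module.exports = { stripAnsiLinear, guardedStrip, MAX_INPUT_LENGTH, SLOW_CALL_BUDGET_MS, SAMPLE };
```

Feed the `log` callback into whatever emits your application metrics; a rising rate of `ansi_strip_slow` or `ansi_strip_rejected` events on one input path is the kind of signal the Detection section's CPU and latency alerts are looking for, but attributed to the specific call.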
# Upgrade ansi-regex to patched version
npm update ansi-regex
# Or force resolution in package.json (npm 8.3+)
# Add to package.json:
#   "overrides": {
#     "ansi-regex": "^5.0.1"
#   }
# For yarn users, add to package.json:
#   "resolutions": {
#     "ansi-regex": "^5.0.1"
#   }
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.