CVE-2023-26115 Overview
CVE-2023-26115 is a Regular Expression Denial of Service (ReDoS) vulnerability affecting all versions of the word-wrap npm package prior to 1.2.4. It stems from an insecure regular expression applied to the result variable in the package's core wrapping routine. When the package processes specially crafted input strings, the regex engine enters catastrophic backtracking, consuming excessive CPU and potentially disrupting service.
Critical Impact
Applications using the word-wrap package can be rendered unresponsive through malicious input, causing denial of service conditions that affect availability of Node.js applications and services.
Affected Products
- word-wrap (all versions prior to 1.2.4) for Node.js
- org.webjars.npm:word-wrap (Java WebJars distribution)
- Any application with word-wrap as a direct or transitive dependency
Discovery Timeline
- June 22, 2023 - CVE-2023-26115 published to NVD
- February 13, 2025 - Last updated in NVD database
Technical Details for CVE-2023-26115
Vulnerability Analysis
This vulnerability is classified as CWE-1333 (Inefficient Regular Expression Complexity). The word-wrap package is a popular utility used for wrapping text at a specified column width, commonly employed in CLI tools, documentation generators, and text formatting applications.
The vulnerable code path is reached whenever the package wraps input text. The regular expression applied to the result variable exhibits polynomial or exponential time complexity on certain input patterns, a classic ReDoS condition in which the regex engine falls into catastrophic backtracking.
Attackers can exploit this vulnerability remotely by providing malicious input to any application endpoint that processes user-controlled strings through the word-wrap package. No authentication is required, and the attack can be executed over the network, making it particularly dangerous for publicly accessible applications.
Root Cause
The root cause lies in the design of a regular expression in the word-wrap package's index.js file at line 39. The regex contains nested quantifiers or overlapping alternations that let a backtracking engine explore an exponentially growing number of candidate matches on adversarial input. This inefficiency is inherent to regex engines that use backtracking, and it is triggered by input strings crafted to maximize the number of backtracking steps.
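To make the backtracking cost concrete, here is an added example of mine, not code from the word-wrap project: a trailing-whitespace trim written as a multiline-anchored regex, beside a linear-time rewrite of the kind a fix would use. The page names the result variable and line 39 but does not print the pattern; /[ \t]*$/gm is my reading of the reported trim regex and should be treated as an assumption.

```javascript
// Added example, not code from the word-wrap project.
// Assumption: the trim applied to word-wrap's `result` variable before 1.2.4
// was a multiline-anchored regex of this shape.
const ANCHORED_TRIM = /[ \t]*$/gm;

// Regex form. With the m flag, `$` matches before each line terminator and at
// end of input. When `[ \t]*` swallows a run of spaces/tabs that is not
// followed by a line end, `$` fails and the engine gives characters back one
// at a time, then restarts from the next index: total work grows quadratically
// with the run length. That is the backtracking cost the Root Cause describes.
function trimTrailingRegex(text) {
  return text.replace(ANCHORED_TRIM, '');
}

// Hardened form: walk each line once from the right. No regex, no backtracking,
// cost is linear in the input size regardless of content.
function trimLineEnd(line) {
  // Preserve a trailing carriage return so CRLF input stays CRLF.
  const hasCR = line.endsWith('\r');
  let end = hasCR ? line.length - 1 : line.length;
  while (end > 0 && (line[end - 1] === ' ' || line[end - 1] === '\t')) end--;
  return line.slice(0, end) + (hasCR ? '\r' : '');
}

function trimTrailingLinear(text) {
  return text.split('\n').map(trimLineEnd).join('\n');
}

// Constructed sample: both functions produce the same output on ordinary
// text; only the cost profile differs.
const SAMPLE_TEXT = 'indented line  \t\n\tsecond\t\nthird   ';
```

The rewrite keeps the observable behaviour (trailing spaces and tabs removed per line, leading indentation untouched) while removing the anchor-driven retry loop, which is the property a reviewer should check for in any trim or cleanup regex applied to untrusted text.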
Attack Vector
The attack vector for CVE-2023-26115 is network-based, requiring no privileges or user interaction. An attacker can exploit this vulnerability by:
- Identifying an application that uses the word-wrap package to process user-supplied input
- Crafting a malicious string designed to trigger catastrophic backtracking in the vulnerable regex
- Submitting this payload through any input mechanism (HTTP request, API call, form submission, etc.)
The regex evaluation then saturates the application's CPU, causing service degradation or a complete denial of service.
The vulnerability affects the availability of the system but does not compromise confidentiality or integrity of data. Due to the network accessibility and lack of required privileges, this vulnerability is particularly impactful for public-facing Node.js applications.
Detection Methods for CVE-2023-26115
Indicators of Compromise
- Abnormally high CPU utilization on Node.js application servers without corresponding increase in legitimate traffic
- Application process hangs or timeouts occurring specifically in text processing operations
- Repeated requests containing unusually long or specially formatted strings targeting text wrapping functionality
- Log entries showing request timeouts or process terminations in modules related to text formatting
Detection Strategies
- Implement Software Composition Analysis (SCA) scanning to identify word-wrap dependencies in your codebase using tools like npm audit, Snyk, or OWASP Dependency-Check
- Monitor application performance metrics for sudden CPU spikes that correlate with specific request patterns
- Deploy Web Application Firewall (WAF) rules to detect and block requests containing potential ReDoS payloads
- Use static analysis tools that can identify vulnerable regex patterns in your application's dependencies
Monitoring Recommendations
- Set up alerting for CPU utilization thresholds on Node.js application processes
- Implement request timeout monitoring to detect hanging requests that may indicate ReDoS exploitation attempts
- Review application logs for patterns of failed or timed-out requests, particularly those involving text processing endpoints
- Monitor dependency vulnerability databases for updates related to word-wrap and similar text processing libraries
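The indicators and monitoring points above can be turned into a first-pass log check. The following is an added example of mine, not from the advisory: it groups requests by endpoint, treats timeouts and over-budget durations as "slow", and flags endpoints where slow requests are common and carry much larger payloads than fast ones. The log format and every line are constructed for this demo; adapt the parser to your own access-log layout.

```javascript
// Added example, not from the advisory. Log lines and their format are
// constructed; the fields are timestamp, method, path, status, body bytes, ms.
const SAMPLE_LOG = [
  '2023-06-23T10:00:01Z POST /api/format status=200 bytes=512 ms=12',
  '2023-06-23T10:00:02Z POST /api/format status=200 bytes=640 ms=15',
  '2023-06-23T10:00:03Z POST /api/format status=200 bytes=701 ms=14',
  '2023-06-23T10:00:05Z POST /api/format status=504 bytes=48210 ms=30000',
  '2023-06-23T10:00:06Z POST /api/format status=504 bytes=51033 ms=30000',
  '2023-06-23T10:00:07Z GET /api/health status=200 bytes=0 ms=1',
  '2023-06-23T10:00:08Z GET /api/health status=200 bytes=0 ms=1',
  '2023-06-23T10:00:09Z POST /api/format status=504 bytes=49877 ms=30000',
  'malformed line that the parser must skip',
];

const LINE_RE = /^(\S+) (\S+) (\S+) status=(\d{3}) bytes=(\d+) ms=(\d+)$/;

// Returns a record for a well-formed line, null otherwise (never throws).
function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  return {
    ts: m[1], method: m[2], path: m[3],
    status: Number(m[4]), bytes: Number(m[5]), ms: Number(m[6]),
  };
}

function median(values) {
  if (values.length === 0) return 0;
  const s = [...values].sort((a, b) => a - b);
  const mid = s.length >> 1;
  return s.length % 2 ? s[mid] : (s[mid - 1] + s[mid]) / 2;
}

// A request is "slow" if it exceeded slowMs or was cut off with a 504.
// A path is flagged when at least minSlowShare of its requests are slow AND
// the median slow payload is sizeFactor times the median fast payload: the
// "long or specially formatted strings plus timeouts" pattern listed above.
function analyze(lines, { slowMs = 5000, minSlowShare = 0.25, sizeFactor = 10 } = {}) {
  const byPath = new Map();
  for (const line of lines) {
    const r = parseLine(line);
    if (!r) continue;
    if (!byPath.has(r.path)) byPath.set(r.path, { fast: [], slow: [] });
    const bucket = byPath.get(r.path);
    (r.ms >= slowMs || r.status === 504 ? bucket.slow : bucket.fast).push(r.bytes);
  }
  const findings = [];
  for (const [path, { fast, slow }] of byPath) {
    const total = fast.length + slow.length;
    const slowShare = slow.length / total;
    const medianSlow = median(slow);
    const medianFast = median(fast);
    const flagged = slowShare >= minSlowShare
      && medianSlow > sizeFactor * Math.max(medianFast, 1);
    findings.push({ path, total, slow: slow.length, slowShare, medianSlow, medianFast, flagged });
  }
  // Worst endpoints first.
  return findings.sort((a, b) => b.slowShare - a.slowShare);
}
```

A flagged endpoint is a lead, not proof: the next step is to confirm whether that endpoint passes user-supplied text through word-wrap (directly or via a dependency) and to check the installed version.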
How to Mitigate CVE-2023-26115
Immediate Actions Required
- Upgrade the word-wrap package to version 1.2.4 or later, which contains the security fix for this vulnerability
- Run npm audit or equivalent package auditing tools to identify all instances of vulnerable word-wrap versions in your dependency tree
- Review transitive dependencies that may include word-wrap as an indirect dependency
- Implement input validation and length limits on user-supplied strings before processing through text wrapping functions
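Steps two and three above (auditing the tree and reviewing transitive dependencies) can be automated against the JSON that npm prints. The following is an added example of mine, not npm's or the advisory's code; it assumes the shape of `npm ls --all --json` output (nested `dependencies` objects, each entry carrying a `version`) and uses a constructed tree with hypothetical package names in place of real output.

```javascript
// Added example, not from npm or the advisory. Walks a tree in the shape that
// `npm ls --all --json` prints (assumed: each node has `version` and an
// optional `dependencies` object keyed by package name) and lists every
// install of a package older than the fixed version.
// The tree and the demo-* package names are constructed for this example.
const SAMPLE_TREE = {
  name: 'demo-app',
  version: '1.0.0',
  dependencies: {
    'word-wrap': { version: '1.2.4' },
    'demo-cli': {
      version: '3.1.0',
      dependencies: {
        'demo-arg-parser': {
          version: '0.9.1',
          dependencies: { 'word-wrap': { version: '1.2.3' } },
        },
      },
    },
    'demo-docs-gen': {
      version: '2.0.0',
      dependencies: { 'word-wrap': { version: '1.0.3' } },
    },
    'demo-dedupe-check': {
      version: '1.0.0',
      dependencies: { 'word-wrap': { version: '1.2.5' } },
    },
  },
};

// Numeric major.minor.patch comparison; pre-release and build suffixes are
// ignored, which is sufficient for a "below the fixed version" check.
function compareVersions(a, b) {
  const pa = a.split(/[-+]/)[0].split('.').map(Number);
  const pb = b.split(/[-+]/)[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Returns [{ path: 'a > b > word-wrap', version }] for every nested install
// of `pkg` whose version is below `fixed`, in tree order.
function findOutdated(tree, pkg = 'word-wrap', fixed = '1.2.4') {
  const hits = [];
  const walk = (node, path) => {
    for (const [name, child] of Object.entries(node.dependencies || {})) {
      const childPath = [...path, name];
      if (name === pkg && child.version && compareVersions(child.version, fixed) < 0) {
        hits.push({ path: childPath.join(' > '), version: child.version });
      }
      walk(child, childPath);
    }
  };
  walk(tree, []);
  return hits;
}
```

In practice, capture the tree with `npm ls --all --json > tree.json`, load it with `JSON.parse(fs.readFileSync('tree.json', 'utf8'))` and pass it to `findOutdated`; each reported path tells you which direct dependency pulls in the old copy and therefore which `overrides` entry or upstream upgrade removes it.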
Patch Information
The word-wrap maintainers have released version 1.2.4, which addresses this ReDoS vulnerability. The patch information is available in the GitHub Release Notes. Organizations should update their package.json dependencies to require word-wrap@^1.2.4 or later.
For Java applications using the WebJars distribution, update to the corresponding patched version through your Maven or Gradle configuration.
Additional security guidance is available from Snyk's JavaScript vulnerability advisory and NetApp's Security Advisory.
Workarounds
- Implement input length restrictions on any user-supplied strings before they reach the word-wrap function to limit the potential for ReDoS exploitation
- Use request timeout mechanisms to terminate long-running operations that may indicate a ReDoS attack in progress
- Consider using alternative text wrapping libraries that have been audited for regex safety until the package can be updated
- Deploy rate limiting on endpoints that process user text to reduce the impact of potential exploitation attempts
Example commands to upgrade and verify with npm:
# Update word-wrap to patched version
npm update word-wrap
# Verify the installed version is 1.2.4 or later
npm list word-wrap
# Run security audit to check for remaining vulnerabilities
npm audit
# Force resolution of transitive dependencies (if using npm 8.3+)
npm pkg set overrides.word-wrap="^1.2.4"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.