fix: GHSA-cjw9-ghj4-fwxf CVE-2026-35041 ReDoS when using RegExp in allowed options#595

Merged: antoatta85 merged 8 commits into master from fix/ReDoS-with-regexp-in-allowed on Apr 9, 2026

Conversation

@antoatta85 (Collaborator)

fix: reject unsafe RegExp patterns in allowed* options to prevent ReDoS

Adds a construction-time check in createVerifier() that throws an invalidOption error if any of the allowedAud, allowedIss, allowedSub, allowedJti, or allowedNonce options contain a RegExp with nested quantifiers (e.g. (a+)+, (a*)+, (\w+)+), which are the primary class of patterns susceptible to catastrophic backtracking (CWE-1333).

The error is raised eagerly at verifier creation time, before any token is ever processed, so no attacker-controlled input can trigger the backtracking.

String values and safe RegExp patterns are unaffected.

Changes

  • src/verifier.js: added unsafeRegExpPattern constant and checkForUnsafeRegExp() helper; called for all five allowed* options during option validation in createVerifier()
  • test/verifier.spec.js: added 9 tests covering unsafe patterns across all five options, mixed arrays, various pattern variants, safe patterns that must not throw, and a normal verification round-trip with a safe RegExp

FIXES #594
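The construction-time check the description outlines, written out as an added illustration (this is not fast-jwt's own code; `checkForUnsafeRegExp`, `unsafeRegExpPattern` and the minimal `createVerifier` stand-in are assumed shapes, and the nested-quantifier detector is a source-only heuristic that never executes the suspicious RegExp):

```javascript
// Added example, not the project's implementation. Detects the class of
// patterns named in the PR: a group that contains a quantifier and is itself
// quantified, e.g. (a+)+, (a*)+, (\w+)+, (a{1,3})+. It inspects only the
// pattern source, so no input is ever matched against a suspicious RegExp.
// Limitation (by design of the heuristic): overlapping alternations such as
// (a|aa)+ are a different ReDoS class and are not flagged here.
const quantifier = '(?:[+*]|\\{\\d+(?:,\\d*)?\\})'
const unsafeRegExpPattern = new RegExp(
  '\\([^()]*' + quantifier + '[^()]*\\)' + quantifier
)

function isUnsafeRegExp(value) {
  return value instanceof RegExp && unsafeRegExpPattern.test(value.source)
}

// Mirrors the eager "invalidOption" failure: thrown while the verifier is
// being built, before any token is processed.
function checkForUnsafeRegExp(optionName, value) {
  const values = Array.isArray(value) ? value : [value]
  for (const v of values) {
    if (isUnsafeRegExp(v)) {
      throw new TypeError(
        `The ${optionName} option contains a RegExp with nested quantifiers: ${v}`
      )
    }
  }
}

const allowedOptions = ['allowedAud', 'allowedIss', 'allowedSub', 'allowedJti', 'allowedNonce']

// Minimal stand-in for createVerifier(): validates the five allowed* options
// up front and returns an object that matches claims against the vetted values.
function createVerifier(options = {}) {
  for (const name of allowedOptions) {
    if (options[name] !== undefined) checkForUnsafeRegExp(name, options[name])
  }
  return {
    matchesClaim(name, claim) {
      const allowed = options[name]
      const list = Array.isArray(allowed) ? allowed : [allowed]
      return list.some(a => (a instanceof RegExp ? a.test(claim) : a === claim))
    }
  }
}
```

Strings and plain RegExps pass through untouched; only a quantified group that itself contains a quantifier is rejected, and the rejection happens once at creation rather than per token.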

@martin-badin

@antoatta85 Could you fix this build?

@antoatta85 antoatta85 requested a review from SociableSteve April 9, 2026 09:57
@antoatta85 antoatta85 merged commit b0be0ca into master Apr 9, 2026
7 checks passed
@antoatta85 antoatta85 deleted the fix/ReDoS-with-regexp-in-allowed branch April 9, 2026 10:41

Linked issue (may be closed by merging this pull request): Address Sec Adv: ReDoS with regex in allowed option

3 participants