meteor/meteor

ReDoS Vulnerability Analysis and Fixes

Open

#13933 opened on Sep 18, 2025

View on GitHub
 (10 comments) (0 reactions) (0 assignees)JavaScript (44,781 stars) (5,257 forks)batch import
Project:Testinggood first issueidle

Description

Overview

This document details the analysis and fixes for Regular Expression Denial of Service (ReDoS) vulnerabilities found in the Meteor project's meteor-babel package.

Vulnerabilities Identified

Vulnerability 1: Whitespace Pattern

Location: npm-packages/meteor-babel/test/mocha.js:5949 Original Pattern: /\s+\}$/ Context: .replace(/\s+\}$/, '');

Attack Vectors:

  • ""+" ".repeat(100000)+"◎"
  • ""+" ".repeat(100000)+"!"

Problem: The pattern /\s+\}$/ causes catastrophic backtracking when input contains many whitespace characters followed by a non-} character at the end.

Vulnerability 2: Number Pattern

Location: npm-packages/meteor-babel/test/mocha.js:6005 Original Pattern: /(\d+\.\d+)/gm Context: .replace(/(\d+\.\d+)/gm, '<span class="number">$1</span>')

Attack Vectors:

  • ""+"0".repeat(100000)+"."
  • ""+"1".repeat(100000)+"◎"

Problem: The pattern /(\d+\.\d+)/gm causes excessive backtracking when input contains many digits followed by a dot but no digits after.

Fixes Using Negative Lookahead

Fix 1: Whitespace Pattern

// Original (vulnerable)
.replace(/\s+\}$/, '');

// Fixed using positive lookahead
.replace(/\s+(?=\}$)/, '');

Explanation: The positive lookahead (?=\}$) ensures we only match whitespace that is immediately followed by } at the end, preventing backtracking on non-matching endings.

Fix 2: Number Pattern

// Original (vulnerable)
.replace(/(\d+\.\d+)/gm, '<span class="number">$1</span>')

// Fixed using negative lookahead
.replace(/(\d+\.\d+)(?!\d)/gm, '<span class="number">$1</span>')

Explanation: The negative lookahead (?!\d) ensures we don't match if there's another digit after the decimal number, making the pattern more precise and preventing backtracking.

Security Impact

  • Severity: Medium
  • Attack Vector: Malicious input strings
  • Impact: CPU exhaustion, application freeze, denial of service
  • Affected Component: Test files (potential risk if patterns used in production)

Testing the Fixes

Before Fix (Vulnerable)

// This will cause high CPU usage
const maliciousInput = " ".repeat(100000) + "◎";
const result = maliciousInput.replace(/\s+\}$/, '');

After Fix (Safe)

// This executes quickly
const maliciousInput = " ".repeat(100000) + "◎";  
const result = maliciousInput.replace(/\s+(?=\}$)/, '');

Recommendations

  1. Immediate: Apply the proposed fixes to prevent ReDoS attacks
  2. Long-term: Implement regex security scanning in CI/CD pipeline
  3. Best Practice: Use tools like safe-regex to detect vulnerable patterns
  4. Code Review: Include regex security checks in code review process

References

Contributor guide

Tech stack
javascriptnodejs
Domain
securitybackend
Issue type
bug
DifficultyEstimated implementation difficulty for a new contributor, from 1 for very small changes to 5 for expert-level work.
3
Estimated timeA rough time range for an experienced contributor to investigate, implement, test, and prepare a pull request.
1-3 hours
Activity statusHow available the issue appears right now: fresh, active, stale, blocked, or waiting on maintainer input.
active
ClarityHow clearly the issue explains the expected change, acceptance criteria, and next step.
clear
Prerequisites
basic JavaScriptregular expressionssecurity fundamentals
Newbie friendlinessA 1-100 score estimating how approachable this issue is for first-time contributors.
60
Research direction
Review the vulnerable regex patterns in `npm packages/meteor babel/test/mocha.js` at lines 5949 and 6005. Apply the proposed fixes using positive and negative lookaheads as described in the issue. Test with the provided malicious inputs to verify the fix prevents ReDoS. Optionally, consider implementing regex security scanning in CI/CD as recommended in the issue.