CVE-2025-7579
BaseFortify
Publication date: 2025-07-14
Last updated on: 2026-04-29
Assigner: VulDB
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| chinese-poetry | chinese-poetry | 0.1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-400 | The product does not properly control the allocation and maintenance of a limited resource. |
| CWE-1333 | The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-7579 is a Regular Expression Denial of Service (ReDoS) vulnerability in the chinese-poetry project version 0.1, specifically in the rank/server.js file. The vulnerability arises from an inefficient regular expression used to strip <script> and <style> tags from input. This regex can be exploited by a specially crafted malicious string containing many partial opening tags without closing tags, causing catastrophic backtracking in the regex engine. This leads to excessive CPU usage, blocking the Node.js event loop and making the application unresponsive, resulting in a denial of service. [1, 3]
How can this vulnerability impact me?
This vulnerability can cause the affected application to become unresponsive due to excessive CPU consumption triggered by malicious input. An attacker can remotely exploit this by sending specially crafted strings that cause the regular expression to perform catastrophic backtracking, effectively causing a Denial of Service (DoS) by blocking the Node.js event loop and making the service unavailable to legitimate users. [1, 2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for high CPU usage or unresponsiveness in the Node.js application using the vulnerable chinese-poetry 0.1 version, specifically when processing inputs that contain many partial <script> or <style> tags without closing tags. Detection can involve sending crafted test strings that mimic the attack patterns, such as repeated partial tags, to see if the application hangs or consumes excessive CPU. Example test strings include repeated '<style' or '<script' tags. Commands to detect this might include using curl or similar tools to send these payloads to the affected service endpoint and monitoring the process with system tools like 'top' or 'htop' for CPU spikes. For example:

1. Use curl to send a crafted payload: curl -X POST -d "$(printf '<style%.0s' {1..100000})>" http://target-service/path
2. Monitor CPU usage with: top or htop
3. Check Node.js process responsiveness.

Note that no specific detection commands are provided in the resources, but these approaches align with the described attack vectors and symptoms. [3]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include applying the patched regular expression to the vulnerable code in rank/server.js to prevent catastrophic backtracking. The fix involves replacing the original regex with one that uses a negative lookahead to avoid exponential backtracking, specifically changing from /<(script|style)[^>]*>[\s\S]*?<\/\1>/g to /<(script|style)[^>]*>(?:(?!<\/\1>)[\s\S])*?<\/\1>/g. If patching is not immediately possible, consider restricting or sanitizing inputs to avoid maliciously crafted strings with many partial tags, or temporarily replacing the vulnerable component with an alternative product. Monitoring and limiting resource usage may also help mitigate impact until a fix is applied. [3, 2]
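
The two mitigations above (the patched regex and an input restriction) combined in one place, as an added example that is not code from the chinese-poetry project. The two regexes are copied from the answer above; the function names, the 64 KiB cap and the sample strings are assumptions made for illustration.

```javascript
// Regexes as quoted in the mitigation text; everything else here is assumed.
const ORIGINAL = /<(script|style)[^>]*>[\s\S]*?<\/\1>/g;
const PATCHED = /<(script|style)[^>]*>(?:(?!<\/\1>)[\s\S])*?<\/\1>/g;

// Assumed cap: size it to the largest legitimate document the service handles.
// A length cap bounds the work the regex engine can do on one request,
// whichever pattern is deployed.
const MAX_INPUT_CHARS = 64 * 1024;

// Strip <script>/<style> blocks, rejecting oversized input before any regex runs.
function stripScriptStyle(input, maxChars = MAX_INPUT_CHARS) {
  if (typeof input !== 'string') {
    throw new TypeError('input must be a string');
  }
  if (input.length > maxChars) {
    throw new RangeError(`input of ${input.length} chars exceeds cap of ${maxChars}`);
  }
  return input.replace(PATCHED, '');
}

// Constructed benign samples covering the shapes the stripper is meant to handle.
const SAMPLES = [
  '<p>a</p><script>alert(1)</script><p>b</p>',
  '<style type="text/css">p{color:red}</style>text',
  '<script>a</script>x<script>b</script>',
  '<script>var s = "</style>";</script>kept', // mismatched closer inside the body
  '<style>unterminated',                      // no closing tag: left untouched
  'no tags at all',
];

// Regression check to run before deploying the patch: on legitimate input the
// patched pattern must remove exactly what the original removed.
function patchedMatchesOriginal(samples = SAMPLES) {
  return samples.every((s) => s.replace(ORIGINAL, '') === s.replace(PATCHED, ''));
}
```

In a request handler, treat the `RangeError` as a client error and reject the request rather than retrying with the uncapped input.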