CVE-2026-45617
LiquidJS ReDoS via strip_html Regex Quadratic Backtracking

Publication date: 2026-06-17

Last updated on: 2026-06-17

Assigner: GitHub, Inc.

Description
LiquidJS is a Shopify/GitHub Pages compatible template engine written in pure JavaScript. In versions 10.25.7 and below, the built-in strip_html filter uses a regex containing four flawed lazy-quantified alternatives, leading to ReDoS via quadratic backtracking. When the input contains many <script, <style, or <!-- opener tokens without matching closers, the V8 regex engine performs O(N²) backtracking, blocking the Node.js event loop. A single ~350 KB request ('<script'.repeat(50000)) stalls the process for ~10 seconds; cost grows quadratically with input size. The default memoryLimit: Infinity does not bound regex CPU, and even when configured strip_html only charges str.length to the limit — the regex itself runs unbounded. A single unauthenticated request containing crafted untrusted input can cause severe event-loop blocking and CPU amplification that saturates Node.js workers while bypassing memoryLimit protections. This issue has been fixed in version 10.26.0.

Meta Information
Published: 2026-06-17
Last Modified: 2026-06-17
Generated: 2026-06-18
AI Q&A: 2026-06-18
EPSS Evaluated: N/A

Affected Vendors & Products
Showing 2 associated CPEs

| Vendor | Product | Version / Range |
| --- | --- | --- |
| liquidjs | liquidjs | to 10.26.0 (exc) |
| liquidjs | liquidjs | 10.26.0 |

| CWE ID | Description |
| --- | --- |
| CWE-1333 | The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles. |

Executive Summary

This vulnerability exists in LiquidJS versions 10.25.7 and below, specifically in the built-in strip_html filter. The filter uses a regular expression with four flawed lazy-quantified alternatives that cause Regular Expression Denial of Service (ReDoS) through quadratic backtracking.

When the input contains many opening tokens like <script, <style, or <!-- without matching closing tokens, the V8 regex engine performs backtracking that grows quadratically with the input size. This leads to blocking of the Node.js event loop.

For example, a single crafted request of about 350 KB containing repeated '<script' strings can stall the process for approximately 10 seconds. The CPU cost increases quadratically as the input size grows.

Additionally, the default memoryLimit setting does not limit the CPU usage caused by the regex, allowing an attacker to cause severe event-loop blocking and CPU saturation with a single unauthenticated request containing crafted input.

This vulnerability was fixed in LiquidJS version 10.26.0.

Impact Analysis

This vulnerability can cause severe denial of service by blocking the Node.js event loop, which can stall the application for several seconds or longer depending on the input size.

An attacker can send a single unauthenticated request with crafted input to cause high CPU usage and saturate Node.js workers, effectively making the application unresponsive.

Because the regex CPU usage is unbounded and not limited by memory settings, this can lead to resource exhaustion and potential downtime or degraded performance of services relying on LiquidJS.

Detection Guidance

This vulnerability can be detected by monitoring for unusually high CPU usage or event-loop blocking in Node.js processes running LiquidJS versions 10.25.7 and below. Specifically, look for processes that stall or become unresponsive when processing inputs containing many '<script', '<style', or '<!--' tokens without matching closers.

You can attempt to reproduce the issue by sending a crafted request containing a large number of repeated '<script' tokens (e.g., a string repeated 50,000 times) to the affected service and observing whether the Node.js event loop is blocked or CPU usage spikes significantly.

General commands and tools for monitoring Node.js process performance include:

  • Using top or htop to observe CPU usage: `top -p <node_process_pid>`
  • Using Node.js built-in diagnostics or profiling tools to detect event loop delays.
  • Using network monitoring tools to detect unusually large or malformed requests containing many '<script' tokens.

Mitigation Strategies

The immediate step to mitigate this vulnerability is to upgrade LiquidJS to version 10.26.0 or later, where the issue has been fixed.

Until the upgrade can be applied, consider implementing input validation or sanitization to block or limit inputs containing excessive '<script', '<style', or '<!--' tokens that could trigger the regex backtracking.

Additionally, monitor and limit request sizes and rate-limit requests to reduce the risk of denial-of-service caused by crafted inputs.
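
The detection and input-limiting advice above can share one linear-time pre-check, shown here as an added example that is not part of the advisory or of LiquidJS. The opener and closer strings come from the description; the function names and both thresholds are assumptions to tune per deployment.

```javascript
// Added example: flag strings with many unclosed '<script', '<style' or '<!--'
// openers before they reach strip_html. Uses indexOf only, so it scans in
// linear time and cannot backtrack.
const TOKENS = [
  { open: '<script', close: '</script>' },
  { open: '<style', close: '</style>' },
  { open: '<!--', close: '-->' },
];

// Pair each opener with the next closer after it; once no closer remains,
// that opener and every later one count as unclosed.
function countUnclosed(text, open, close) {
  let pos = 0;
  for (;;) {
    const start = text.indexOf(open, pos);
    if (start === -1) return 0;
    const end = text.indexOf(close, start + open.length);
    if (end === -1) {
      let n = 0;
      for (let i = start; i !== -1; i = text.indexOf(open, i + open.length)) n++;
      return n;
    }
    pos = end + close.length;
  }
}

// maxLength and maxUnclosed are assumed defaults, not values from the advisory.
function inspectStripHtmlInput(input, { maxLength = 64 * 1024, maxUnclosed = 32 } = {}) {
  const text = String(input);
  if (text.length > maxLength) return { ok: false, reason: 'too-long', unclosed: null };
  // Lower-casing is a conservative choice so mixed-case tokens are counted too.
  const lower = text.toLowerCase();
  let unclosed = 0;
  for (const { open, close } of TOKENS) unclosed += countUnclosed(lower, open, close);
  if (unclosed > maxUnclosed) return { ok: false, reason: 'unclosed-openers', unclosed };
  return { ok: true, reason: null, unclosed };
}

// Constructed sample inputs.
console.log(inspectStripHtmlInput('<p>Hi</p><script>x()</script><!-- note -->'));
console.log(inspectStripHtmlInput('<script'.repeat(1000)));
```

Run the check on untrusted values before they enter the render context, and log rejected inputs with their `unclosed` count so that probing shows up in request telemetry.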
