Denial of Service in decode-uri-component

Executive Summary

CVE-2026-45822 is a denial of service vulnerability in the decode-uri-component library through version 0.4.1. The vulnerability arises because the decode() function splits input on '%' characters, producing N tokens and calling decodeComponents(), which results in super-linear parsing time. For example, 200 '%ab' tokens take approximately 0.7 seconds to process, 700 tokens take about 6 seconds, and 1400 tokens take around 33 seconds. This inefficient parsing allows an attacker to craft input that causes significant CPU consumption and blocks the event loop.

Additionally, the vulnerability involves improper handling of multi-byte sequences during URI component decoding, where malformed or incomplete sequences can cause unexpected behavior or security risks due to insufficient validation or error handling.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact you by allowing an attacker to cause a denial of service condition in applications using the decode-uri-component library. By sending specially crafted input containing many percent-encoded tokens, the attacker can cause excessive CPU usage and block the event loop, potentially making the application unresponsive or significantly degraded in performance.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability causes super-linear CPU consumption and event-loop blocking when processing crafted inputs with many percent-encoded tokens. Detection can focus on identifying unusually high CPU usage or delays in systems using decode-uri-component versions through 0.4.1.

One approach is to monitor for requests or inputs containing large numbers of percent-encoded sequences (e.g., many '%ab' tokens). You can use network monitoring tools or logs to filter such inputs.

Example commands to detect suspicious inputs might include:

• Using grep to find inputs with many percent signs in logs: grep -E '%[0-9a-fA-F]{2}' access.log | awk '{print $0, gsub(/%[0-9a-fA-F]{2}/,"&")}' | sort -nrk2 | head
• Using top or htop to monitor CPU usage spikes that correlate with application activity.
• Using strace or similar tools to trace system calls of the affected process during suspected high CPU usage.

Since the vulnerability is triggered by inputs with many percent-encoded tokens, automated scripts can be written to send crafted payloads with increasing numbers of '%ab' tokens to test if the system exhibits performance degradation.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation is to upgrade the decode-uri-component library to a version that includes the fix, which rewrites the decoder as a single-pass UTF-8 scanner improving performance and security.

If upgrading immediately is not possible, consider implementing input validation or rate limiting to block or throttle requests containing excessive percent-encoded sequences that could trigger the denial of service.

Additionally, monitor system CPU usage and application responsiveness to detect potential exploitation attempts early.

Useful 0 Not Useful 0

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Useful 0 Not Useful 0