Vulnerability Information
Although we use advanced large-model technology, its output may still contain inaccurate or outdated information. Shenlong (神龙) strives to ensure the accuracy of its data, but please verify and judge according to your actual situation.
Vulnerability Title
Regular Expression Denial of Service (ReDoS) in jsx-slack
Vulnerability Description
jsx-slack is a library for building JSON objects for Slack Block Kit surfaces from JSX. In versions prior to 4.5.1, users are vulnerable to a regular expression denial-of-service (ReDoS) attack. If an attacker can put a large number of JSX elements into a `<blockquote>` tag, an internal regular expression used for escaping characters may consume an excessive amount of computing resources. jsx-slack v4.5.1 has patched the regex used for escaping blockquote characters. Users are advised to upgrade as soon as possible.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Vulnerability Type
Uncontrolled Resource Consumption (Resource Exhaustion)
Vulnerability Title
jsx-slack Security Vulnerability
Vulnerability Description
jsx-slack builds JSON objects for Slack Block Kit surfaces from JSX. jsx-slack contains a security vulnerability that stems from the software lacking effective handling and filtering for a regular expression, leaving users vulnerable to a regular expression denial-of-service (ReDoS) attack. If an attacker can exploit this vulnerability to place a large number of JSX elements into the `<blockquote>` tag, the internal regular expression used for escaping characters may consume excessive computing resources.
CVSS Information
N/A
Vulnerability Type
N/A