
🚧Redos vulnerability in Wordwrap #8653

Closed
raghunandhanvr opened this issue May 4, 2023 · 3 comments

@raghunandhanvr

Dear cal.com team,

I am writing to inform you of a vulnerability in the Wordwrap package (version 1.0.0) that is used by your website/service. This vulnerability can be exploited through a regular expression Denial of Service (ReDoS) attack, which can cause the package to enter an infinite loop, leading to a denial of service on the affected system.

The vulnerability affects all versions of the Wordwrap package up to and including version 1.0.0, and unfortunately, there is currently no known fix for the issue. I have included a proof-of-concept code snippet below that demonstrates the vulnerability in action:

// Proof of concept as posted, with the two imports it needs to run under Node.js
const wrap = require("word-wrap");
const { performance } = require("perf_hooks");

for (let i = 0; i <= 10; i++) {
  // The input grows by 1,000,000 characters each round
  const attack = "a" + "t".repeat(i * 10_00000);
  const start = performance.now();
  wrap(attack, { trim: true });
  console.log(`${attack.length} characters: ${performance.now() - start}ms`);
}

As you can see, this code snippet can cause the Wordwrap package to enter an infinite loop when provided with a specially crafted input string, resulting in a significant delay in processing time and potentially leading to a denial of service.

I urge you to take immediate action to address this vulnerability by either updating to a patched version of the Wordwrap package (if and when one becomes available), or by finding an alternative package that is not vulnerable to this issue.

Thank you for your attention to this matter. Please let me know if you require any additional information or assistance in addressing this vulnerability with respect to cal platform.

Reference: https://security.snyk.io/vuln/SNYK-JS-WORDWRAP-3149973
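A wrapper of the kind the report suggests switching to, added here as an example (it is not cal.com's or word-wrap's code): `safeWrap` and `linearTrim` are hypothetical names, and both work with index arithmetic instead of regular expressions, so an input shaped like the proof of concept above cannot trigger backtracking.

```javascript
// Added example: a word wrapper whose trimming and splitting use index
// arithmetic rather than regular expressions, so running time is linear
// in the input length regardless of content. Options mirror the report.

function isSpace(ch) {
  return ch === " " || ch === "\t" || ch === "\n" || ch === "\r";
}

// Trim leading/trailing whitespace in one forward and one backward scan.
function linearTrim(str) {
  let start = 0;
  let end = str.length;
  while (start < end && isSpace(str[start])) start++;
  while (end > start && isSpace(str[end - 1])) end--;
  return str.slice(start, end);
}

// Wrap text at `width` columns, breaking at spaces where possible and
// hard-breaking any single token that is longer than the width.
function safeWrap(str, options = {}) {
  const width = options.width || 50;
  const trim = options.trim !== false;
  const lines = [];
  for (const paragraph of String(str).split("\n")) {
    let line = "";
    for (const word of paragraph.split(" ")) {
      let rest = word;
      // Hard-break oversized tokens so no emitted line exceeds `width`.
      while (rest.length > width) {
        if (line) { lines.push(line); line = ""; }
        lines.push(rest.slice(0, width));
        rest = rest.slice(width);
      }
      if (line.length === 0) line = rest;
      else if (line.length + 1 + rest.length <= width) line += " " + rest;
      else { lines.push(line); line = rest; }
    }
    lines.push(line);
  }
  const out = trim ? lines.map(linearTrim) : lines;
  return out.join("\n");
}

// Constructed input in the shape of the proof of concept: one letter
// followed by a long run of a single character and no spaces.
const attack = "a" + "t".repeat(1_000_000);
const wrapped = safeWrap(attack, { width: 50, trim: true });
console.log(`${attack.length} characters -> ${wrapped.split("\n").length} lines`);
```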

maige-app bot added the "🐛 bug" label May 4, 2023

@pranjalg13 (Contributor)

@raghunandhanvr I didn't find any code usage with this dependency, let me know if you found one.
Thanks

@PeerRich (Member)

@raghunandhanvr how would this be fixed?

@PeerRich PeerRich added this to the v.3.0 milestone May 14, 2023
@emrysal (Contributor) commented May 14, 2023

Thank you @raghunandhanvr - we're keeping an eye on jonschlinkert/word-wrap#32 - our internal assessment is: Because this code is used only by eslint and this being a dev only package, there is no public facing code that will be affected by this vulnerability. Also as indicated by the optionator package - this vulnerability does not affect their code.

Therefore, no mitigation is needed as we are not affected by this vulnerability.

Also including the eslint assessment @ eslint/eslint#17117 (comment) for completeness.

This is a problem in a transitive dependency so it doesn't seem like there's anything we can do at this point. Also, according to gkz/optionator#44 (comment) this isn't a possible problem for eslint users because the dependency in question is only used with predefined option descriptions, not with user input.

Given the above, I'm closing this issue. If and when the problem is fixed in the dependencies, we could update eslint's package.json if that would help remove the warning.
