tarteaucitron.js is a widely used JavaScript library designed to manage user consent for third-party services. One of its integrations supports embedding content from Issuu, using the issuu_id parameter to construct embed URLs. This parameter was previously validated using permissive regular expressions, exposing the application to a potential ReDoS attack.
The vulnerability originated from the following code:

```javascript
if (issuu_id.match(/\d+\/\d+/)) {
    issuu_embed = '#' + issuu_id;
} else if (issuu_id.match(/d=(.*)&u=(.*)/)) {
    issuu_embed = '?' + issuu_id;
}
```
The issues with this implementation are:
An attacker could supply a maliciously crafted issuu_id value containing long repetitive patterns designed to trigger backtracking, for example:

```text
d=aaaaaaaaaaaaaaaaaaaaaaaaaaaaa...&u=bbbbbbbbbbbbbbbbbbbbbbbbbbbb...
```

When processed by the greedy, unanchored regular expression /d=(.*)&u=(.*)/, this input can significantly degrade performance, especially when repeatedly evaluated, potentially resulting in a denial of service.
The vulnerability could be exploited remotely by any actor capable of influencing the issuu_id parameter, making it a realistic threat in exposed environments.
The issue was resolved by simplifying the logic and enforcing strict input validation, as shown in the following patch:

```javascript
if (issuu_id.match(/^\d+\/\d+$/)) {
    issuu_embed = '#' + issuu_id;
} else {
    issuu_embed = '?' + issuu_id;
}
```
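The following is an added example, not tarteaucitron's own code. It re-implements the patched branch logic as a standalone helper so the difference between the unanchored legacy patterns and the anchored one can be checked on concrete inputs, and it goes one step beyond the patch with two defensive measures the project did not add: a length cap (MAX_ISSUU_ID_LENGTH, an assumed value) applied before any regular expression runs, and a parser for the "d=...&u=..." form that uses URLSearchParams instead of a backtracking regex. The function names and sample inputs are constructed for this example.

```javascript
// Added example, not tarteaucitron's own code: the patched branch logic as a
// standalone helper, plus two defensive measures the patch does not include:
// a length cap applied before any regular expression runs, and a query-form
// parser that uses URLSearchParams instead of a backtracking regex.

// Assumed limit; real Issuu identifiers are far shorter than this.
const MAX_ISSUU_ID_LENGTH = 256;

// Anchored pattern from the fix: the entire value must be <digits>/<digits>.
// \d and "/" are disjoint, so the engine never backtracks between them.
const DOC_PAGE_RE = /^\d+\/\d+$/;

// The pre-fix patterns, kept only to show what they accepted.
const LEGACY_DOC_PAGE_RE = /\d+\/\d+/;
const LEGACY_QUERY_RE = /d=(.*)&u=(.*)/;

// Mirrors the patched code path, with an up-front type and length check.
function buildIssuuEmbed(issuuId) {
  if (typeof issuuId !== 'string' || issuuId.length === 0) {
    return null;
  }
  if (issuuId.length > MAX_ISSUU_ID_LENGTH) {
    return null; // rejected before any regex sees it
  }
  if (DOC_PAGE_RE.test(issuuId)) {
    return '#' + issuuId;
  }
  return '?' + issuuId;
}

// Shows how the unanchored legacy patterns matched on partial strings.
function legacyMatches(issuuId) {
  return {
    docPage: LEGACY_DOC_PAGE_RE.test(issuuId),
    query: LEGACY_QUERY_RE.test(issuuId),
  };
}

// Stricter handling of the "d=...&u=..." form: parse it as a query string
// and require both keys to be present and non-empty, with no regex at all.
function parseIssuuQueryForm(issuuId) {
  if (typeof issuuId !== 'string' || issuuId.length > MAX_ISSUU_ID_LENGTH) {
    return null;
  }
  const params = new URLSearchParams(issuuId);
  const d = params.get('d');
  const u = params.get('u');
  if (d === null || u === null || d === '' || u === '') {
    return null;
  }
  return { d, u };
}

// Constructed sample inputs for a quick stand-alone run.
const samples = [
  '123/456',                          // well-formed document/page id
  'abc/123/456def',                   // legacy regex matched this substring
  'd=doc-name&u=user-name',           // query form
  'd=' + 'a'.repeat(300) + '&u=b',    // over the length cap
];
for (const s of samples) {
  console.log(JSON.stringify(s.slice(0, 40)), '->',
    buildIssuuEmbed(s), legacyMatches(s), parseIssuuQueryForm(s));
}
```

Note that the patched code still forwards any non-matching value with a "?" prefix; the length cap and URLSearchParams parser shown here are the extra layers a maintainer could add if the query form needs to be validated as well.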
This fix:
Additionally, all code related to the legacy Alexa Rank service was removed. This service has been discontinued for several years, and the Alexa domain is now exclusively associated with Amazon’s voice assistant. (commit f0bbdac2fdf3cd24a325fc0928c0d34abf1b7b52)
This document is provided for informational and security awareness purposes only. The information is shared responsibly to help improve software security and should not be used for malicious activities.
Yassine Damiri