CVE-2024-9506

ReDoS Vulnerability
Affects: Vue >=2.0.0 <3.0.0 (Vue 2)
Patch Available
This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs

Overview

Vue is an HTML, CSS, and JS framework for developing web applications with fine-grained reactivity.

A Regular expression Denial of Service (ReDoS) vulnerability (CVE-2024-9506) has been identified within the Vue 2 compiler. 

Per OWASP: The Regular expression Denial of Service (ReDoS) is a Denial of Service attack that exploits the fact that most Regular Expression implementations may reach extreme situations that cause them to work very slowly (exponentially related to input size). An attacker can then cause a program using a Regular Expression (Regex) to enter these extreme situations and then hang for a very long time.

Details

Module Info

Vulnerability Info 

This Low-severity vulnerability is found in the html-parser.ts file within multiple Vue packages, namely:

  • compiler-sfc
  • server-renderer
  • template-compiler
  • vue-template-compiler
  • vue-server-renderer

Vue’s parseHTML() function in html-parser.ts is susceptible to a ReDoS attack when:

  1. The template string contains a <script>, <style>, or <textarea> without a matching closing tag

Within the parseHTML() function there is a regular expression (regex) that looks for the proper closing tag of the three tags listed above. However, the regex is improperly written: passing in something like <script>some very very long text</not-script>, where the opening tag is never matched by its own closing tag, triggers a ReDoS.
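The closing-tag search described above, as an added example in JavaScript that is not Vue's own code: a lazy-quantifier regex of the assumed vulnerable shape beside a linear search, plus a pre-flight check that rejects templates containing an unclosed <script>, <style> or <textarea> before they reach the compiler. The regex shape, the function names and the payload are assumptions, not copied from html-parser.ts.

```javascript
// Added example, not Vue's source: why an unclosed raw-text tag stalls a lazy regex search.
const RAW_TEXT_TAGS = ['script', 'style', 'textarea'];

// Assumed shape of the vulnerable lookup: "anything, lazily, then </tag ...>".
// With no closing tag the engine re-scans the remainder from every start offset
// (quadratic work). Returns the index just past the closing tag, or -1.
function closingTagEndRegex(html, tag) {
  const re = new RegExp('([\\s\\S]*?)(</' + tag + '[^>]*>)', 'i');
  const m = html.match(re);
  return m ? m.index + m[0].length : -1;
}

// Linear equivalent: one scan for the literal "</tag" from `from`, then one
// scan for the '>' that terminates it (if no '>' follows the first hit, none
// follows any later hit either). Same return convention as above.
function closingTagEnd(html, tag, from = 0) {
  const re = new RegExp('</' + tag, 'gi');
  re.lastIndex = from;
  const m = re.exec(html);
  if (m === null) return -1;
  const gt = html.indexOf('>', m.index + m[0].length);
  return gt === -1 ? -1 : gt + 1;
}

// Pre-flight check for templates assembled from untrusted input: returns the
// first raw-text tag that lacks a closing tag, or null when the template is
// safe to hand to the compiler. Each region is scanned once, so cost is linear.
function findUnclosedRawTextTag(template) {
  for (const tag of RAW_TEXT_TAGS) {
    const openRe = new RegExp('<' + tag + '(?=[\\s/>])', 'gi'); // "<script" at a tag boundary
    let m;
    while ((m = openRe.exec(template)) !== null) {
      const end = closingTagEnd(template, tag, m.index + m[0].length);
      if (end === -1) return tag;
      openRe.lastIndex = end; // resume after the closing tag
    }
  }
  return null;
}

// Wall-clock comparison on the advisory's payload shape (constructed input).
// Keep n modest: the regex form is the one that stalls as n grows.
function timeSearches(n) {
  const payload = '<script>' + '<'.repeat(n) + '</textarea>';
  const t0 = Date.now();
  closingTagEndRegex(payload, 'script');
  const t1 = Date.now();
  findUnclosedRawTextTag(payload);
  return { regexMs: t1 - t0, linearMs: Date.now() - t1 };
}
```

Run findUnclosedRawTextTag() on any template assembled from user-controlled strings before passing it to the compiler; a non-null result is the case the advisory describes.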

Steps To Reproduce

  • Within Vue 2 client-side application code, create a new Vue instance with a template string that includes a <script> tag closed by a different tag (in this case </textarea>).
new Vue({
  el: '#app',
  template: `
    <div>
      Hello, world!
      <script>${'<'.repeat(1000000)}</textarea>
    </div>
  `,
});

  • Set up an index.html file that loads the above JavaScript and then mount the newly created Vue instance with mount().
<!DOCTYPE html>
<html>
  <head>
    <title>My first Vue app</title>
  </head>
  <body>
    <div id="app">
      Loading...
    </div>
    <!-- Vue 2 full build (runtime + compiler), then the instance code above;
         the app.js file name is assumed, use whatever name you saved it under -->
    <script src="https://unpkg.com/vue@2"></script>
    <script src="app.js"></script>
  </body>
</html>

  • In a browser, visit your Vue application (for example http://localhost:3000, wherever index.html is served from).

  • In the browser, observe how long the page takes to parse the template and mount the Vue instance. That delay is the ReDoS vulnerability at work.

Proof Of Concept

A full reproduction with code similar to the above can be found here:
Vue 2 HTML Tag Mismatch ReDoS

Credits

  • K (finder)

Mitigation

Vue 2 has reached End-of-Life and will not receive any updates to address this issue.

Users of the affected components should apply one of the following mitigations:

  • Migrate to a newer version of Vue.
  • Leverage a commercial support partner like HeroDevs for post-EOL security support.

Vulnerability Details

ID: CVE-2024-9506
Project Affected: Vue
Versions Affected: >=2.0.0 <3.0.0
Published date: October 14, 2024
≈ Fix date: July 25, 2024
Fixed in:
Severity: Low
Category: ReDoS Vulnerability