CVE-2022-37620/ ReDoS found in htmlminifier.js

[secdevlpr26]

A Regular Expression Denial of Service (ReDoS) flaw was found in kangax html-minifier 4.0.0 via the candidate variable in htmlminifier.js.
The ReDoS vulnerability can be mitigated with several best practices described here: [https://snyk.io/blog/redos-and-catastrophic-backtracking/]

[michaeljauk]

Is anyone willing to work on this?

[blv-raulcatalan]

Any update on this?

[rquadling]

One of the lines referred to be the CVE has the following regex \s+([1-9][0-9]*w|[0-9]+(?:\.[0-9]+)?x)$

Would changing it to \s+([1-9][0-9]*w|[0-9]+(?:\.[0-9]+|)x)$ be enough?

\s+([1-9][0-9]*w|[0-9]+(?=(\.[0-9]+|))\2x)$ is another way that should stop the backtracking (based this upon https://snyk.io/blog/redos-and-catastrophic-backtracking/.

[timbomckay]

I stumbled upon a fork of this maintained by terser: https://www.npmjs.com/package/html-minifier-terser

Probably the way to go.