
[Security] Backend: ReDoS vulnerability in regex pattern validation #521

@kami922

Description

Summary

A Regular Expression Denial of Service (ReDoS) vulnerability exists in the `_check_username_list_regex()` function in `buffalogs/impossible_travel/modules/alert_filter.py`.

The function compiles every entry of the configured user lists as a regular expression without validating it and then runs `search()` against the username. A pattern that triggers catastrophic backtracking pins a CPU core for every call whose match has to backtrack, which makes the application unavailable.

Vulnerability Details

Severity

High - can lead to Denial of Service. The pattern has to be written into `Config`, so the attacker needs admin access (see Proof of Concept below).

Affected Component

  • File: buffalogs/impossible_travel/modules/alert_filter.py
  • Function: _check_username_list_regex() (lines 106-117)
  • Attack Vector: Config.ignored_users, Config.enabled_users, Config.vip_users fields

Current Vulnerable Code

```python
import re


def _check_username_list_regex(word: str, values_list: list) -> bool:
    for item in values_list:
        if word == item:
            return True
        try:
            regexp = re.compile(item)  # ⚠️ NO VALIDATION
            if regexp.search(word):    # catastrophic backtracking happens here
                return True
        except re.error:
            continue
    return False
```

Proof of Concept

An attacker with admin access could add a malicious regex pattern. Catastrophic backtracking only happens when the match as a whole fails, so the pattern needs an anchor (or a suffix the input cannot satisfy): `(a+)+` on its own matches the leading run of `a`s immediately, while `(a+)+$` has to try every way of splitting the run before giving up.

```python
import re

# Malicious pattern, as it would be stored in Config.ignored_users
ignored_users = [r"(a+)+$"]

# Trigger with crafted input: a long run of "a" ending in a character the pattern rejects
username = "a" * 50 + "X"

# This is the search _check_username_list_regex() performs for each list entry.
# Result: CPU hangs for minutes/hours due to catastrophic backtracking
re.compile(ignored_users[0]).search(username)
```

Dangerous patterns that can cause ReDoS (each one only when the overall match fails, e.g. with a trailing anchor or a non-matching suffix):

- `(a+)+` - nested quantifiers
- `(a*)*` - nested star operators
- `(a|ab)*` - overlapping alternation
- `(\w+)+b` - exponential backtracking
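One way to close this, as an added example rather than code from the buffalogs project: validate each list entry before it is ever compiled, and reject the nested-unbounded-quantifier shape shared by the patterns listed above (`(a+)+`, `(a*)*`, `(\w+)+b`). The validator walks the parse tree of the standard-library regex parser (`re._parser` on Python 3.11+, `sre_parse` before that; both are private modules, which is a deliberate assumption here) and refuses any unbounded repeat nested inside another one. The names `MAX_PATTERN_LENGTH`, `LARGE_REPEAT`, `validate_username_pattern()`, `is_safe_pattern()`, `_compile_checked()` and `check_username_list_regex()` are assumptions of this example, not names from the project.

```python
import functools
import re

# Python 3.11+ exposes the stdlib regex parser as re._parser; older releases ship it as sre_parse.
try:
    from re import _parser as sre_parser
except ImportError:  # Python < 3.11
    import sre_parse as sre_parser

MAX_PATTERN_LENGTH = 128   # assumed cap on a single list entry
LARGE_REPEAT = 100         # assumed: {n,m} with m above this is treated like an unbounded repeat


def _contains_nested_unbounded_repeat(subpattern, inside_unbounded=False):
    r"""Walk the parsed pattern and return True if an unbounded repeat (+, * or {n,})
    sits inside another one: the shape of (a+)+, (a*)*, (\w+)+b and (?:a+)+."""
    for op, av in subpattern:
        if op in (sre_parser.MAX_REPEAT, sre_parser.MIN_REPEAT):
            _lo, hi, body = av                      # av = (min, max, body)
            unbounded = hi == sre_parser.MAXREPEAT or hi > LARGE_REPEAT
            if unbounded and inside_unbounded:
                return True
            if _contains_nested_unbounded_repeat(body, inside_unbounded or unbounded):
                return True
        elif op == sre_parser.SUBPATTERN:           # capturing / non-capturing group, body is last
            if _contains_nested_unbounded_repeat(av[-1], inside_unbounded):
                return True
        elif op == sre_parser.BRANCH:               # alternation: av = (None, [alt1, alt2, ...])
            if any(_contains_nested_unbounded_repeat(alt, inside_unbounded) for alt in av[1]):
                return True
        elif op in (sre_parser.ASSERT, sre_parser.ASSERT_NOT):  # lookaround: av = (direction, body)
            if _contains_nested_unbounded_repeat(av[1], inside_unbounded):
                return True
    return False


def validate_username_pattern(pattern: str) -> None:
    """Raise ValueError when a list entry must not be compiled. Meant to run when
    Config is saved (assumed: from the model's clean()), not only at match time."""
    if len(pattern) > MAX_PATTERN_LENGTH:
        raise ValueError(f"pattern longer than {MAX_PATTERN_LENGTH} characters")
    try:
        tree = sre_parser.parse(pattern)
    except re.error as exc:
        raise ValueError(f"invalid regex: {exc}") from None
    if _contains_nested_unbounded_repeat(tree):
        raise ValueError("nested unbounded quantifiers are not allowed (ReDoS risk)")


def is_safe_pattern(pattern: str) -> bool:
    """Boolean form of validate_username_pattern(), convenient for form validation."""
    try:
        validate_username_pattern(pattern)
    except ValueError:
        return False
    return True


@functools.lru_cache(maxsize=256)
def _compile_checked(pattern: str):
    """Compile a validated pattern once; return None for anything the validator rejects."""
    if not is_safe_pattern(pattern):
        return None
    return re.compile(pattern)


def check_username_list_regex(word: str, values_list: list) -> bool:
    """Hardened counterpart of _check_username_list_regex(): exact match first,
    then only validated, cached patterns are searched."""
    for item in values_list:
        if word == item:
            return True
        regexp = _compile_checked(item)
        if regexp is not None and regexp.search(word):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample inputs: a legitimate service-account pattern and the PoC pattern.
    assert check_username_list_regex("svc-backup", [r"^svc-[a-z]+$"])
    assert not check_username_list_regex("a" * 50 + "X", [r"(a+)+$"])  # rejected, returns at once
```

Two caveats. The walk is a structural heuristic: it catches nested quantifiers and oversized bounded repeats but does not analyse ambiguity between alternatives inside a repeat, so a pattern such as `(a|ab)*` passes it. And Python's `re` has no match timeout, so if patterns must remain free-form the reliable defence is a bounded matcher (the third-party `regex` module accepts a `timeout=` argument) or running the match in a separate process that can be killed; the validator above is the cheap first layer, not the whole fix.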

Labels

bug (Something isn't working)