ReDoS in Chai’s get-func-name: CVE-2023-43646 Technical Analysis & PoC

A critical ReDoS vulnerability (CVE-2023-43646) in Chai’s get-func-name module exposes Node.js and browser apps to denial of service via inefficient regex parsing. This post delivers a technical breakdown, PoC, patch details, and detection strategies for security teams.

ZeroPath Security Research

2025-07-17

Introduction

A single line of code can bring down your Node.js server or browser-based app if it relies on the wrong regex. That’s the reality for thousands of projects using Chai’s get-func-name module, which was hit by a high-severity Regular Expression Denial of Service (ReDoS) vulnerability—CVE-2023-43646. With over 1.5 million weekly downloads, Chai.js and its utilities like get-func-name are foundational to JavaScript testing and assertion logic across the industry. When a core module like this is vulnerable, the ripple effects can be felt in CI pipelines, production APIs, and browser-side logic everywhere.

Technical Information

The heart of CVE-2023-43646 is an inefficient regular expression in get-func-name (all versions prior to 2.0.1). This module is designed to extract function names from source code strings in both Node.js and browser environments. The vulnerable regex is:

const functionNameMatch = /\s*function(?:\s|\s*\/\*[^(?:*/)]+\*\/\s*)*([^\s(/]+)/;

This pattern is susceptible to catastrophic backtracking, especially with inputs that contain imbalanced parentheses or long, repetitive sequences. The regex engine, when faced with such input, can enter a state where it tries exponentially many ways to match the pattern—leading to excessive CPU consumption and, ultimately, denial of service.

The root cause is the nested quantifiers and lack of input length checks. If an attacker can supply input to any code path that calls get-func-name, they can trigger this ReDoS condition remotely. This is particularly dangerous in web servers, API gateways, or browser-based tools that parse user-supplied code or function descriptors.

Proof of Concept

The following proof-of-concept demonstrates how the vulnerability can be exploited:

const protocolre = /\sfunction(?:\s|\s*\/\*[^(?:*\/)]+\*\/\s*)*([^\(\/]+)/;
const startTime = Date.now();
const maliciousInput = '\t'.repeat(54773) + '\t/function/i';
protocolre.test(maliciousInput);
const endTime = Date.now();
console.log("Process time:", endTime - startTime, "ms");

Here, the crafted input causes the regex engine to backtrack extensively, resulting in significant processing delays and high CPU usage. This can be used to effectively DoS any service relying on the vulnerable function. (GHSA-4q6p-r6v2-jvc5)

Patch Information

To remediate CVE-2023-43646, the maintainers of get-func-name implemented two key changes:

  1. Limiting Function Source Length: The patch introduces a cap on the length of function source code that the regex will process, preventing excessive backtracking on very large inputs.
  2. Regex Optimization: The regular expression itself was refined to reduce complexity and mitigate the risk of ReDoS.

These changes are included in commit f934b228b, and are available in version 2.0.1 and later. All users should upgrade immediately. (GHSA-4q6p-r6v2-jvc5)
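The length-cap guard the patch describes, written out as an added example (not get-func-name's own code): the vulnerable regex quoted in this post runs only after the input has passed a size check. The 512-character cap and the test on the position of the first '(' are this example's assumptions, not the shipped patch.

```javascript
// Added example, not the get-func-name project's code: models the first of
// the two patch changes described above (a cap on how much function source
// the regex may see), using the vulnerable regex quoted in this post. The
// cap value and the indexOf('(') test are assumptions of this example.
const functionNameMatch = /\s*function(?:\s|\s*\/\*[^(?:*\/)]+\*\/\s*)*([^\s(/]+)/;
const MAX_FUNCTION_SOURCE_LENGTH = 512; // assumed cap

// Unguarded extraction: hands whatever it is given straight to the regex.
function unguardedFuncName(source) {
  const m = source.match(functionNameMatch);
  return m ? m[1] : '';
}

// Guarded extraction: a real function source reaches its '(' early, so any
// input with no '(' inside the cap is refused before the regex is evaluated.
function guardedFuncName(source) {
  const paren = source.indexOf('(');
  if (paren === -1 || paren > MAX_FUNCTION_SOURCE_LENGTH) {
    return '';
  }
  return unguardedFuncName(source);
}

// Wall-clock cost of one extraction, in milliseconds.
function timeExtraction(fn, source) {
  const t0 = Date.now();
  fn(source);
  return Date.now() - t0;
}

// Constructed inputs: an ordinary function source, and the advisory's
// pathological shape (a long whitespace run) scaled down to 5000 tabs so the
// unguarded call still finishes quickly; raise the count to see the growth.
const benign = 'function /* comment */ parseHeader(buf) { return buf; }';
const hostile = '\t'.repeat(5000) + '\t/function/i';

console.log('benign ->', JSON.stringify(guardedFuncName(benign)));
console.log('unguarded hostile ms:', timeExtraction(unguardedFuncName, hostile));
console.log('guarded hostile ms:  ', timeExtraction(guardedFuncName, hostile));
```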

Detection Methods

Detection of this vulnerability can be approached in several ways (GHSA-4q6p-r6v2-jvc5):

  • Static Code Analysis: Scan your codebase for the vulnerable regex pattern:

    const functionNameMatch = /\s*function(?:\s|\s*\/\*[^(?:*\/)]+\*\/\s*)*([^\s(/]+)/;

    Tools that analyze regex complexity can flag this as a potential ReDoS vector.

  • Dynamic Analysis and Fuzz Testing: Supply imbalanced or repetitive input to any code paths using get-func-name and monitor for excessive CPU usage or delays.

  • Performance Monitoring: Set up alerts for abnormal CPU or memory usage, which may indicate a ReDoS attack in progress.

  • Regex Validation: Regularly review and validate regex patterns in your codebase for complexity and performance.
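A scanner for the static-analysis step above, added here as an example and not part of the advisory or the project: it reports get-func-name entries below 2.0.1 in a parsed package-lock.json and checks source text for the regex's backtracking core. The lockfile layouts it walks are assumptions about npm's format, and the sample lockfile is constructed.

```javascript
// Added example, not from the advisory or from get-func-name: flags installs
// of get-func-name below 2.0.1 in a parsed package-lock.json (the v2/v3
// "packages" map or the v1 "dependencies" tree, as this example assumes npm
// lays them out) and spots the vulnerable regex in source text.
const SAFE_VERSION = [2, 0, 1];

// Numeric major.minor.patch comparison; a prerelease suffix is ignored (assumption).
function isBelowSafe(version) {
  const parts = version.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const a = parts[i] || 0;
    if (a !== SAFE_VERSION[i]) return a < SAFE_VERSION[i];
  }
  return false;
}

// Collect every vulnerable get-func-name entry, direct or transitive.
function findVulnerableGetFuncName(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path.endsWith('node_modules/get-func-name') && meta.version && isBelowSafe(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === 'get-func-name' && meta.version && isBelowSafe(meta.version)) {
        hits.push({ path, version: meta.version });
      }
      walk(meta.dependencies, path + '/');
    }
  };
  if (!lock.packages) walk(lock.dependencies, '');
  return hits;
}

// The backtracking core shared by every form of the regex quoted in this post:
// a '*' group whose alternatives are '\s' and '\s*', which lets a whitespace
// run be split in many ways. Matched as a plain substring of the source text.
const VULN_CORE = 'function(?:\\s|\\s*\\/\\*';
function sourceHasVulnerableRegex(text) {
  return text.includes(VULN_CORE);
}

// Constructed v3-style lockfile: one vulnerable copy and one patched nested copy.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    'node_modules/chai': { version: '4.0.0' },
    'node_modules/get-func-name': { version: '2.0.0' },
    'node_modules/loupe/node_modules/get-func-name': { version: '2.0.1' },
  },
};
console.log(findVulnerableGetFuncName(sampleLock));
```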

Affected Systems and Versions

  • Product: get-func-name (npm package)
  • Vendor: chaijs
  • Affected Versions: All versions prior to 2.0.1
  • Safe Version: 2.0.1 and later
  • Environments: Node.js and browser applications that use get-func-name directly or as a transitive dependency (e.g., via Chai.js)

Vendor Security History

Chai.js and its associated modules are widely used in the JavaScript testing ecosystem. The vendor has a strong track record for prompt vulnerability response, with this issue patched within a day of disclosure. Previous vulnerabilities have been addressed quickly, and the team maintains clear advisories and transparent communication. This incident underscores the importance of rigorous regex review in core utilities.

References

Source: This report was created using AI
