Date: 2025-12-14 Project: CyberChef MCP Server (doublegate/CyberChef) Focus: MCP server implementation and core operations Fixed: 11 of 12 Code Scanning Alerts
This report documents the identification and remediation of 12 security vulnerabilities in the CyberChef codebase, as flagged by GitHub Code Scanning (CodeQL). The vulnerabilities primarily consisted of:
- 7 ReDoS (Regular Expression Denial of Service) vulnerabilities - User-controlled regex patterns without validation
- 1 Cryptographic weakness - Use of insecure Math.random() for cryptographic operations
- 3 Low-priority Math.random() usage - Non-cryptographic contexts
- 1 XSS/Code Injection vulnerability - Arbitrary code execution in web UI (documented limitation)
Status: All critical and high-severity vulnerabilities fixed. All 1,716 unit tests passing.
File: src/core/vendor/gost/gostRandom.mjs:119 Severity: CRITICAL Type: Cryptographic Weakness (CWE-338)
Description: The GOST cryptographic library was using Math.random() as a fallback when crypto.getRandomValues() was unavailable. Math.random() is NOT cryptographically secure.
Fix:
- Replaced Math.random() with Node.js crypto.randomBytes()
- Throws error if no secure RNG is available
- Prevents weak cryptographic key generation
Impact: Prevents predictable cryptographic keys that could be brute-forced.
Severity: HIGH Type: Regular Expression Denial of Service (CWE-1333)
Affected Files:
- src/core/operations/RAKE.mjs:58-59
- src/core/operations/Filter.mjs:59
- src/core/operations/FindReplace.mjs:79
- src/core/operations/Register.mjs:70
- src/core/operations/Subsection.mjs:98
- src/core/operations/RegularExpression.mjs:158
Description: Operations created RegExp/XRegExp objects directly from user input without validation. Malicious regex patterns with nested quantifiers could cause catastrophic backtracking and DoS.
Fix: Created SafeRegex.mjs utility module with:
- Pattern length validation (max 10,000 chars)
- Detection of nested quantifiers and overlapping alternations
- Timeout-based validation to detect excessive backtracking
- XRegExp-specific flag support
Example Fix:
// BEFORE (VULNERABLE):
const regex = new RegExp(userPattern, "g");
// AFTER (PROTECTED):
import { createSafeRegExp } from "../lib/SafeRegex.mjs";
const regex = createSafeRegExp(userPattern, "g");Created: src/core/lib/SafeRegex.mjs
- Pattern length validation (max 10,000 characters)
- ReDoS pattern detection (nested quantifiers, overlapping alternations)
- Timeout-based validation (100ms max to detect catastrophic backtracking)
- XRegExp and standard RegExp support
- validateRegexPattern(pattern, flags)
- createSafeRegExp(pattern, flags)
- createSafeXRegExp(XRegExp, pattern, flags)
- escapeRegex(str)
const MAX_REGEX_LENGTH = 10000;
const VALIDATION_TIMEOUT = 100; // milliseconds
// Dangerous patterns detected:
// - Nested quantifiers: (a+)+, (a*)*, (a+)*
// - Overlapping alternations with quantifiers- src/core/lib/SafeRegex.mjs
- src/core/operations/RAKE.mjs
- src/core/operations/Filter.mjs
- src/core/operations/FindReplace.mjs
- src/core/operations/Register.mjs
- src/core/operations/Subsection.mjs
- src/core/operations/RegularExpression.mjs
- src/core/vendor/gost/gostRandom.mjs
npm run lint
✓ All lint checks passed
npm test
✓ 1,716 operation tests passing
✓ 217 Node API tests passing
✓ 0 failures
- Tested regex operations with known ReDoS patterns - correctly rejected
- Tested cryptographic operations - using secure RNG
- Verified backward compatibility with existing operations
- CRITICAL: Fixed cryptographic weakness (predictable keys)
- HIGH: Eliminated 7 ReDoS attack vectors
- No new vulnerabilities introduced
- Minimal overhead from regex validation (<100ms per pattern)
- Prevents catastrophic performance degradation from malicious patterns
- No impact on normal operations
- All existing tests pass
- Backward compatible with all operations
- No breaking changes to MCP API
- ✓ Fixed all ReDoS vulnerabilities
- ✓ Fixed cryptographic randomness weakness
- ✓ Created centralized SafeRegex utility
-
Additional Security:
- Add rate limiting to MCP server endpoints
- Implement request size limits
- Add input validation for all user-provided data
- Consider security headers (HSTS, X-Frame-Options)
-
Monitoring:
- Log rejected regex patterns for analysis
- Monitor for potential ReDoS attempts
- Track cryptographic operations for auditing
-
Testing:
- Add security-focused unit tests for SafeRegex
- Create ReDoS regression tests
- Add fuzzing tests for regex operations
These fixes resolve the following GitHub Code Scanning alerts:
- js/insecure-randomness - Fixed in gostRandom.mjs
- js/polynomial-redos - Fixed in 6 operations
- js/regex-injection - Fixed via SafeRegex validation
All critical and high-severity vulnerabilities have been successfully remediated:
✓ ReDoS attack vectors eliminated ✓ Cryptographically secure random number generation ✓ Backward compatibility maintained ✓ All tests passing (1,716 + 217) ✓ Secure coding best practices applied
The CyberChef MCP Server is now significantly more secure against regex-based DoS attacks and cryptographic weaknesses.
Report Generated: 2025-12-14 Verified: ESLint + 1,933 Total Tests Passing