From 143e93344e3050b93e15a43c62bfe77511f1b99d Mon Sep 17 00:00:00 2001
From: Mohitxroxx
Date: Thu, 5 Mar 2026 00:24:49 +0530
Subject: [PATCH] fix: mitigate ReDoS in regex validation (CVE-2025-5891)
---
 lib/tools/Config.js | 19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)
diff --git a/lib/tools/Config.js b/lib/tools/Config.js
index a3da91c4c..d6e495921 100644
--- a/lib/tools/Config.js
+++ b/lib/tools/Config.js
@@ -188,15 +188,26 @@ Config._valid = function(key, value, sch){
 }
 // Verify maximum / minimum of Number value.
- if (type == '[object Number]') {
- if (this._error(typeof sch.max != 'undefined' && value > sch.max, 'max', key, sch.max, value)) {
+ if (type === '[object String]' && sch.regex) {
+
+ // Preventing heavy RegExp from ReDoS attack.
+ if (value.length > 1024) {
+ this._errors.push(`"${key}" exceeds maximum allowed length`);
 return null;
 }
- if (this._error(typeof sch.min != 'undefined' && value < sch.min, 'min', key, sch.min, value)) {
+
+ let regex;
+ try {
+ regex = sch._compiledRegex || (sch._compiledRegex = new RegExp(sch.regex));
+ } catch (err) {
+ this._errors.push(`Invalid regex for "${key}"`);
 return null;
 }
- }
+ if (!regex.test(value)) {
+ return null;
+ }
+ }
 // If first type is Array, but current is String, try to split them.
 if(scht.length > 1 && type != scht[0] && type == '[object String]'){
 if(scht[0] == '[object Array]') {
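Review bot: The new `if (type === '[object String]' && sch.regex)` branch replaces the removed `if (type == '[object Number]')` branch instead of sitting beside it, so the `sch.max`/`sch.min` checks via `this._error(...)` no longer run anywhere in `_valid`; the diffstat's 15 insertions and 4 deletions are all in this hunk, so they are not restored elsewhere in the file. The surviving comment `// Verify maximum / minimum of Number value.` now heads a string check, and the `!regex.test(value)` path returns null without pushing an error, unlike the two failure paths above it. A 1024-character cap bounds the input but does not make a super-linear pattern in `sch.regex` safe, so the cap is a mitigation rather than a fix and should be documented as such. The numeric branch should be put back ahead of the regex branch as below; `_valid`'s body continues outside the hunk.
```javascript
    // Verify maximum / minimum of Number value.
    if (type == '[object Number]') {
        if (this._error(typeof sch.max != 'undefined' && value > sch.max, 'max', key, sch.max, value)) {
            return null;
        }
        if (this._error(typeof sch.min != 'undefined' && value < sch.min, 'min', key, sch.min, value)) {
            return null;
        }
    }

    // Verify String value against the schema regex (the length cap only bounds, not removes, regex cost).
    if (type === '[object String]' && sch.regex) {
        // … unchanged: length cap, compile/cache of sch._compiledRegex, catch …
        if (!regex.test(value)) {
            this._errors.push(`"${key}" does not match the required pattern`);
            return null;
        }
    }
```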