CVE-2021-41115: 
NixOS vulnerability analysis and mitigation

CVE-2021-41115 affects Zulip, an open source team chat server, discovered in October 2021. The vulnerability allows malicious organization administrators to perform denial-of-service attacks through regular expression complexity attacks in the linkifier feature. The issue affects all versions of Zulip prior to version 4.7 (GitHub Advisory, NVD).

The vulnerability exists in Zulip's linkifier feature, which allows organization administrators to configure automatic link creation using arbitrary regular expressions. The system attempts to validate user-provided regexes to verify they are safe from ReDoS (Regular Expression Denial of Service), but this validation was both insufficient and itself vulnerable to ReDoS attacks. The vulnerability could be exploited by configuring a quadratic-time regular expression in a linkifier and sending messages that triggered it. The issue has a CVSS v3.1 base score of 6.5 (MEDIUM) according to NVD, while GitHub rates it at 4.3 (MEDIUM) (NVD, Security Lab).

When exploited, this vulnerability could lead to denial-of-service conditions on the Zulip server. The attack vector is particularly concerning as it could be executed by organization administrators, who could configure malicious regular expressions that cause server performance degradation when processing messages (GitHub Advisory).

The vulnerability was patched in Zulip version 4.7. Users should upgrade to this version or later to mitigate the issue. The fix involves switching user-provided linkifier patterns to be matched using the re2 library, which guarantees constant-time regular expression matching. While this somewhat limits the possible features of regular expressions (such as look-ahead, look-behind, and back-references), these features were never advertised as working in linkifiers (GitHub Advisory).