
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
A Denial of Service (DoS) vulnerability was discovered in RSSHub (CVE-2022-31110) affecting versions after 4671720f4c5e1aaaad8fcc1dce684b6546baf2ff and before 5c4177441417b44a6e45c3c63e9eac2504abeb5b. The vulnerability was discovered by Rongrong (@Rongronggg9) and disclosed on June 22, 2022 (GitHub Advisory).
The vulnerability is a Regular expression Denial of Service (ReDoS) caused by catastrophic backtracking in user-supplied regular expressions. The issue exists in the filter and filterout parameters, which accept user-supplied regular expressions, trust them unconditionally, and pass them to String.match() to perform the match. Specially crafted input to these parameters can trigger abnormally high CPU usage (GitHub Issue).
When exploited, the vulnerability causes the RSSHub instance to become unresponsive to any request, with the node process continuously occupying a whole CPU core. This condition can persist for several hours, significantly impacting the performance of servers and RSSHub services (GitHub Advisory).
The vulnerability was patched in commit 5c4177441417b44a6e45c3c63e9eac2504abeb5b by replacing the standard RegExp implementation with RE2, a regular expression engine that guarantees linear time matching. Users are advised to update to this or later versions as soon as possible (GitHub Advisory).
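The failure mode and one defensive guard, as an added example that is not RSSHub's code and not the RE2 fix described above: it time-boxes a user-supplied filter pattern with Node's built-in vm module and rejects the request when the budget is exceeded. The helper names, the 50 ms budget, the sample feed items and the textbook nested-quantifier pattern are all assumptions constructed for illustration.

```javascript
'use strict';
const vm = require('node:vm');

// Hypothetical helper: test one string against a user-supplied pattern,
// giving up after budgetMs instead of letting the event loop hang.
function boundedTest(pattern, text, budgetMs = 50) {
  // Fresh context that exposes only the two strings, nothing else.
  const sandbox = vm.createContext({ pattern, text });
  try {
    const matched = vm.runInContext('new RegExp(pattern).test(text)', sandbox,
      { timeout: budgetMs });
    return { matched, timedOut: false, invalid: false };
  } catch (err) {
    if (err.code === 'ERR_SCRIPT_EXECUTION_TIMEOUT') {
      return { matched: false, timedOut: true, invalid: false };
    }
    if (err.name === 'SyntaxError') { // malformed pattern from the client
      return { matched: false, timedOut: false, invalid: true };
    }
    throw err;
  }
}

// Hypothetical stand-in for a `filter` query parameter: keep items whose
// title matches. Fails closed: one timeout or bad pattern rejects the request.
function filterItems(items, pattern, budgetMs = 50) {
  const kept = [];
  for (const item of items) {
    const r = boundedTest(pattern, item.title, budgetMs);
    if (r.timedOut || r.invalid) return { rejected: true, kept: [] };
    if (r.matched) kept.push(item);
  }
  return { rejected: false, kept };
}

// Constructed sample data, not taken from any real feed.
const SAMPLE_ITEMS = [
  { title: 'Project security advisory published' },
  { title: 'a'.repeat(40) + '!' }, // long run that defeats a nested quantifier
  { title: 'Weekly release notes' },
];
// Textbook catastrophic-backtracking pattern, used only to exercise the guard.
const BACKTRACKING_PATTERN = '(a+)+$';

console.log(filterItems(SAMPLE_ITEMS, 'advisory'));
console.log(filterItems(SAMPLE_ITEMS, BACKTRACKING_PATTERN));
```

A time budget only caps the cost of each match; a linear-time engine such as RE2, which the patch adopted, removes the backtracking behaviour itself.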
Source: This report was generated using AI