Critical ReDoS Vulnerability in CLI Telemetry Regex Exposes Denial-of-Service Risk
A critical security flaw has been identified in the telemetry module of a widely used CLI tool that lets an attacker deny service to anyone running it. The vulnerability resides in a regular expression intended to scrub base64-encoded data from telemetry payloads. The pattern ends in an unbounded quantifier followed by a word-boundary assertion, and on crafted input the regex engine retries every possible length of the quantified run from every starting position, so the running time grows quadratically with the input length. A sufficiently long input keeps the CLI process at 100% CPU for minutes or longer, and since the call is synchronous the only way out for the user is to kill the application.
The flaw is located in the `telemetry.ts` file at line 48, in the pattern `/[A-Za-z0-9+/]{40,}={0,2}\b/g`. The problem is the combination of the greedy, unbounded `{40,}` quantifier with the trailing `\b`. When a run of characters from the class is immediately followed by a word character that is not in the class (in ASCII that is only `_`), the `\b` can never match: the engine first consumes the whole run, then gives back one character at a time down to the 40-character minimum, retrying the assertion after each step, and repeats this from every starting position inside the run. For a run of n characters that is roughly n²/2 attempts, a polynomial rather than exponential blow-up, but one that a run of a few hundred thousand characters turns into a stall of minutes. An attacker who can inject content into error messages, API responses, filenames, or environment variables can therefore freeze the tool with a string such as a long sequence of 'A's followed by `_`.
This ReDoS vulnerability presents a direct operational risk: it blocks all CLI functions for the affected user and can stall automated workflows and CI/CD pipelines that invoke the tool. The immediate recommendation is to replace the vulnerable pattern with a length-bounded alternative, such as `/[A-Za-z0-9+/]{40,100}={0,2}/g`, which caps the retries at each starting position to the 61 lengths between 40 and 100 and makes the scrub linear in the input size. Two caveats for whoever applies the fix: the suggested replacement also drops the trailing `\b`, so a base64 run longer than 100 characters is now redacted in consecutive chunks of up to 100 characters instead of as one match (acceptable for redaction, but a behaviour change worth a test), and the bound on the quantifier is the part that matters, since keeping `\b` alongside `{40,100}` also removes the blow-up. Capping the length of any string handed to the scrubber is a cheap second line of defence against the next such pattern. The finding underscores the persistent security risks hidden in seemingly innocuous data sanitization code, especially in tools with broad distribution and integration into developer environments.
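As an added illustration that is not code from the affected project, the following TypeScript puts the reported pattern beside the bounded replacement, builds the worst-case input described above, and times each pattern at two input sizes so the quadratic growth is visible. The `scrub` function, the `[REDACTED]` placeholder, the 8192-character input cap and the sample token are assumptions of this example, not details taken from the tool.

```typescript
// Added example, not the affected project's code. The first two regexes are
// the ones quoted in the report; everything else (scrub(), the "[REDACTED]"
// placeholder, MAX_SCRUB_INPUT, the sample token) is an assumption made
// here for illustration.

// Pattern quoted from telemetry.ts: unbounded {40,} followed by \b.
const VULNERABLE_BASE64 = /[A-Za-z0-9+/]{40,}={0,2}\b/g;

// Length-bounded replacement suggested in the report. It also drops \b, so
// a run longer than 100 characters is redacted in chunks of up to 100.
const BOUNDED_BASE64 = /[A-Za-z0-9+/]{40,100}={0,2}/g;

// Variant that keeps the word boundary: per start position the engine now
// tries at most 61 run lengths (100 down to 40) before giving up.
const BOUNDED_BASE64_WB = /[A-Za-z0-9+/]{40,100}={0,2}\b/g;

// Assumption: telemetry strings are short, so anything longer is truncated
// before any regex sees it. This bounds the damage of the next bad pattern.
const MAX_SCRUB_INPUT = 8192;

const REDACTED = "[REDACTED]";

// base64 of "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789": 48 chars, no padding
// (constructed sample, not a real secret).
const SAMPLE_TOKEN = "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIzNDU2Nzg5";

// ES5-safe string repeat (avoids relying on String.prototype.repeat).
function repeatStr(s: string, n: number): string {
  return new Array(n + 1).join(s);
}

// Redact base64-looking runs. Truncation happens first, so even the
// vulnerable pattern has a bounded worst case when used through scrub().
function scrub(input: string, pattern: RegExp = BOUNDED_BASE64): string {
  const s = input.length > MAX_SCRUB_INPUT ? input.slice(0, MAX_SCRUB_INPUT) : input;
  return s.replace(pattern, REDACTED);
}

// Worst case for the unbounded pattern: n class characters followed by "_",
// the only ASCII word character outside [A-Za-z0-9+/]. \b then never
// matches, and the engine backtracks {40,} from every start position,
// about n*n/2 attempts in total.
function worstCaseInput(n: number): string {
  return repeatStr("A", n) + "_";
}

// Milliseconds taken by one global replace with the given pattern on the
// raw (untruncated) input. String.prototype.replace resets lastIndex, so
// the shared /g regex objects can be reused safely.
function timeReplace(pattern: RegExp, input: string): number {
  const start = Date.now();
  input.replace(pattern, REDACTED);
  return Date.now() - start;
}

// Time a pattern at n and 2n characters; a quadratic pattern gives a ratio
// near 4, a linear one near 2 (timer noise aside, and NaN if too fast to time).
function measureGrowth(pattern: RegExp, n: number): { tN: number; t2N: number; ratio: number } {
  const tN = timeReplace(pattern, worstCaseInput(n));
  const t2N = timeReplace(pattern, worstCaseInput(2 * n));
  return { tN: tN, t2N: t2N, ratio: tN > 0 ? t2N / tN : NaN };
}

function demo(): void {
  const line = "rejected key " + SAMPLE_TOKEN + " for user";
  console.log(scrub(line, VULNERABLE_BASE64)); // rejected key [REDACTED] for user
  console.log(scrub(line, BOUNDED_BASE64));    // same result on a normal token

  // Keep n small: the vulnerable pattern already needs ~n*n/2 steps here.
  console.log("vulnerable:", JSON.stringify(measureGrowth(VULNERABLE_BASE64, 4000)));
  console.log("bounded:   ", JSON.stringify(measureGrowth(BOUNDED_BASE64, 4000)));
  console.log("bounded+\\b:", JSON.stringify(measureGrowth(BOUNDED_BASE64_WB, 4000)));
}

demo();
```

On a normal 48-character token all three patterns produce the same redacted line; they only diverge on the crafted input, where the unbounded pattern's time roughly quadruples when the input doubles while both bounded variants stay flat. Raising `n` in `demo()` to a few hundred thousand reproduces the reported hang, so do that only in a process you are prepared to kill.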