CVE-2023-27704 Void Tools Everything lower than v1.4.1.1022 was discovered to contain a Regular Expression Denial of Service (ReDoS)

fix at Everything 1.5 alpha

[Suggested description] Void Tools Everything lower than v1.4.1.1022 was discovered to contain a Regular Expression Denial of Service (ReDoS).

[Additional Information] I put the detailed reproduction process in this link: https://drive.google.com/drive/folders/1BmHAGSugrFo0whDEmg6nnbaOkvE21X-p?usp=sharing

[VulnerabilityType Other] Regular expression Denial of Service

[Vendor of Product] https://www.voidtools.com/

[Affected Product Code Base] Everything - lower than 1.4.1.1022 (x64)

[Affected Component] Everything installed version lower than 1.4.1.1022 (x64)

[Attack Type] Local

[Impact Denial of Service] true

[Attack Vectors] I discovered a ReDos vulnerability in everything Version 1.4.1.1015 (x64)

The ReDos vulnerability trigger is roughly like this,"^([\w]+)+$"

Recurrence process: 1.Enable the regex function of everything

2.Insert regex statements that can lead to ReDos in the search box

Then you can see in the task manager that the CPU usage is very high can reach more than 90%, and everything is not responding

I put the detailed reproduction process in this link: https://drive.google.com/drive/folders/1BmHAGSugrFo0whDEmg6nnbaOkvE21X-p?usp=sharing

[Reference] https://drive.google.com/drive/folders/1BmHAGSugrFo0whDEmg6nnbaOkvE21X-p?usp=sharing https://www.voidtools.com/en-us/downloads/

[Discoverer] happy0717