PT-2020-6962 · Npm+4 · Npm-User-Validate+4

Yeting Li · Published 2020-10-16 · Updated 2022-07-22

CVE-2020-7754 · CVSS v3.1 8.1 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerable software and affected versions: npm-user-validate versions prior to 1.0.1
Description: The issue is a Regular Expression Denial of Service (ReDoS) in the npm-user-validate package. The regular expression used to validate user email addresses backtracks catastrophically on long input strings that begin with @ characters, so validation time grows far faster than the input length and a single request can tie up CPU for seconds. The email() function is affected; an application that passes arbitrary user input to it with no length limit can be made to stall.
Recommendations: For versions prior to 1.0.1, update to 1.0.1 or later, which improves the regular expression and enforces a 254-character limit on the email string. As a temporary workaround, cap the input length (254 characters is the limit the fix uses) before passing a value to the email() function, and apply stricter sanitization/validation beforehand. To check whether a project pulls in a vulnerable copy, run npm ls npm-user-validate in the project directory; note that the package is also bundled with the npm CLI itself, which is why the Linux distribution advisories listed below are issued for their nodejs packages rather than for a separate npm-user-validate package.
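The following is an added example, not code from npm-user-validate or its maintainers. It puts a validator shaped like the pre-1.0.1 email check beside one that applies the 1.0.1-style fix (a 254-character cap plus a pattern that cannot backtrack across the @), builds the @-only input the description refers to, and times both validators on it. The two regexes are reconstructions of the pattern shapes rather than quotations of the package, and the function names, the payload builder and the timing helpers are assumptions of this example.

```javascript
// Added example, not code from npm-user-validate: a validator shaped like the
// pre-1.0.1 email check next to one applying the 1.0.1-style fix (length cap
// plus a pattern that cannot backtrack across the '@'). Both regexes are
// reconstructions of the pattern shapes, and every function name here is an
// assumption of this example.

// Vulnerable shape: the '.+' on either side of '@' can both absorb '@'
// characters, so on a long '@'-only input with no '.' the engine retries
// every split of the string before failing: quadratic in the input length.
const VULNERABLE_EMAIL_RE = /^.+@.+\..+$/;

// Hardened shape: the local part excludes '@', so the first split is fixed,
// and the length cap bounds whatever backtracking remains.
const MAX_EMAIL_LENGTH = 254;
const HARDENED_EMAIL_RE = /^[^@]+@.+\..+$/;

function validateEmailVulnerable(em) {
  if (!VULNERABLE_EMAIL_RE.test(em)) {
    return new Error('Email must be an email address');
  }
  return null;
}

function validateEmailHardened(em) {
  // Length check first: nothing longer than the cap ever reaches the regex.
  if (typeof em !== 'string' || em.length > MAX_EMAIL_LENGTH) {
    return new Error(
      `Email length must be less than or equal to ${MAX_EMAIL_LENGTH} characters long`
    );
  }
  if (!HARDENED_EMAIL_RE.test(em)) {
    return new Error('Email must be an email address');
  }
  return null;
}

// Constructed attacker input: n '@' characters and no '.', the shape the
// advisory describes.
function redosPayload(n) {
  return '@'.repeat(n);
}

// Wall-clock milliseconds for one validation call.
function timeValidation(validate, input) {
  const start = process.hrtime.bigint();
  validate(input);
  return Number(process.hrtime.bigint() - start) / 1e6;
}

// Doubling test on the vulnerable pattern: time(2n) / time(n) approaches 4 as
// n grows (quadratic work), while the hardened validator rejects the same
// inputs on the length check in microseconds.
function growthRatios(n) {
  const vulnerable1 = timeValidation(validateEmailVulnerable, redosPayload(n));
  const vulnerable2 = timeValidation(validateEmailVulnerable, redosPayload(2 * n));
  const hardened1 = timeValidation(validateEmailHardened, redosPayload(n));
  const hardened2 = timeValidation(validateEmailHardened, redosPayload(2 * n));
  return {
    n,
    vulnerableMs: [vulnerable1, vulnerable2],
    vulnerableRatio: vulnerable2 / vulnerable1,
    hardenedMs: [hardened1, hardened2],
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  // n = 5000 keeps the vulnerable run in the sub-second range on a typical
  // machine; raise it to watch the stall grow.
  console.log(growthRatios(5000));
}
```

Two things worth noticing when running it: the hardened validator never evaluates the regex for the long payloads at all, because the cap rejects them first, which is why the length check alone is a sound stop-gap even before the pattern is changed; and the old pattern accepts an address such as "@@example.com" that the hardened one rejects, so the fix also tightens what counts as an email.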

Weakness Enumeration

Resource Exhaustion

Related Identifiers

ALSA-2021:0548
ALSA-2021:0549
ALSA-2021:0551
BDU:2024-01510
CESA-2021_0548
CESA-2021_0549
CESA-2021_0551
CVE-2020-7754
GHSA-PW54-MH39-W3HC
GHSA-XGH6-85XH-479P
OESA-2022-1769
RHSA-2021:0421
RHSA-2021:0485
RHSA-2021:0521
RHSA-2021:0548
RHSA-2021:0549
RHSA-2021:0551
RHSA-2021_0548
RHSA-2021_0549
RHSA-2021_0551
RLSA-2021:0548
RLSA-2021:0549
RLSA-2021:0551
SNYK-JAVA-ORGWEBJARSNPM-1019353
SNYK-JS-NPMUSERVALIDATE-1019352

Affected Products

AlmaLinux
CentOS
Red Hat
Rocky Linux
npm-user-validate