GHSA-xgh6-85xh-479p

Source

https://github.com/advisories/GHSA-xgh6-85xh-479p

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/10/GHSA-xgh6-85xh-479p/GHSA-xgh6-85xh-479p.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-xgh6-85xh-479p

Aliases

CVE-2020-7754
GHSA-pw54-mh39-w3hc
SNYK-JAVA-ORGWEBJARSNPM-1019353
SNYK-JS-NPMUSERVALIDATE-1019352

Published

2020-10-16T18:56:26Z

Modified

2023-11-08T04:04:08.622642Z

Summary

Regular Expression Denial of Service in npm-user-validate

Details

npm-user-validate before version 1.0.1 is vulnerable to a Regular Expression Denial of Service (REDos). The regex that validates user emails took exponentially longer to process long input strings beginning with @ characters.

Impact

The issue affects the email function. If you use this function to process arbitrary user input with no character limit the application may be susceptible to Denial of Service.

Patches

The issue is patched in version 1.0.1 by improving the regular expression used and also enforcing a 254 character limit.

Workarounds

Restrict the character length to a reasonable degree before passing a value to .emal(); Also, consider doing a more rigorous sanitizing/validation beforehand.

References

https://github.com/npm/npm-user-validate/security/advisories/GHSA-xgh6-85xh-479p

Affected packages

npm / npm-user-validate

Package

Name: npm-user-validate; View open source insights on deps.dev
Purl: pkg:npm/npm-user-validate

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.0.1

Database specific

{
    "last_known_affected_version_range": "<= 1.0.0"
}