GHSA-xgh6-85xh-479p

Source
https://github.com/advisories/GHSA-xgh6-85xh-479p
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/10/GHSA-xgh6-85xh-479p/GHSA-xgh6-85xh-479p.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-xgh6-85xh-479p
Aliases
Published
2020-10-16T18:56:26Z
Modified
2023-11-01T04:53:37.424804Z
Summary
Regular Expression Denial of Service in npm-user-validate
Details

npm-user-validate before version 1.0.1 is vulnerable to a Regular Expression Denial of Service (ReDoS). The regex that validates user emails took exponentially longer to process long input strings beginning with @ characters.

Impact

The issue affects the email function. If you use this function to process arbitrary user input with no character limit, the application may be susceptible to Denial of Service.

Patches

The issue is patched in version 1.0.1 by improving the regular expression used and also enforcing a 254 character limit.

Workarounds

Restrict the character length to a reasonable degree before passing a value to .email(). Also consider doing more rigorous sanitizing/validation beforehand.
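The workaround above as an added example (not code from the advisory or from the npm-user-validate project): a guard that enforces the same 254-character cap the 1.0.1 fix uses, and a cheap linear-time structural check, before any regex-based validator sees the input. The validator is passed in as a parameter so the snippet runs offline; the default `linearEmailCheck` is a constructed stand-in, and the assumption that npm-user-validate's `email()` returns `null` on success and an `Error` otherwise is mirrored in the return convention.

```javascript
// Added example; not part of the advisory or of npm-user-validate itself.
const MAX_EMAIL_LENGTH = 254; // the limit enforced by the 1.0.1 fix

// Constructed stand-in validator: exactly one '@', a non-empty local part and
// a domain containing a dot. Uses indexOf only, so its cost is linear in the
// input length and there is no regex backtracking to blow up.
function linearEmailCheck(em) {
  const at = em.indexOf('@');
  if (at <= 0 || at !== em.lastIndexOf('@')) {
    return new Error('Email must contain exactly one @ with a non-empty local part');
  }
  const domain = em.slice(at + 1);
  const dot = domain.indexOf('.');
  if (dot <= 0 || dot === domain.length - 1) {
    return new Error('Email domain must contain a dot between two non-empty labels');
  }
  return null;
}

// Returns null when the value is acceptable, otherwise an Error saying why.
// The length check runs first, so oversized input never reaches `validate`
// (which in production would be npm-user-validate's email(), assumed to
// follow the same null-or-Error convention).
function safeEmail(input, validate = linearEmailCheck) {
  if (typeof input !== 'string') return new Error('Email must be a string');
  if (input.length > MAX_EMAIL_LENGTH) {
    return new Error(`Email must be at most ${MAX_EMAIL_LENGTH} characters`);
  }
  return validate(input);
}

// Constructed input of the shape the advisory describes: a long run of
// leading '@' characters. It is rejected by the length check alone.
const hostileInput = '@'.repeat(5000) + 'a';

module.exports = { MAX_EMAIL_LENGTH, linearEmailCheck, safeEmail, hostileInput };
```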

References

Affected packages

npm / npm-user-validate

Package

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.0.1

Database specific

{
    "last_known_affected_version_range": "<= 1.0.0"
}