Incorrect Regular Expression in validator.js

#VU68281 Incorrect Regular Expression in validator.js

Published: 2022-10-12

Vulnerability identifier: #VU68281

Vulnerability risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-3765

CWE-ID:

Exploitation vector: Network

Exploit availability:

Vulnerable software:
validator.js
Web applications / JS libraries

Vendor: validatorjs

Description

The vulnerability allows a remote attacker to perform a regular expression denial of service (ReDoS) attack.

The vulnerability exists due to improper input validation when handling user-supplied input. A remote attacker can pass specially crafted data to the application and perform a regular expression denial of service (ReDoS) attack.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

validator.js: 0.5.0 - 13.6.1

Fixed software versions

CPE

cpe:2.3:a:validatorjs:validator.js:13.6.1:*:*:*:*:*:*:*

External links
http://huntr.dev/bounties/c37e975c-21a3-4c5f-9b57-04d63b28cfc9
http://github.com/validatorjs/validator.js/commit/496fc8b2a7f5997acaaec33cc44d0b8dba5fb5e1

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

Latest bulletins with this vulnerability

Multiple vulnerabilities in IBM QRadar User Behavior Analytics

Multiple vulnerabilities in Red Hat OpenShift Data Foundation 4.13

Multiple vulnerabilities in IBM Cloud Transformation Advisor

Incorrect regular expression in IBM QRadar Assistant

Multiple vulnerabilities in Netcool Operations Insight

Multiple vulnerabilities in IBM QRadar Pulse for QRadar SIEM

Multiple vulnerabilities in Juniper Networks Contrail Networking

Regular expression denial of service in validator.js