GHSA-xrx9-gj26-5wx9: v8n vulnerable to Inefficient Regular Expression Complexity
Impact
Inefficient regular expression complexity in the `lowercase()` and `uppercase()` regex could lead to a denial of service attack. With a crafted payload of the form 'a' + 'a'.repeat(i) + 'A', a payload of only 32 characters took 29443 ms to execute when testing `lowercase()`. The same issue occurs with `uppercase()`.
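An added example (not code from v8n or from this advisory) of what the Impact section describes: a constructed nested-quantifier regex standing in for the vulnerable `lowercase()` pattern (the advisory does not print the library's own expression), the payload shape it names, a linear-time replacement, and a time-budget check a test suite can use to catch a validator that backtracks catastrophically.

```javascript
// Added illustration, not code from v8n. The advisory does not print the
// library's expression, so this nested-quantifier pattern is a constructed
// stand-in that backtracks catastrophically in the same way.
const VULNERABLE_LOWERCASE = /^([a-z]+)+$/;

// Payload shape from the advisory: a run of 'a' followed by one 'A'. The
// final 'A' makes the match fail, and before giving up the engine tries
// every way of splitting the run between the two '+' loops (2^i ways).
function redosPayload(i) {
  return 'a' + 'a'.repeat(i) + 'A';
}

// Linear-time replacement: "lowercase" taken to mean at least one lowercase
// ASCII letter and no uppercase one (an assumption about the intended
// semantics). One pass, no regex, so the cost is O(n) for any input.
function isLowercase(value) {
  if (typeof value !== 'string') return false;
  let sawLower = false;
  for (const ch of value) {
    if (ch >= 'A' && ch <= 'Z') return false;
    if (ch >= 'a' && ch <= 'z') sawLower = true;
  }
  return sawLower;
}

// Best-of-N wall-clock time of one call, in milliseconds (Node's global
// performance.now()).
function timeMs(fn, input, runs = 5) {
  let best = Infinity;
  for (let r = 0; r < runs; r++) {
    const start = performance.now();
    fn(input);
    best = Math.min(best, performance.now() - start);
  }
  return best;
}

// Regression guard for a validator: every payload size must finish within a
// small budget. A catastrophic regex blows past it at a few dozen characters.
function withinBudget(fn, sizes, budgetMs = 5) {
  return sizes.every((n) => timeMs(fn, redosPayload(n)) <= budgetMs);
}

// Small sizes only: the regex is already visibly slower at i=18 than at
// i=10, while the linear check stays flat. Larger i quickly becomes seconds.
for (const i of [10, 14, 18]) {
  const p = redosPayload(i);
  console.log(`i=${i}: regex ${timeMs((s) => VULNERABLE_LOWERCASE.test(s), p).toFixed(3)} ms,` +
    ` linear ${timeMs(isLowercase, p).toFixed(3)} ms`);
}
```

Do not raise the demonstration sizes much past 20: the constructed regex's cost doubles with every added character.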
Patches
v1.5.1
References
- huntr.dev report: Regular Expression Denial of Service (ReDoS) and Catastrophic Backtracking
For more information
If you have any questions or comments about this advisory:
- Open an issue in v8n issues list
- Email us at [email protected]
High severity GitHub Reviewed Published Oct 7, 2022 in imbrn/v8n • Updated Oct 7, 2022
v8n is a JavaScript validation library. Versions of v8n prior to 1.5.1 were found to have an inefficient regular expression complexity in the `lowercase()` and `uppercase()` regex which could lead to a denial of service attack. In testing of the `lowercase()` function a payload of 'a' + 'a'.repeat(i) + 'A' with 32 leading characters took 29443 ms to execute. The same issue happens with `uppercase()`. Users are advised to upgrade. There are no known workarounds for this issue.