| Vulnerability_id | VCID-khpz-njyn-5qd1 |
| Summary | Regular Expression Denial of Service in npm-user-validate |

`npm-user-validate` before version `1.0.1` is vulnerable to a Regular Expression Denial of Service (ReDoS). The regex that validates user emails took exponentially longer to process long input strings beginning with `@` characters.

### Impact
The issue affects the `email` function. If you use this function to process arbitrary user input with no character limit, the application may be susceptible to Denial of Service.

### Patches
The issue is patched in version 1.0.1 by improving the regular expression used and also enforcing a 254 character limit.

### Workarounds
Restrict the character length to a reasonable degree before passing a value to `.email()`; also consider doing more rigorous sanitizing/validation beforehand.
| Aliases | GHSA-xgh6-85xh-479p |
| Fixed_packages | |
| Affected_packages | |
| References | |
| Weaknesses | |
| Exploits | |
| Severity_range_score | 0.1 - 3 |
| Exploitability | 0.5 |
| Weighted_severity | 2.7 |
| Risk_score | 1.4 |
| Resource_url | http://public2.vulnerablecode.io/vulnerabilities/VCID-khpz-njyn-5qd1 |
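The workaround above (cap the length before the value reaches `.email()`), written out as an added example; this is not code from npm-user-validate or from the advisory. `preValidateEmail`, `guardedEmail`, `MAX_EMAIL_LENGTH` and the shape regex are assumptions chosen here; the 254 figure is the limit the 1.0.1 patch enforces.

```javascript
// Added example: a length-bounded pre-check placed in front of any email
// validator whose regex may backtrack badly on long, hostile input.
const MAX_EMAIL_LENGTH = 254; // same cap the npm-user-validate 1.0.1 fix applies

// Coarse structural check only (one '@', non-empty local part and domain,
// no whitespace). It has no nested quantifiers, so its cost is polynomial
// in the input length, and the cap above bounds that length anyway.
const SAFE_EMAIL_SHAPE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

// Reject oversized or obviously malformed input before any heavier
// validation runs. Returns { ok, reason } so callers can log the reason.
function preValidateEmail(input) {
  if (typeof input !== 'string') {
    return { ok: false, reason: 'not a string' };
  }
  if (input.length > MAX_EMAIL_LENGTH) {
    return { ok: false, reason: 'too long' };
  }
  if (!SAFE_EMAIL_SHAPE.test(input)) {
    return { ok: false, reason: 'bad shape' };
  }
  return { ok: true };
}

// Hypothetical wrapper: `validator` stands in for a function with the
// npm-user-validate style contract (returns null when valid, an Error
// otherwise), e.g. require('npm-user-validate').email. The validator only
// ever sees input that already passed the length cap.
function guardedEmail(validator, input) {
  const pre = preValidateEmail(input);
  if (!pre.ok) {
    return new Error(`rejected before validation: ${pre.reason}`);
  }
  return validator(input);
}

// Constructed sample inputs: a normal address and a long run of '@',
// the kind of string the advisory describes as slow to process.
const samples = ['user@example.com', '@'.repeat(10000)];
for (const s of samples) {
  console.log(s.length, preValidateEmail(s));
}
```
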