Inefficient Regular Expression Complexity in erxes/erxes
Reported on
Jul 24th 2021
✍️ Description
If we use a regex in our match, search or replace functions, we must restrict what reaches that function. If an attacker can inject a regex, or can feed crafted input to an exponential regex that already exists in our code, the result is a ReDoS vulnerability. According to the paper "Freezing the Web: A Study of ReDoS Vulnerabilities in JavaScript-based Web Servers", when the web server is JavaScript-based and runs on Node.js, a single user can mount a DoS attack that degrades the response time for all users of the server, because Node.js executes JavaScript on a single thread.
I found this regex for matching a valid email address; it is used when new users register on the site:
/^\w+([\.-]?\w+)*@\w+([\.-]?\w+)*(\.\w{2,10})+$/
Obviously you should not chain multiple * or + quantifiers, especially when one of them sits inside a group and that group is itself repeated, as in the part \w+)* .
First, I apologize for testing a DoS vulnerability on your main website at erxes.io.
Second, after sending the following payload to the server two or three times, the server went down for approximately 30 seconds [1].
fddfadsfasdflkfjasdkfsdfadfadfadjlfsad@mail.c
Again, I apologize to you.
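The following is an added example, not code from the erxes project or from this report. It puts the quoted regex beside an unambiguous rewrite that accepts exactly the same set of addresses (the mandatory separator inside the repeated group removes the ambiguity), adds a length cap before any regex runs, and times the vulnerable pattern on local parts of growing length so the exponential backtracking is visible. The hardened pattern, the 254-character limit and the helper names are assumptions of this example, not the project's fix.

```javascript
// Added example (not erxes code): vulnerable email regex vs. an unambiguous
// rewrite, plus a timing ladder that exposes the catastrophic backtracking.

// The pattern quoted in the report. The nested quantifier \w+([\.-]?\w+)*
// lets a run of n word characters be split into segments in 2^(n-1) ways,
// and every split is retried when the overall match fails on the domain.
const VULNERABLE_EMAIL_RE = /^\w+([\.-]?\w+)*@\w+([\.-]?\w+)*(\.\w{2,10})+$/;

// Same language, but the separator inside the repeated group is mandatory,
// so a run of word characters has exactly one way to match: no ambiguity,
// no exponential backtracking. (Assumed hardening, not the project's own.)
const SAFE_EMAIL_RE = /^\w+(?:[.-]\w+)*@\w+(?:[.-]\w+)*\.\w{2,10}$/;

// Defence in depth: cap the length before the regex ever runs. 254 is the
// practical upper bound for an address (RFC 5321 path length); assumed here.
const MAX_EMAIL_LENGTH = 254;

function isValidEmail(candidate) {
  if (typeof candidate !== 'string' || candidate.length > MAX_EMAIL_LENGTH) {
    return false;
  }
  return SAFE_EMAIL_RE.test(candidate);
}

// The payload from the report: 38 word characters, then "@mail.c". The
// domain cannot satisfy (\.\w{2,10})+, so the engine backtracks through all
// 2^37 splits of the local part. Do not run VULNERABLE_EMAIL_RE on it; it
// will not return in any useful time.
const REPORTED_PAYLOAD = 'fddfadsfasdflkfjasdkfsdfadfadfadjlfsad@mail.c';

// Constructed payload of the same shape with an n-character local part.
function payloadOfLength(n) {
  return 'a'.repeat(n) + '@mail.c';
}

const now = () => (globalThis.performance ? performance.now() : Date.now());

// Time a single regex test; returns { matched, ms }.
function timeTest(re, input) {
  const start = now();
  const matched = re.test(input);
  return { matched, ms: now() - start };
}

// Run the vulnerable pattern over local parts of growing length. Each extra
// character roughly doubles the time; n is kept small so the demo finishes.
function backtrackingLadder(lengths = [10, 12, 14, 16, 18]) {
  return lengths.map((n) => ({ n, ...timeTest(VULNERABLE_EMAIL_RE, payloadOfLength(n)) }));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const row of backtrackingLadder()) {
    console.log(`vulnerable, local part ${row.n} chars: ${row.ms.toFixed(3)} ms`);
  }
  const safe = timeTest(SAFE_EMAIL_RE, REPORTED_PAYLOAD);
  console.log(`safe regex on reported payload: ${safe.ms.toFixed(3)} ms, matched=${safe.matched}`);
  console.log(`isValidEmail("john.doe@example.com") = ${isValidEmail('john.doe@example.com')}`);
}
```

Running the block prints the ladder; the doubling per character is the signature of a ReDoS-prone pattern, and the reported 38-character local part is roughly 2^20 times slower than the 18-character step shown here. The length cap is worth keeping even with the rewritten regex, since it bounds the work of any validator that later replaces it.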
💥 Impact
This vulnerability is capable of doing heavy damage to the server.
[1] https://imgur.com/9mQyNBX
@admin Hi dear huntr team,
This is a critical vulnerability: as you can see in the picture, the server goes down for 30 seconds with only a small payload. Please immediately find a way to connect with the maintainers.