CVE-2016-2537
Regular Expression Denial of Service (ReDoS) vulnerability in is-my-json-valid (npm)

Regular Expression Denial of Service (ReDoS) No known exploit

What is CVE-2016-2537 About?

Versions of `is-my-json-valid` before 2.12.4 are vulnerable to Regular Expression Denial of Service (ReDoS) through its email validation function. This allows attackers to cause a denial of service by providing specially crafted input. Exploitation is relatively easy if an application uses the vulnerable email validation with untrusted input.

Affected Software

is-my-json-valid <2.12.4

Technical Details

The vulnerability in is-my-json-valid versions prior to 2.12.4 resides in the regular expression used for email validation. This regex is prone to catastrophic backtracking on certain malformed input strings. When an attacker provides a specially crafted email string (e.g., one with many repetitions of specific characters or patterns), the regex engine explores an exponentially increasing number of paths and consumes excessive CPU time evaluating the input. This prolonged processing effectively locks up the application and prevents it from handling other requests, leading to a denial of service. The attack vector is the submission of such a malicious string wherever the library performs email validation.

What is the Impact of CVE-2016-2537?

Successful exploitation may allow attackers to cause the affected service or application to become unresponsive or consume excessive resources, leading to a denial of service for legitimate users.

What is the Exploitability of CVE-2016-2537?

Exploitation requires crafting a specific string that triggers the catastrophic backtracking in the email validation regex. This is of moderate complexity. No authentication or specific privileges are required, as the attack relies on feeding untrusted input to the vulnerable validation function. This is typically a remote exploitation scenario if the application processes external user input containing email addresses. The main constraint is identifying an input field where the is-my-json-valid library's email validation is used. Risk factors that increase exploitation likelihood include applications that perform email validation on untrusted input without any rate limiting or input size restrictions.

What are the Known Public Exploits?

No known exploits

What are the Available Fixes for CVE-2016-2537?

Available Upgrade Options

  • is-my-json-valid
    • <2.12.4 → Upgrade to 2.12.4


What are Similar Vulnerabilities to CVE-2016-2537?

Similar Vulnerabilities: CVE-2023-38034, CVE-2023-32001, CVE-2021-3807, CVE-2023-26136, CVE-2023-28102