CVE-2020-26308
Regular Expression Denial of Service vulnerability in validate.js

Regular Expression Denial of Service | No known exploit

What is CVE-2020-26308 About?

Validate.js versions 0.13.1 and prior contain regular expressions vulnerable to Regular Expression Denial of Service (ReDoS). An attacker can craft malicious input that forces the regex engine into excessive computation, causing a denial of service. This is a common and relatively easy-to-exploit vulnerability if the input path is accessible.

Affected Software

validate.js <=0.13.1

Technical Details

Validate.js versions 0.13.1 and earlier include one or more regular expressions that are susceptible to catastrophic backtracking. The patterns contain overlapping quantifiers or alternation groups, so on certain inputs the regex engine has many ways to split the same text and tries them one after another. When such a regex is applied to a specially crafted input string, the engine attempts an exponential number of matching paths, consumes excessive CPU, and leaves the application unresponsive, producing a denial-of-service condition. The attack vector is any validation function that internally uses these regular expressions, supplied with an input string designed to trigger the regex's worst-case performance.
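The following added example (not code from validate.js or from this advisory) models the backtracking described above for a constructed pattern, `^(a+)+$`, and shows how a length cap applied before validation bounds the work. The pattern, the function names `backtrackSteps` and `withLengthCap`, and the limit of 16 are assumptions chosen for illustration.

```javascript
// Added example: constructed pattern and inputs, not taken from validate.js.
// Counts the attempts a backtracking engine makes for ^(a+)+$ on `input`.
function backtrackSteps(input) {
  let steps = 0;
  // Match one or more (a+) groups starting at pos, then end of input.
  function group(pos) {
    let run = 0; // longest run of 'a' the inner a+ can take here
    while (input[pos + run] === 'a') run++;
    // Greedy first, then give back one character at a time (backtracking).
    for (let len = run; len >= 1; len--) {
      steps++;
      const next = pos + len;
      if (next === input.length) return true; // $ matched
      if (group(next)) return true;           // another (a+) iteration
    }
    return false;
  }
  const matched = group(0);
  return { matched, steps, rejected: false };
}

// Mitigation: refuse over-long input before the pattern ever runs.
function withLengthCap(check, maxLen) {
  return (input) =>
    typeof input === 'string' && input.length <= maxLen
      ? check(input)
      : { matched: false, steps: 0, rejected: true };
}

const MAX_LEN = 16; // assumed per-field limit
const capped = withLengthCap(backtrackSteps, MAX_LEN);

for (const n of [5, 10, 15, 20]) {
  const bad = 'a'.repeat(n) + '!'; // constructed near-miss input
  const raw = backtrackSteps(bad).steps;
  const safe = capped(bad);
  console.log(n, raw, safe.rejected ? 'rejected' : safe.steps);
}
```

Each extra character in the near-miss input doubles the step count, while a matching input of any length costs a single step, which is why the cap has to be enforced before the validator is called.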

What is the Impact of CVE-2020-26308?

Successful exploitation may allow attackers to degrade system performance or cause the application to become unresponsive, leading to denial of service for legitimate users.

What is the Exploitability of CVE-2020-26308?

Exploitation generally involves providing a specially crafted, malicious input string to any validation function within the 'Validate.js' library that utilizes the vulnerable regular expressions. Complexity is low, as it primarily involves identifying the specific input fields validated by the library. Authentication requirements depend on whether the validation logic is applied to authenticated or unauthenticated user input, but often, ReDoS can occur pre-authentication. Privilege requirements are minimal, as it exploits the regular expression engine, not system privileges. This is typically a remote exploit if the validated input comes from network requests. The primary risk factor increasing exploitation likelihood is the direct exposure of user-controlled input to validation routines that use the vulnerable regexes.

What are the Known Public Exploits?

No known exploits

What are the Available Fixes for CVE-2020-26308?

Available Upgrade Options

  • No fixes available

Additional Resources

What are Similar Vulnerabilities to CVE-2020-26308?

Similar Vulnerabilities: CVE-2020-7661, CVE-2020-28500, CVE-2019-10756, CVE-2018-16460, CVE-2017-16016