CVE-2020-7754
Regular Expression Denial of Service (ReDoS) vulnerability in npm-user-validate (npm)
What is CVE-2020-7754 About?
This vulnerability affects the `npm-user-validate` package before 1.0.1, stemming from a Regular Expression Denial of Service (ReDoS) flaw. The regex used to validate user emails exhibits exponentially longer processing times for certain long input strings starting with '@' characters. This can lead to a denial of service by consuming excessive CPU resources. Exploitation is possible with a single malicious input.
Affected Software
Technical Details
The npm-user-validate package incorporates a regular expression designed for validating user email addresses. The vulnerability lies in the specific pattern used, which is prone to catastrophic backtracking when processing particular malicious input. Specifically, if a very long string beginning with the '@' character (e.g., '@' + 'a'.repeat(N)) is fed into the validation function, the regex engine attempts an exponentially increasing number of matching paths. This combinatorial explosion in processing paths leads to an excessive consumption of CPU resources, causing the application to become unresponsive or crash. The inefficient nature of the regex's backtracking mechanism for certain input patterns triggers this Regular Expression Denial of Service (ReDoS).
What is the Impact of CVE-2020-7754?
Successful exploitation may allow attackers to cause a denial of service by consuming excessive CPU resources, making the application unresponsive or crashing the server.
What is the Exploitability of CVE-2020-7754?
Exploitation is straightforward, requiring an attacker to send a specially crafted long string that starts with an '@' character to an application endpoint that uses npm-user-validate for email validation. No authentication is typically required if the email validation occurs on a publicly accessible signup or profile update form, making this a remote attack. The primary prerequisite is that the application uses the vulnerable npm-user-validate package. The risk is high as a single, unauthenticated, malicious input can lead to a denial of service, impacting the availability of the service.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2020-7754?
About the Fix from Resolved Security
The patch enforces a maximum email length of 254 characters and rejects any input that exceeds this limit before the validation regex runs. This fixes CVE-2020-7754 by preventing an email validation bypass and the denial of service caused by excessively long email addresses, and the limit aligns with the standard maximum length of an email address.
Available Upgrade Options
- npm-user-validate
- <1.0.1 → Upgrade to 1.0.1
Additional Resources
- https://snyk.io/vuln/SNYK-JS-NPMUSERVALIDATE-1019352
- https://github.com/npm/npm-user-validate/security/advisories/GHSA-xgh6-85xh-479p
- https://nvd.nist.gov/vuln/detail/CVE-2020-7754
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1019353
- https://github.com/npm/npm-user-validate/commit/c8a87dac1a4cc6988b5418f30411a8669bef204e
- https://osv.dev/vulnerability/GHSA-pw54-mh39-w3hc
What are Similar Vulnerabilities to CVE-2020-7754?
Similar Vulnerabilities: CVE-2020-26311, CVE-2022-24434, CVE-2022-25925, CVE-2023-26136, CVE-2021-43809
