CVE-2021-3765
Inefficient Regular Expression Complexity vulnerability in validator (npm)
What is CVE-2021-3765 About?
Validator.js versions prior to 13.7.0 are vulnerable to Inefficient Regular Expression Complexity (ReDoS). This vulnerability can lead to a denial of service if an attacker provides specially crafted input that causes exponential processing time for regular expressions. Exploitation is straightforward if an attacker can control the input to the validator.js library.
Affected Software
Technical Details
The vulnerability in validator.js (prior to 13.7.0) is an Inefficient Regular Expression Complexity, also known as ReDoS. Specific regular expressions within the library are susceptible to exponential backtracking when processing particular malicious input strings. An attacker can craft an input string that, when passed to a vulnerable validation function, causes the regular expression engine to consume excessive CPU resources and time. This prolonged processing time can block the event loop in Node.js applications or significantly degrade performance in browser-based applications, leading to a denial of service (DoS) for users or the entire application.
What is the Impact of CVE-2021-3765?
Successful exploitation may allow attackers to cause a denial of service by consuming excessive CPU resources, making the application unresponsive.
What is the Exploitability of CVE-2021-3765?
Exploitation involves supplying a specially crafted input string to a validation function in the vulnerable validator.js library. Attack complexity is low if the attacker can control input passed to any of the vulnerable regular expressions. No authentication or special privileges are required, as validation typically occurs on unauthenticated user input. This is generally a remote vulnerability, as the input would come from a user over a network. Special conditions include the application using a vulnerable version of validator.js and passing attacker-controlled data to its validation methods. Risk increases significantly if user-supplied data, such as email addresses, URLs, or other formatted strings, is validated with the affected library without proper input length limits or pre-filtering.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2021-3765?
About the Fix from Resolved Security
The patch removes nested quantifiers and unnecessary capturing groups from regular expressions in isSlug.js and rtrim.js, preventing catastrophic backtracking that caused regular expression denial of service (ReDoS). By simplifying these regex patterns, the patch ensures that inputs (including long or crafted malicious ones) are handled efficiently, addressing the underlying vulnerability described in CVE-2021-3765.
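The two defences the sections above describe, removing nested quantifiers from a pattern (the fix) and bounding input length before validation (the mitigation named under exploitability), as an added example. This is not validator.js code and the patterns, names and length limit here are constructed for illustration; the library's own isSlug.js and rtrim.js regexes are not reproduced.

```javascript
// Added example, not code from validator.js. Every pattern, function name
// and limit below is constructed to illustrate the advisory's points.

// A slug checker written with a nested quantifier: `[a-z0-9]+` sits inside
// a repeated group whose separator is optional. When a long run of letters
// ends in a character the pattern can never accept (for example "!"), the
// engine tries every way of splitting that run between the inner and outer
// `+` before giving up, and the number of splits grows exponentially.
const SLUG_NESTED = /^([a-z0-9]+-?)+[a-z0-9]$/;

// Same language, unambiguous structure: every hyphen must be followed by at
// least one alphanumeric, so there is exactly one way to match any input
// and matching time is linear in the input length.
const SLUG_LINEAR = /^[a-z0-9]+(-[a-z0-9]+)*$/;

function isSlug(str) {
  return SLUG_LINEAR.test(str);
}

// Trailing-whitespace trim without a regex. A pattern like `/\s+$/` is
// retried from every whitespace position on inputs such as
// "a" + " ".repeat(n) + "b" (quadratic); walking back from the end is one pass.
function rtrimLinear(str) {
  let end = str.length;
  while (end > 0 && /\s/.test(str[end - 1])) end -= 1;
  return str.slice(0, end);
}

// Length gate: the cheapest mitigation while an upgrade is pending. Reject
// oversized input before it reaches any regex-backed validator, so even a
// super-linear pattern only ever sees bounded input.
const MAX_INPUT_LENGTH = 254; // constructed limit; choose one per field

function validateBounded(validator, str, maxLength = MAX_INPUT_LENGTH) {
  if (typeof str !== 'string') return false;
  if (str.length > maxLength) return false;
  return validator(str);
}

// Usage: both slug patterns agree on ordinary input, but only the linear
// one is safe to expose to untrusted strings of unbounded length.
console.log(isSlug('my-slug-1'), SLUG_NESTED.test('my-slug-1'));   // true true
console.log(validateBounded(isSlug, 'a'.repeat(300)));              // false
console.log(JSON.stringify(rtrimLinear('abc \t\n')));               // "abc"
```

The rewrite from `SLUG_NESTED` to `SLUG_LINEAR` is the same kind of change the patch makes: keep the accepted language, remove the ambiguity that lets the engine backtrack. The length gate is independent of any particular pattern and is worth keeping even after upgrading, since it caps the cost of every validator behind it.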
Available Upgrade Options
- validator
  - <13.7.0 → Upgrade to 13.7.0
Additional Resources
- https://osv.dev/vulnerability/GHSA-qgmg-gppg-76g5
- https://huntr.dev/bounties/c37e975c-21a3-4c5f-9b57-04d63b28cfc9
- https://github.com/validatorjs/validator.js/commit/496fc8b2a7f5997acaaec33cc44d0b8dba5fb5e1
- https://github.com/validatorjs/validator.js
- https://nvd.nist.gov/vuln/detail/CVE-2021-3765
What are Similar Vulnerabilities to CVE-2021-3765?
Similar Vulnerabilities: CVE-2021-43306, CVE-2019-10747, CVE-2020-7788, CVE-2021-23425, CVE-2020-28282
