CVE-2021-43306
Denial of Service vulnerability in jquery-validation (npm)

Tags: Denial of Service | No known exploit | Fixable by Resolved Security

What is CVE-2021-43306 About?

An exponential Regular Expression Denial of Service (ReDoS) vulnerability exists in the jquery-validation npm package. If an attacker can supply arbitrary input to the `url2` method, they can trigger prolonged processing times. This can lead to a denial of service, and exploitation is relatively straightforward if input control is gained.

Affected Software

  • jquery-validation
    • <1.19.4
  • jQuery.Validation
    • <1.19.4

Technical Details

The vulnerability is an exponential Regular Expression Denial of Service (ReDoS) within the jquery-validation npm package. It specifically affects the url2 method. When an attacker is able to provide arbitrary, specially crafted input to this method, the regular expression used internally to validate URLs becomes highly inefficient: the regex engine backtracks excessively, and processing time grows exponentially with the length of the input. This prolonged processing consumes CPU resources, rendering the application unresponsive and ultimately causing a denial of service.

What is the Impact of CVE-2021-43306?

Successful exploitation may allow attackers to cause a denial of service by triggering excessive CPU consumption, making the application unresponsive.

What is the Exploitability of CVE-2021-43306?

Exploitation requires an attacker to supply arbitrary input to the url2 method of the jquery-validation package. The complexity level is low, as the primary prerequisite is user-controlled input to this specific function. No authentication or elevated privileges are typically required, as client-side validation functions often process unauthenticated user input. This is generally a remote vulnerability, as the input would originate from a user's browser. The main special condition is that the application uses the vulnerable url2 method, directly or indirectly, on attacker-controlled data. Risk increases significantly if user-supplied data (e.g., from forms) is passed to this method without proper sanitization or length limits.
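The length limits and sanitization mentioned above, as an added example that is not jquery-validation's own code: attacker-controlled input is bounded and structurally checked with the non-backtracking WHATWG URL parser before any regex-based validator (such as url2) runs. The validator is passed in as a callback; `demoRegexValidator`, `MAX_URL_LENGTH` and the sample inputs are constructed for this example and are not the url2 pattern.

```javascript
// Added example (not jquery-validation code). Bounds the CPU cost of URL
// validation before a possibly backtracking validator sees user input.
// Assumption: `validator` is any (string) => boolean, e.g. a validation
// method the caller has bound; MAX_URL_LENGTH is a limit chosen here.

const MAX_URL_LENGTH = 2048; // constructed limit; tune per application

// Linear-time structural pre-check via the WHATWG URL parser (no regex
// backtracking). Accepts only http(s) URLs with a non-empty host.
function structurallyValidUrl(value) {
  let parsed;
  try {
    parsed = new URL(value);
  } catch (e) {
    return false; // malformed input never reaches the regex validator
  }
  const okScheme = parsed.protocol === 'http:' || parsed.protocol === 'https:';
  return okScheme && parsed.hostname.length > 0;
}

// Guarded wrapper: rejects over-long or malformed input first, so the time
// spent in `validator` is bounded by maxLength even if it backtracks.
function guardedUrlCheck(value, validator, maxLength = MAX_URL_LENGTH) {
  if (typeof value !== 'string') return false;
  if (value.length > maxLength) return false;
  if (!structurallyValidUrl(value)) return false;
  return validator(value);
}

// Constructed stand-in for a regex-based validator so the example runs
// offline. Deliberately simple; it is NOT the url2 regex.
function demoRegexValidator(value) {
  return /^https?:\/\/[^\s/]+(\/\S*)?$/.test(value);
}

// Constructed inputs: a normal URL, an over-long host, a malformed string,
// a non-http scheme, and a structurally valid URL the validator rejects.
const samples = [
  'https://example.com/path?q=1',
  'http://' + 'a'.repeat(5000),
  'not a url at all',
  'ftp://example.com/',
  'https://example.com/has space',
];

for (const s of samples) {
  console.log(JSON.stringify(s.slice(0, 40)), '->', guardedUrlCheck(s, demoRegexValidator));
}
```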

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2021-43306?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

The patch replaces an overly-permissive URL validation regex with one that explicitly disallows private and local IP address ranges, ensuring only public hosts are accepted. This prevents SSRF (Server-Side Request Forgery) vulnerabilities, addressing CVE-2021-43306 by blocking attackers from submitting URLs pointing to internal network resources.

Available Upgrade Options

  • jquery-validation
    • <1.19.4 → Upgrade to 1.19.4
  • jQuery.Validation
    • <1.19.4 → Upgrade to 1.19.4


Additional Resources

What are Similar Vulnerabilities to CVE-2021-43306?

Similar Vulnerabilities: CVE-2019-10747, CVE-2020-7788, CVE-2021-23425, CVE-2022-24706, CVE-2020-28282