CVE-2022-31147
Denial of Service vulnerability in jquery-validation (npm)
What is CVE-2022-31147 About?
This vulnerability is an incomplete fix for CVE-2021-43306, affecting the jquery-validation npm package. It can lead to an exponential Regular Expression Denial of Service (ReDoS) if an attacker provides arbitrary input to the `url2` method. Exploitation is relatively easy as it only requires manipulating input data.
Affected Software
Technical Details
This vulnerability is an incomplete fix of a previous ReDoS issue (CVE-2021-43306). It specifically affects the jquery-validation npm package. The issue lies within the `url2` method, which uses a regular expression that is vulnerable to exponential ReDoS. An attacker can craft a malformed input string containing specific repeating characters or patterns. When this input is passed to the `url2` method for validation, the regular expression engine enters a catastrophic backtracking state, consuming excessive CPU resources and leading to a denial of service for the application.
What is the Impact of CVE-2022-31147?
Successful exploitation may allow attackers to cause a denial of service, rendering the affected application unresponsive or unavailable to legitimate users.
What is the Exploitability of CVE-2022-31147?
Exploitation of this ReDoS vulnerability is generally low in complexity. The primary prerequisite is that the application uses the vulnerable jquery-validation npm package and allows user-controlled input to be passed to its url2 method. No specific authentication or privilege is required, as the attack relies purely on input validation. The attack is typically remote, as it involves sending maliciously crafted data via web forms or API calls. The critical risk factor is the application's exposure of the url2 method to untrusted user input, which significantly increases the likelihood of successful exploitation.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| amhar-hckr | Link | CVE-2022-31147 is a path traversal flaw in matthiasmullie/minify. This guide helps security teams test for arbitrary file read on Linux and Windows using Python and curl. It covers automated... |
What are the Available Fixes for CVE-2022-31147?
About the Fix from Resolved Security
This patch tightens the regular expression used for URL validation to more accurately parse and validate the userinfo section of URLs, disallowing unsafe and invalid characters. By doing so, it addresses the flaw that allowed certain malicious or malformed URLs to bypass validation, thereby fixing CVE-2022-31147, which involved incomplete URL input validation leading to potential security issues.
Available Upgrade Options
- jquery-validation
- <1.19.5 → Upgrade to 1.19.5
Additional Resources
- https://github.com/jquery-validation/jquery-validation/commit/5bbd80d27fc6b607d2f7f106c89522051a9fb0dd
- https://github.com/jquery-validation/jquery-validation/security/advisories/GHSA-ffmh-x56j-9rc3
- https://github.com/jquery-validation/jquery-validation/releases/tag/1.19.5
- https://nvd.nist.gov/vuln/detail/CVE-2022-31147
- https://osv.dev/vulnerability/GHSA-ffmh-x56j-9rc3
- https://github.com/jquery-validation/jquery-validation
What are Similar Vulnerabilities to CVE-2022-31147?
Similar Vulnerabilities: CVE-2021-43306, CVE-2020-28198, CVE-2021-3918, CVE-2021-23351, CVE-2021-23439
