Regular Expression Denial of Service in npm-user-validate
npm-user-validate before version 1.0.1 is vulnerable to a Regular Expression Denial of Service (ReDoS). The regex that validates user emails took exponentially longer to process long input strings beginning with
The issue affects the
The issue is patched in version 1.0.1 by improving the regular expression used and also enforcing a 254 character limit.
Restrict the character length to a reasonable degree before passing a value to .email(). Also consider doing more rigorous sanitizing/validation beforehand.
Upgrade to version 1.0.1 or later.
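The workaround above (bound the input length before the regex ever runs) as an added JavaScript example; it is not code from the advisory or from npm-user-validate, and it assumes the wrapped validator follows that library's convention of returning null for a valid address and an Error otherwise. The constructed stand-in validator only exists so the example runs offline.

```javascript
// Added example (not part of the advisory or of npm-user-validate itself):
// a length-bounding wrapper that runs cheap checks before handing an email
// to a regex-based validator such as npm-user-validate's .email().
// Assumption: the wrapped validator returns null when valid, an Error otherwise.

const MAX_EMAIL_LENGTH = 254;      // same bound the 1.0.1 fix enforces
const MAX_LOCAL_PART_LENGTH = 64;  // RFC 5321 limit for the part before '@'

function guardedEmail(email, validator) {
  if (typeof email !== 'string') {
    return new Error('Email must be a string');
  }
  // Reject oversized input before any regex sees it; this caps the work a
  // backtracking regex can do regardless of its pattern.
  if (email.length > MAX_EMAIL_LENGTH) {
    return new Error(`Email exceeds ${MAX_EMAIL_LENGTH} characters`);
  }
  const at = email.indexOf('@');
  if (at < 1 || at !== email.lastIndexOf('@') || at === email.length - 1) {
    return new Error('Email must contain exactly one @ with text on both sides');
  }
  if (at > MAX_LOCAL_PART_LENGTH) {
    return new Error(`Local part exceeds ${MAX_LOCAL_PART_LENGTH} characters`);
  }
  // Only now delegate to the library's regex-based check.
  return validator.email(email);
}

// Constructed stand-in for the library so the example runs offline; it counts
// invocations so callers can confirm oversized input never reached it.
function makeCountingValidator() {
  let calls = 0;
  return {
    email(value) {
      calls += 1;
      return /^[^@\s]+@[^@\s]+\.[^@\s]+$/.test(value) ? null : new Error('Invalid email');
    },
    get calls() { return calls; },
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  const v = makeCountingValidator();
  console.log(guardedEmail('alice@example.com', v));            // null
  console.log(guardedEmail('a'.repeat(5000), v).message);       // length error
  console.log(v.calls);                                          // 1
}
```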
Advisory published: Oct 16th, 2020
Reported by Yeting Li: Oct 16th, 2020