Severity: low

Regular Expression Denial of Service



npm-user-validate before version 1.0.1 is vulnerable to a Regular Expression Denial of Service (ReDoS). The regular expression that validates user emails takes exponentially longer to process long input strings that begin with @ characters.


The issue affects the email function. If you use this function to process arbitrary user input with no character limit, the application may be susceptible to Denial of Service.


The issue is patched in version 1.0.1 by improving the regular expression and by enforcing a 254-character limit on the input.


Restrict the character length to a reasonable degree before passing a value to .email(). Also consider doing more rigorous sanitizing/validation beforehand.
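The length guard described above, as an added example that is not code from npm-user-validate: the caller bounds the input (254 characters, the same limit the 1.0.1 patch enforces) before any regex-based validator runs. The validator is injected; the assumed contract (return null on success, an Error on failure) and the stand-in validator are constructed for this example, not the package's documented API.

```javascript
// Same limit the 1.0.1 patch enforces (also the RFC 5321 maximum path length).
const MAX_EMAIL_LENGTH = 254;

// Guard that runs before a regex-based validator such as .email().
// `validator` is assumed to return null on success or an Error on failure.
function guardedEmail(value, validator, maxLength = MAX_EMAIL_LENGTH) {
  if (typeof value !== 'string') {
    return { ok: false, reason: 'not a string' };
  }
  if (value.length === 0) {
    return { ok: false, reason: 'empty' };
  }
  // Reject oversized input before the validator is ever called: this is
  // the check that keeps a backtracking-prone pattern from seeing long
  // attacker-controlled strings.
  if (value.length > maxLength) {
    return { ok: false, reason: `longer than ${maxLength} characters` };
  }
  const err = validator(value);
  return err ? { ok: false, reason: err.message } : { ok: true, reason: null };
}

// Constructed stand-in validator so the example runs offline. It uses
// index lookups rather than a regex, so its cost is linear in the input.
function simpleEmailValidator(em) {
  const at = em.indexOf('@');
  if (at < 1 || at !== em.lastIndexOf('@')) {
    return new Error('Email must contain exactly one @ with a local part');
  }
  const domain = em.slice(at + 1);
  const dot = domain.indexOf('.');
  if (dot < 1 || dot === domain.length - 1) {
    return new Error('Email domain must contain a dot between labels');
  }
  return null;
}

module.exports = { MAX_EMAIL_LENGTH, guardedEmail, simpleEmailValidator };
```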


Upgrade to version 1.0.1 or later.


Advisory timeline

  1. Advisory Published
     Oct 16th, 2020
  2. Reported by Yeting Li
     Oct 16th, 2020