VDB
KO
LOW

GHSA-xgh6-85xh-479p

Regular Expression Denial of Service in npm-user-validate

Details

`npm-user-validate` before version `1.0.1` is vulnerable to a Regular Expression Denial of Service (REDos). The regex that validates user emails took exponentially longer to process long input strings beginning with `@` characters.

### Impact The issue affects the `email` function. If you use this function to process arbitrary user input with no character limit the application may be susceptible to Denial of Service.

### Patches The issue is patched in version 1.0.1 by improving the regular expression used and also enforcing a 254 character limit.

### Workarounds Restrict the character length to a reasonable degree before passing a value to `.emal()`; Also, consider doing a more rigorous sanitizing/validation beforehand.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / npm-user-validate
Introduced in: 0 Fixed in: 1.0.1
Fix npm install npm-user-validate@1.0.1

References