Improper Input Validation Affecting personnummer package, versions <3.0.1


Severity

Recommended
0.0
medium
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Improper Input Validation vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-RUST-PERSONNUMMER-3030039
  • published22 Sept 2022
  • disclosed21 Sept 2022
  • creditNiklas Sköldmark

Introduced: 21 Sep 2022

CVE NOT AVAILABLE CWE-20  (opens in a new tab)

How to fix?

Upgrade personnummer to version 3.0.1 or higher.

Overview

Affected versions of this package are vulnerable to Improper Input Validation via the regular expression allowing the first three digits in the last four digits of the personnummer to be 000, which is invalid. It is exploitable when the user relies on the four last digits of the personnummer to be a _real_ personnummer.

Workarounds

If upgrading to the fixed version is not possible, a check on the last four digits can be made to make sure it's not 000x.

CVSS Scores

version 3.1