CVE-2022-35923 - OpenCVE

v8n is a javascript validation library. Versions of v8n prior to 1.5.1 were found to have an inefficient regular expression complexity in the `lowercase()` and `uppercase()` regex which could lead to a denial of service attack. In testing of the `lowercase()` function a payload of 'a' + 'a'.repeat(i) + 'A' with 32 leading characters took 29443 ms to execute. The same issue happens with uppercase(). Users are advised to upgrade. There are no known workarounds for this issue.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
V8n Project	V8n

Configuration 1 [-]

cpe:2.3:a:v8n_project:v8n:*:*:*:*:*:node.js:*:*

No data.

References

Link	Providers
https://github.com/imbrn/v8n/commit/92393862156fad190c05ec3f6e2bc73308dcd2f9
https://github.com/imbrn/v8n/security/advisories/GHSA-xrx9-gj26-5wx9
https://huntr.dev/bounties/2d92f644-593b-43b4-bfd1-c8042ac60609/

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2022-08-02T20:10:11

Updated: 2024-08-03T09:51:58.523Z

Reserved: 2022-07-15T00:00:00

Link: CVE-2022-35923

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-08-02T20:15:09.947

Modified: 2023-07-21T20:49:08.377

Link: CVE-2022-35923

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "v8n", "vendor": "imbrn", "versions": [{"status": "affected", "version": "< 1.5.1"}]}], "descriptions": [{"lang": "en", "value": "v8n is a javascript validation library. Versions of v8n prior to 1.5.1 were found to have an inefficient regular expression complexity in the `lowercase()` and `uppercase()` regex which could lead to a denial of service attack. In testing of the `lowercase()` function a payload of 'a' + 'a'.repeat(i) + 'A' with 32 leading characters took 29443 ms to execute. The same issue happens with uppercase(). Users are advised to upgrade. There are no known workarounds for this issue."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "description": "CWE-400: Uncontrolled Resource Consumption", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-08-02T20:10:11", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/imbrn/v8n/security/advisories/GHSA-xrx9-gj26-5wx9"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/imbrn/v8n/commit/92393862156fad190c05ec3f6e2bc73308dcd2f9"}, {"tags": ["x_refsource_MISC"], "url": "https://huntr.dev/bounties/2d92f644-593b-43b4-bfd1-c8042ac60609/"}], "source": {"advisory": "GHSA-xrx9-gj26-5wx9", "discovery": "UNKNOWN"}, "title": "Inefficient Regular Expression Complexity in v8n", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2022-35923", "STATE": "PUBLIC", "TITLE": "Inefficient Regular Expression Complexity in v8n"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "v8n", "version": {"version_data": [{"version_value": "< 1.5.1"}]}}]}, "vendor_name": "imbrn"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "v8n is a javascript validation library. Versions of v8n prior to 1.5.1 were found to have an inefficient regular expression complexity in the `lowercase()` and `uppercase()` regex which could lead to a denial of service attack. In testing of the `lowercase()` function a payload of 'a' + 'a'.repeat(i) + 'A' with 32 leading characters took 29443 ms to execute. The same issue happens with uppercase(). Users are advised to upgrade. There are no known workarounds for this issue."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-400: Uncontrolled Resource Consumption"}]}]}, "references": {"reference_data": [{"name": "https://github.com/imbrn/v8n/security/advisories/GHSA-xrx9-gj26-5wx9", "refsource": "CONFIRM", "url": "https://github.com/imbrn/v8n/security/advisories/GHSA-xrx9-gj26-5wx9"}, {"name": "https://github.com/imbrn/v8n/commit/92393862156fad190c05ec3f6e2bc73308dcd2f9", "refsource": "MISC", "url": "https://github.com/imbrn/v8n/commit/92393862156fad190c05ec3f6e2bc73308dcd2f9"}, {"name": "https://huntr.dev/bounties/2d92f644-593b-43b4-bfd1-c8042ac60609/", "refsource": "MISC", "url": "https://huntr.dev/bounties/2d92f644-593b-43b4-bfd1-c8042ac60609/"}]}, "source": {"advisory": "GHSA-xrx9-gj26-5wx9", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T09:51:58.523Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/imbrn/v8n/security/advisories/GHSA-xrx9-gj26-5wx9"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/imbrn/v8n/commit/92393862156fad190c05ec3f6e2bc73308dcd2f9"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://huntr.dev/bounties/2d92f644-593b-43b4-bfd1-c8042ac60609/"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2022-35923", "datePublished": "2022-08-02T20:10:11", "dateReserved": "2022-07-15T00:00:00", "dateUpdated": "2024-08-03T09:51:58.523Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:v8n_project:v8n:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "756E657C-AD87-49ED-B83B-5BD406633992", "versionEndExcluding": "1.5.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "v8n is a javascript validation library. Versions of v8n prior to 1.5.1 were found to have an inefficient regular expression complexity in the `lowercase()` and `uppercase()` regex which could lead to a denial of service attack. In testing of the `lowercase()` function a payload of 'a' + 'a'.repeat(i) + 'A' with 32 leading characters took 29443 ms to execute. The same issue happens with uppercase(). Users are advised to upgrade. There are no known workarounds for this issue."}, {"lang": "es", "value": "v8n es una biblioteca de comprobaci\u00f3n de javascript. Las versiones de v8n anteriores a 1.5.1, presentaban una complejidad de expresi\u00f3n regular ineficiente en las expresiones regulares \"lowercase()\" y \"uppercase()\" que pod\u00eda conllevar a un ataque de denegaci\u00f3n de servicio. En las pruebas de la funci\u00f3n \"lowercase()\" una carga \u00fatil de \"a\" + \"a\".repeat(i) + \"A\" con 32 caracteres iniciales tardaba 29443 ms en ejecutarse. El mismo problema ocurre con uppercase(). Es recomendado a usuarios actualizar. No se presentan mitigaciones conocidas para este problema"}], "id": "CVE-2022-35923", "lastModified": "2023-07-21T20:49:08.377", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2022-08-02T20:15:09.947", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/imbrn/v8n/commit/92393862156fad190c05ec3f6e2bc73308dcd2f9"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/imbrn/v8n/security/advisories/GHSA-xrx9-gj26-5wx9"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://huntr.dev/bounties/2d92f644-593b-43b4-bfd1-c8042ac60609/"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1333"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-400"}], "source": "security-advisories@github.com", "type": "Secondary"}]}