CVE-2022-35923

02.08.2022, 20:15

v8n is a javascript validation library. Versions of v8n prior to 1.5.1 were found to have an inefficient regular expression complexity in the `lowercase()` and `uppercase()` regex which could lead to a denial of service attack. In testing of the `lowercase()` function a payload of 'a' + 'a'.repeat(i) + 'A' with 32 leading characters took 29443 ms to execute. The same issue happens with uppercase(). Users are advised to upgrade. There are no known workarounds for this issue.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
GitHub_M	CNA	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE	ADP	---				---
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 62%

Vendor	Product	Version
v8n_project	v8n	𝑥 < 1.5.1

𝑥

= Vulnerable software versions

Known Exploits!

Common Weakness Enumeration

References

https://github.com/imbrn/v8n/commit/92393862156fad190c05ec3f6e2bc73308dcd2f9

https://github.com/imbrn/v8n/security/advisories/GHSA-xrx9-gj26-5wx9

https://huntr.dev/bounties/2d92f644-593b-43b4-bfd1-c8042ac60609/

https://github.com/imbrn/v8n/commit/92393862156fad190c05ec3f6e2bc73308dcd2f9

https://github.com/imbrn/v8n/security/advisories/GHSA-xrx9-gj26-5wx9

https://huntr.dev/bounties/2d92f644-593b-43b4-bfd1-c8042ac60609/