Vulnerability Description
v8n is a javascript validation library. Versions of v8n prior to 1.5.1 were found to have an inefficient regular expression complexity in the `lowercase()` and `uppercase()` regex which could lead to a denial of service attack. In testing of the `lowercase()` function a payload of 'a' + 'a'.repeat(i) + 'A' with 32 leading characters took 29443 ms to execute. The same issue happens with uppercase(). Users are advised to upgrade. There are no known workarounds for this issue.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| V8N Project | V8N | < 1.5.1 |
Related Weaknesses (CWE)
References
- https://github.com/imbrn/v8n/commit/92393862156fad190c05ec3f6e2bc73308dcd2f9PatchThird Party Advisory
- https://github.com/imbrn/v8n/security/advisories/GHSA-xrx9-gj26-5wx9Third Party Advisory
- https://huntr.dev/bounties/2d92f644-593b-43b4-bfd1-c8042ac60609/ExploitThird Party Advisory
- https://github.com/imbrn/v8n/commit/92393862156fad190c05ec3f6e2bc73308dcd2f9PatchThird Party Advisory
- https://github.com/imbrn/v8n/security/advisories/GHSA-xrx9-gj26-5wx9Third Party Advisory
- https://huntr.dev/bounties/2d92f644-593b-43b4-bfd1-c8042ac60609/ExploitThird Party Advisory
FAQ
What is CVE-2022-35923?
CVE-2022-35923 is a vulnerability with a CVSS score of 7.5 (HIGH). v8n is a javascript validation library. Versions of v8n prior to 1.5.1 were found to have an inefficient regular expression complexity in the `lowercase()` and `uppercase()` regex which could lead to ...
How severe is CVE-2022-35923?
CVE-2022-35923 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-35923?
Check the references section above for vendor advisories and patch information. Affected products include: V8N Project V8N.