CVE-2018-1107
nodejs-is-my-json-valid: ReDoS when validating JSON fields with email format
Severity Score
5.3
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
1
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
It was discovered that the is-my-json-valid JavaScript library used an inefficient regular expression to validate JSON fields defined to have email format. A specially crafted JSON file could cause it to consume an excessive amount of CPU time when validated.
Se detectó que la biblioteca de JavaScript is-my-json-valid usaba una expresión regular ineficiente para comprobar los campos JSON definidos para tener formato de correo electrónico. Un archivo JSON especialmente diseñado podría hacer que consuma una cantidad excesiva de tiempo de CPU cuando se comprueba.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2017-12-04 CVE Reserved
- 2021-03-30 CVE Published
- 2023-12-13 EPSS Updated
- 2024-08-05 CVE Updated
- 2024-08-05 First Exploit
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-400: Uncontrolled Resource Consumption
CAPEC
References (3)
| URL | Tag | Source |
|---|
| URL | Date | SRC |
|---|---|---|
| https://snyk.io/vuln/npm:is-my-json-valid:20180214 | 2024-08-05 |
| URL | Date | SRC |
|---|---|---|
| https://bugzilla.redhat.com/show_bug.cgi?id=1546357 | 2021-04-02 |
| URL | Date | SRC |
|---|---|---|
| https://access.redhat.com/security/cve/CVE-2018-1107 | 2021-10-19 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Is-my-json-valid Project Search vendor "Is-my-json-valid Project" | Is-my-json-valid Search vendor "Is-my-json-valid Project" for product "Is-my-json-valid" | < 1.4.1 Search vendor "Is-my-json-valid Project" for product "Is-my-json-valid" and version " < 1.4.1" | node.js |
Affected
| ||||||
| Is-my-json-valid Project Search vendor "Is-my-json-valid Project" | Is-my-json-valid Search vendor "Is-my-json-valid Project" for product "Is-my-json-valid" | >= 2.0.0 < 2.17.2 Search vendor "Is-my-json-valid Project" for product "Is-my-json-valid" and version " >= 2.0.0 < 2.17.2" | node.js |
Affected
| ||||||