8.7

CVSS Score

4.0

-

CVSS Score

Basic Information

CVE ID

CVE-2020-26308

GHSA ID

GHSA-rv73-9c8w-jp4c

EPSS Score

0.53915%

CWE

CWE-1333

Published

10/26/2024

Updated

10/28/2024

KEV Status

Technology

JavaScript

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2020-26308

CVE-2020-26308: validate.js Regular Expression Denial of Service vulnerability

Validate.js provides a declarative way of validating javascript objects. Versions 0.13.1 and prior contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS). As of time of publication, no known patches are available.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2020-26308

CVE-2020-26308:

8.7

CVSS Score

4.0

-

CVSS Score

Basic Information

CVE ID

CVE-2020-26308

GHSA ID

GHSA-rv73-9c8w-jp4c

EPSS Score

0.53915%

CWE

CWE-1333

Published

10/26/2024

Updated

10/28/2024

KEV Status

Technology

JavaScript

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Green

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
validate.js	npm	<= 0.13.1

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The GHSL-2020-302 advisory explicitly identifies the email validation regex as vulnerable through a PoC demonstrating ReDoS.
The CVE description confirms the presence of ReDoS-vulnerable regex patterns.
While no exact function names are provided, email validation is a core feature of validation libraries, and the provided PoC directly targets email validation logic.
The archived GitHub issue (#342) and lack of patches corroborate the presence of unresolved regex issues in the email validator.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

8.7

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2020-26308: validate.js Regular Expression Denial of Service vulnerability

CVE-2020-26308:

8.7

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

8.7

8.7

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

CVE-2020-26308: validate.js Regular Expression Denial of Service vulnerability

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI