CVE-2020-7761:
Regular expression denial of service in @absolunet/kafe
5.3
CVSS ScoreBasic Information
CVE ID
GHSA ID
EPSS Score
-
CWE
Published
5/10/2021
Updated
2/1/2023
KEV Status
No
Technology
JavaScript
JavaScriptTechnical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| @absolunet/kafe | npm | < 3.2.10 | 3.2.10 |
Vulnerability Intelligence
Miggo AI
Miggo AIRoot Cause Analysis
The vulnerability stems from the email validation regex in validate.isEmail. The patch explicitly replaces this regex with a more secure implementation. This is the only function modified in the security fix commit, and it directly processes user input (email strings). During exploitation, this function would appear in profiler data as it would be stuck processing malicious input through the vulnerable regex.