
CVE-2021-23388: Regular expression denial of service in forms

CVSS Score: 5.3 (CVSS v3.1)

Basic Information

EPSS Score: 0.58177%
Published: 6/7/2021
Updated: 2/1/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Package Name: forms
Ecosystem: npm
Vulnerable Versions: < 1.3.2
First Patched Version: 1.3.2

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability is specifically in the email validation logic, as indicated by the CVE-2021-23388 description and by GitHub PR #214, which replaced the regex-based validator. The commit diff shows that the vulnerable regex was removed from exports.email in validators.js and replaced with a library call. The original regex pattern was complex and susceptible to ReDoS through catastrophic backtracking, as the Snyk advisory explaining those backtracking scenarios confirms.
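As an added example that is not code from the forms package or its fix, the following Node.js snippet shows the backtracking shape behind this class of bug using a constructed email regex (not the pattern that shipped in forms < 1.3.2), a timing probe a reviewer can run to surface super-linear matching cost, and a hand-written linear-time validator of the kind a replacement should provide; the function names and the pattern are assumptions.

```javascript
// Added illustration, not code from the forms package: a CONSTRUCTED email regex with
// the nested-quantifier shape behind catastrophic backtracking, a timing probe that
// surfaces the super-linear growth, and a hardened validator whose cost stays linear.

// Constructed for illustration; NOT the regex that shipped in forms < 1.3.2.
// "(x+)+" lets the engine try every way to split a run of letters before it fails.
const VULNERABLE_EMAIL_RE = /^(([a-z0-9]+)+)@([a-z0-9]+\.)+[a-z]{2,}$/;

// Time matcher.test() on inputs of growing length that are built to fail at the end.
// Returns milliseconds per size; a catastrophic pattern roughly doubles per extra char.
function probeBacktracking(matcher, makeInput, sizes) {
  return sizes.map((n) => {
    const input = makeInput(n);
    const start = process.hrtime.bigint();
    matcher.test(input);
    return Number(process.hrtime.bigint() - start) / 1e6;
  });
}

// Hardened replacement: bounded lengths, exactly one '@', and only single-level
// character-class repeats, so every input is checked in time linear in its length.
function isPlausibleEmail(value) {
  if (typeof value !== 'string' || value.length === 0 || value.length > 254) return false;
  const at = value.indexOf('@');
  if (at < 1 || at !== value.lastIndexOf('@')) return false;
  const local = value.slice(0, at);
  const domain = value.slice(at + 1);
  if (local.length > 64 || !/^[a-z0-9._%+-]+$/i.test(local)) return false;
  const labels = domain.split('.');
  if (labels.length < 2) return false;
  return labels.every(
    (label) => /^[a-z0-9-]{1,63}$/i.test(label) && !label.startsWith('-') && !label.endsWith('-'),
  );
}

// Almost-valid local part with a trailing '!' forces the blow-up; keep sizes small,
// each extra character roughly doubles the vulnerable regex's running time.
const evilInput = (n) => 'a'.repeat(n) + '!';

function demo() {
  const sizes = [12, 14, 16, 18, 20];
  console.log('vulnerable regex, ms per size:', probeBacktracking(VULNERABLE_EMAIL_RE, evilInput, sizes));
  console.log('hardened validator, ms per size:', probeBacktracking({ test: isPlausibleEmail }, evilInput, sizes));
  console.log('normal address accepted:', isPlausibleEmail('user.name+tag@example.co.uk'));
}
demo();
```

The probe is the check to run on any regex-based validator before it ships: a time series that roughly doubles per added character is the signature of catastrophic backtracking, while the hardened validator's series stays flat.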


WAF Protection Rules

WAF Rule

The package forms before 1.3.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via email validation.
