CVE-2021-43805: ReDos vulnerability on guest checkout email validation
CVSS Score: 7.5 (CVSS 3.1)
Basic Information
CVE ID: CVE-2021-43805
GHSA ID:
EPSS Score: 0.31625%
CWE: CWE-1333
Published: 12/7/2021
Updated: 5/4/2023
KEV Status: No
Technology: Ruby
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| solidus_core | rubygems | < 2.11.13 | 2.11.13 |
| solidus_core | rubygems | >= 3.0.0, < 3.0.4 | 3.0.4 |
| solidus_core | rubygems | >= 3.1.0, < 3.1.4 | 3.1.4 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems directly from the EMAIL_REGEXP constant in Spree::EmailValidator, which used an inefficient regex pattern. The commit diff shows this regex was replaced with the Ruby standard library's URI::MailTo::EMAIL_REGEXP to mitigate the ReDoS. The reproduction example demonstrates how the original regex caused exponential backtracking on crafted input, and the CWE-1333 classification confirms it is an inefficient-regex issue. No other functions are implicated in the vulnerability description or patches.
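The shape of the fix, as an added example that is not solidus_core's code: a validator that delegates to the stdlib URI::MailTo::EMAIL_REGEXP the patch switched to, plus a length cap and a wall-clock regression check a defender can run against any email pattern. The SafeEmailValidator module, the 254-character cap and the PROBE input are assumptions constructed for this example.

```ruby
require "uri"
require "timeout"

# Validator in the spirit of the Solidus fix: match with the stdlib
# URI::MailTo::EMAIL_REGEXP (anchored with \A ... \z) and refuse over-long
# input before the regex engine ever sees it, so the work any single match
# can do is bounded. This module and its 254-character cap are assumptions
# for this example, not code from solidus_core.
module SafeEmailValidator
  MAX_LENGTH = 254 # practical upper bound for a full address (RFC 5321)
  EMAIL_REGEXP = URI::MailTo::EMAIL_REGEXP

  def self.valid?(value)
    return false unless value.is_a?(String)
    return false if value.length > MAX_LENGTH
    EMAIL_REGEXP.match?(value)
  end
end

# Regression check for CWE-1333: run a regexp against an input under a wall
# clock limit and report [matched, seconds, timed_out]. A pattern that trips
# the limit on a short input is a candidate for catastrophic backtracking.
def match_within(regexp, input, limit: 1.0)
  matched = nil
  timed_out = false
  started = Process.clock_gettime(Process::CLOCK_MONOTONIC)
  begin
    Timeout.timeout(limit) { matched = regexp.match?(input) }
  rescue Timeout::Error
    timed_out = true
  end
  seconds = Process.clock_gettime(Process::CLOCK_MONOTONIC) - started
  [matched, seconds, timed_out]
end

# Constructed probe input: long runs of otherwise valid characters ending in
# one no email grammar accepts, so the match can only fail after the engine
# has explored every way of splitting them. The stdlib regexp rejects it fast.
PROBE = "#{"a" * 40}@#{"b." * 20}!"

if __FILE__ == $PROGRAM_NAME
  puts SafeEmailValidator.valid?("user@example.com") # => true
  puts SafeEmailValidator.valid?(PROBE)              # => false
  p match_within(SafeEmailValidator::EMAIL_REGEXP, PROBE)
end
```

Point `match_within` at the pre-patch pattern from a vulnerable release with the same probe to confirm the regression in a test suite, and at the patched validator to confirm it stays well under the limit.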