
CVE-2022-1929: Regular expression denial of service in devcert

CVSS Score
7.5 (CVSS 3.1)

Basic Information

EPSS Score
0.42639%
Published
6/3/2022
Updated
11/29/2023
KEV Status
No
Technology
JavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Package Name
devcert
Ecosystem
npm
Vulnerable Versions
< 1.2.1
First Patched Version
1.2.1

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability stemmed from the VALID_DOMAIN regex pattern used for domain validation. The commit diff shows: 1) removal of VALID_DOMAIN from constants.ts; 2) replacement of VALID_DOMAIN.test() with isValidDomain in the certificateFor function. The CWE-1333 classification confirms this was an inefficient-regex issue. The certificateFor function was the entry point at which attacker-controlled input was validated with this vulnerable regex, making it the clearly vulnerable function. The high confidence comes from direct evidence of the regex replacement in the patch and from the CVE's explicit mention of certificateFor as the attack vector.

Vulnerable functions

Only Miggo users can see this section

WAF Protection Rules

WAF Rule

An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the devcert npm package, when an attacker is able to supply arbitrary input to the certificateFor method
