
CVE-2023-39619: Inefficient Regular Expression Complexity in node-email-check

CVSS Score (v3.1): 7.5

Basic Information

EPSS Score: 0.38636%
Published: 10/25/2023
Updated: 11/8/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name        Ecosystem   Vulnerable Versions   First Patched Version
node-email-check    npm         <= 1.0.4              (none listed)

Vulnerability Intelligence

Miggo AI Root Cause Analysis

  1. The vulnerability documentation explicitly names the scpSyntax component as the attack vector.
  2. The PoC provided in the Gist demonstrates the attack through isValidSync.
  3. The npm documentation shows that isValidSync performs synchronous validation without MX checks, so the input goes directly to the regex.
  4. GitHub issue #2 confirms that the regex vulnerability manifests in this function.
  5. The async isValid() might also be vulnerable, but the sync version is the one explicitly demonstrated and is more likely to be used in contexts where a ReDoS would be impactful.


WAF Protection Rules

WAF Rule

ReDoS in NPMJS Node email check v.1.0.4 allows an attacker to cause a denial of service via a crafted string to the scpSyntax component.
