CVE-2021-23335
📋 TL;DR
CVE-2021-23335 is an LDAP injection vulnerability in the is-user-valid npm package that allows attackers to manipulate LDAP queries. This can lead to authentication bypass or unauthorized access to sensitive LDAP directory information. Any application using vulnerable versions of this package for user validation is affected.
💻 Affected Systems
- is-user-valid npm package
📦 What is this software?
Is User Valid by Is User Valid Project
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete authentication bypass allowing attackers to log in as any user, plus extraction of all LDAP directory data including passwords and sensitive attributes.
Likely Case
Authentication bypass for specific user accounts and limited information disclosure from LDAP directory.
If Mitigated
No impact if proper input validation and LDAP query sanitization are implemented separately.
🎯 Exploit Status
LDAP injection is well-understood and easy to exploit. Public proof-of-concept exists showing authentication bypass.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Update to latest version (check npm registry)
Vendor Advisory: https://snyk.io/vuln/SNYK-JS-ISUSERVALID-1056766
Restart Required: Yes
Instructions:
1. Run 'npm update is-user-valid' or update package.json to the latest version.
2. Restart your Node.js application.
3. Test authentication functionality.
🔧 Temporary Workarounds
Input Validation Wrapper
Implement strict input validation before passing parameters to is-user-valid
// JavaScript example: reject any username that is not purely alphanumeric (allow-list check)
if (!/^[a-zA-Z0-9]+$/.test(username)) { throw new Error('Invalid username'); }
LDAP Query Sanitization
Escape special LDAP filter characters before passing values to is-user-valid
// JavaScript example: escape LDAP filter metacharacters using the RFC 4515 \XX hex form
function escapeLDAP(input) {
  // \ * ( ) and NUL become \5c \2a \28 \29 \00 so they are read as literal bytes, not filter syntax
  return input.replace(/[\\*()\u0000]/g, c => '\\' + c.charCodeAt(0).toString(16).padStart(2, '0'));
}
🧯 If You Can't Patch
- Implement application-level input validation to reject malicious characters
- Use a web application firewall (WAF) with LDAP injection rules
🔍 How to Verify
Check if Vulnerable:
Check package.json or run 'npm list is-user-valid' to see installed version. Compare with latest version on npm registry.
Check Version:
npm list is-user-valid
Verify Fix Applied:
After update, verify with 'npm list is-user-valid' showing latest version. Test authentication with special characters in username.
📡 Detection & Monitoring
Log Indicators:
- Failed authentication attempts with special characters in username field
- Unusual LDAP query patterns in application logs
Network Indicators:
- Multiple authentication attempts with varying special characters
- Unusually large LDAP responses
SIEM Query:
source="app_logs" AND action="authenticate" AND username MATCHES "[\\*()\\\\]"
Note: in most SIEM search languages a bare '*' is a wildcard, so a clause such as username="*" matches every event rather than usernames containing an asterisk. Match the LDAP filter metacharacters ('*', '(', ')', '\') with a regular expression in your SIEM's own syntax; the line above is pseudo-syntax.