CVE-2021-32838
📋 TL;DR
Flask-RESTX versions before 0.5.1 ship a vulnerable regular expression in `flask_restx/inputs.py`, the pattern behind the `inputs.email` validator, that is susceptible to Regular Expression Denial of Service (ReDoS). An attacker who can submit a crafted string to any endpoint that validates an argument or model field with `inputs.email` can make the worker burn excessive CPU on a single request; a handful of such requests in parallel can leave the whole application unresponsive. Only applications that actually pass input through the email validator are exposed.
💻 Affected Systems
- Flask-RESTX
📦 What is this software?
Fedora by Fedoraproject
Flask Restx by Flask Restx Project
⚠️ Risk & Real-World Impact
Worst Case
Complete service unavailability: each crafted request pins a worker in CPU-bound regex matching, so a small number of concurrent requests can exhaust every worker and stall all endpoints, including those that never touch email validation, along with any downstream services that depend on the API.
Likely Case
Degraded response times or intermittent unavailability of the affected endpoints while crafted requests are being sent; the service recovers once they stop.
If Mitigated
Limited impact where email inputs are length-capped before validation, the affected endpoints are rate limited, and slow requests are alerted on.
🎯 Exploit Status
Exploitation requires sending specially crafted email strings to endpoints that validate with `inputs.email`; no privilege is needed beyond whatever access the endpoint itself requires, and one request is enough to tie up one worker. The vulnerable regex is public in the project's source (see the inputs.py reference below), so crafting inputs takes no reverse engineering.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.5.1
Vendor Advisory: https://github.com/advisories/GHSA-3q6g-vf58-7m4g
Restart Required: Yes
Instructions:
1. Update Flask-RESTX: pip install --upgrade "flask-restx>=0.5.1" (quote the specifier, otherwise the shell treats ">" as a redirection)
2. Restart your Flask application
3. Verify the update with: pip show flask-restx
🔧 Temporary Workarounds
Disable email validation (applies to all affected versions)
Stop passing `inputs.email` as the `type=` of request-parser arguments and remove it from model fields in your application code
Accept the address as a plain string, and validate it elsewhere or not at all, until you can upgrade
Implement custom email validation (applies to all affected versions)
Replace the vulnerable regex with a validator that runs in linear time on its input
Use a simpler, backtracking-free pattern or a dedicated validation library, and cap the input length before validating
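The second workaround, a linear-time replacement for `inputs.email`, as an added example that is not Flask-RESTX project code. It follows the calling convention Flask-RESTX uses for input types (a callable that returns the value or raises `ValueError`, optionally carrying a `__schema__` for the Swagger docs), so it can be handed to `add_argument(type=...)`; nothing here imports Flask-RESTX, so it runs stand-alone. The length limits are the RFC 5321 maxima; the deliberate simplifications (no quoted local parts, no IP-literal domains) are this example's design choice, not a rule from the page.

```python
"""Drop-in, backtracking-free replacement for flask_restx.inputs.email.

Added example, not Flask-RESTX code. Every check is a length comparison or a
character-set membership test, so the cost is O(len(value)) and bounded by the
254-character cap regardless of what the attacker sends.
"""
import string

MAX_EMAIL_LENGTH = 254   # RFC 5321 practical maximum for a full address
MAX_LOCAL_LENGTH = 64    # RFC 5321 limit for the local part
MAX_DOMAIN_LENGTH = 253
MAX_LABEL_LENGTH = 63

# RFC 5322 "atext" for the local part; the dot separator is handled by split().
_LOCAL_CHARS = frozenset(string.ascii_letters + string.digits + "!#$%&'*+/=?^_`{|}~-")
_LABEL_CHARS = frozenset(string.ascii_letters + string.digits + "-")


def _valid_local(local):
    if not 1 <= len(local) <= MAX_LOCAL_LENGTH:
        return False
    # An empty atom means a leading, trailing or doubled dot.
    return all(atom and set(atom) <= _LOCAL_CHARS for atom in local.split("."))


def _valid_domain(domain):
    if not 1 <= len(domain) <= MAX_DOMAIN_LENGTH:
        return False
    labels = domain.split(".")
    if len(labels) < 2:                      # require at least host.tld
        return False
    for label in labels:
        if not 1 <= len(label) <= MAX_LABEL_LENGTH:
            return False
        if label[0] == "-" or label[-1] == "-":
            return False
        if not set(label) <= _LABEL_CHARS:
            return False
    tld = labels[-1]
    # Alphabetic TLD of two or more characters; this also rejects IP literals.
    return len(tld) >= 2 and tld.isalpha()


class safe_email:
    """Callable input type: returns the address or raises ValueError."""

    # Same schema hint Flask-RESTX input types expose for the generated docs.
    __schema__ = {"type": "string", "format": "email"}

    def __init__(self, max_length=MAX_EMAIL_LENGTH):
        self.max_length = max_length

    def __call__(self, value):
        if not isinstance(value, str):
            raise ValueError("email must be a string")
        # Reject oversized input before inspecting a single character.
        if len(value) > self.max_length:
            raise ValueError("email exceeds %d characters" % self.max_length)
        # rpartition keeps any extra '@' inside the local part, where the
        # character-set test rejects it.
        local, sep, domain = value.rpartition("@")
        if not sep or not _valid_local(local) or not _valid_domain(domain):
            raise ValueError("%r is not a valid email address" % value)
        return value


def is_valid_email(value):
    """Boolean convenience wrapper around safe_email()."""
    try:
        safe_email()(value)
    except ValueError:
        return False
    return True


# Wiring it into a Flask-RESTX request parser (needs flask-restx installed):
#     from flask_restx import reqparse
#     parser = reqparse.RequestParser()
#     parser.add_argument("email", type=safe_email(), required=True, location="json")
```

Because the length cap runs first, the validator never scans more than 254 characters, which is the property the vulnerable regex lacked. If you need RFC-complete parsing (quoted local parts, IP literals, internationalised addresses), use a maintained library rather than extending this pattern.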
🧯 If You Can't Patch
- Implement strict rate limiting on endpoints that validate email input, so one client cannot occupy many workers at once
- Cap the length of email fields at the edge (reverse proxy or WAF); a legitimate address never exceeds 254 characters, and the regex cannot run long on a short string
- Deploy WAF rules to block malformed or repetitive patterns in email inputs
🔍 How to Verify
Check if Vulnerable:
Run pip show flask-restx and compare: anything below 0.5.1 is vulnerable if the application uses the email validator. Locate those call sites with grep -rn "inputs.email" in your source tree.
Check Version:
pip show flask-restx | grep Version
Verify Fix Applied:
Confirm the installed version is 0.5.1 or higher, then, in a test environment, submit a long malformed email value to an affected endpoint and confirm it is rejected promptly instead of tying up the worker.
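The version check, written as an added example rather than taken from the page, for running inside the application's virtualenv where `pip` may not be on the path. It compares numeric tuples instead of strings, since a string comparison would rank 0.10.0 below 0.5.1.

```python
"""Report whether the installed Flask-RESTX is older than the 0.5.1 fix.

Added example using only the standard library. Pre-release suffixes such as
rc1 are ignored; use packaging.version if you need them handled.
"""
from importlib import metadata

FIXED_VERSION = "0.5.1"


def parse_version(text):
    """'0.5.1' -> (0, 5, 1); a non-numeric tail on a component is dropped."""
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_vulnerable(installed, fixed=FIXED_VERSION):
    """True when the installed version sorts before the fixed version."""
    return parse_version(installed) < parse_version(fixed)


def installed_version():
    """Version string from package metadata, or None if not installed."""
    try:
        return metadata.version("flask-restx")
    except metadata.PackageNotFoundError:
        return None


if __name__ == "__main__":
    current = installed_version()
    if current is None:
        print("flask-restx is not installed in this environment")
    elif is_vulnerable(current):
        print("flask-restx %s is VULNERABLE (fixed in %s)" % (current, FIXED_VERSION))
    else:
        print("flask-restx %s is patched" % current)
```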
📡 Detection & Monitoring
Log Indicators:
- Unusually long processing times for email validation requests
- High CPU usage spikes on application servers
- Repeated 400 responses from one client on endpoints that validate email input, often with inputs of similar shape
Network Indicators:
- Repeated requests with malformed email addresses to validation endpoints
- Unusual traffic patterns to email validation endpoints
SIEM Query (illustrative; adapt the source, field names and duration unit to your own log schema):
source="application_logs" AND (message="email validation" OR message="email_regex") AND duration>5s
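The three indicators above as detection logic over request logs, as an added example that is not from the page or from Flask-RESTX. The log lines are constructed for the example and assume the application or reverse proxy emits one JSON object per request with the fields ts, src, path, status, duration_ms and email_len; rename them to match what you actually log.

```python
"""Flag likely ReDoS probing of an endpoint that validates e-mail input.

Added example with constructed log data; field names are assumptions about
your logging, not a format the page or Flask-RESTX defines.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

VALIDATING_PATHS = {"/api/users"}    # endpoints that pass input through inputs.email
SLOW_MS = 5000                       # mirrors the page's "duration > 5s" rule
LONG_EMAIL = 254                     # longer than RFC 5321 allows is suspect
BURST_COUNT = 5                      # this many rejections from one source ...
BURST_WINDOW = timedelta(minutes=1)  # ... inside this window is a probe, not a typo

# Constructed sample: one source hammering the endpoint with rejected input,
# one source that triggered a 31-second validation, and one normal signup.
SAMPLE_LOGS = """\
{"ts": "2021-09-20T10:00:00Z", "src": "198.51.100.7", "path": "/api/users", "status": 400, "duration_ms": 12, "email_len": 21}
{"ts": "2021-09-20T10:00:02Z", "src": "198.51.100.7", "path": "/api/users", "status": 400, "duration_ms": 14, "email_len": 22}
{"ts": "2021-09-20T10:00:04Z", "src": "198.51.100.7", "path": "/api/users", "status": 400, "duration_ms": 13, "email_len": 23}
{"ts": "2021-09-20T10:00:06Z", "src": "198.51.100.7", "path": "/api/users", "status": 400, "duration_ms": 16, "email_len": 24}
{"ts": "2021-09-20T10:00:08Z", "src": "198.51.100.7", "path": "/api/users", "status": 400, "duration_ms": 15, "email_len": 25}
{"ts": "2021-09-20T10:00:09Z", "src": "192.0.2.44", "path": "/api/users", "status": 201, "duration_ms": 41, "email_len": 19}
{"ts": "2021-09-20T10:00:10Z", "src": "203.0.113.9", "path": "/api/users", "status": 400, "duration_ms": 31000, "email_len": 4096}
{"ts": "2021-09-20T10:05:00Z", "src": "192.0.2.44", "path": "/health", "status": 200, "duration_ms": 2, "email_len": 0}
"""


def parse_logs(text):
    """Yield one dict per non-empty line, with ts as an aware datetime."""
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
        yield event


def slow_validations(events):
    """Requests to a validating endpoint that took longer than SLOW_MS."""
    return [e for e in events
            if e["path"] in VALIDATING_PATHS and e["duration_ms"] > SLOW_MS]


def oversized_inputs(events):
    """Requests carrying an e-mail field longer than any legitimate address."""
    return [e for e in events
            if e["path"] in VALIDATING_PATHS and e["email_len"] > LONG_EMAIL]


def rejection_bursts(events):
    """Sources with at least BURST_COUNT rejected (4xx) validations in BURST_WINDOW."""
    by_src = defaultdict(list)
    for e in events:
        if e["path"] in VALIDATING_PATHS and 400 <= e["status"] < 500:
            by_src[e["src"]].append(e["ts"])
    flagged = set()
    for src, stamps in by_src.items():
        stamps.sort()
        # Sliding window anchored at each rejection in turn.
        for i, start in enumerate(stamps):
            if sum(1 for t in stamps[i:] if t - start <= BURST_WINDOW) >= BURST_COUNT:
                flagged.add(src)
                break
    return sorted(flagged)


def analyse(text):
    """Run all three rules and return the offending sources per rule."""
    events = list(parse_logs(text))
    return {
        "slow": sorted({e["src"] for e in slow_validations(events)}),
        "oversized": sorted({e["src"] for e in oversized_inputs(events)}),
        "burst": rejection_bursts(events),
    }


if __name__ == "__main__":
    for rule, sources in analyse(SAMPLE_LOGS).items():
        print("%s: %s" % (rule, ", ".join(sources) or "-"))
```

The slow-request rule is the one that fires during an actual ReDoS; the oversized-input and burst rules catch probing before a payload lands, and the burst threshold should be tuned against your normal rate of typo-driven 400s.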
🔗 References
- https://github.com/advisories/GHSA-3q6g-vf58-7m4g
- https://github.com/python-restx/flask-restx/blob/fd99fe11a88531f5f3441a278f7020589f9d2cc0/flask_restx/inputs.py#L51
- https://github.com/python-restx/flask-restx/commit/bab31e085f355dd73858fd3715f7ed71849656da
- https://github.com/python-restx/flask-restx/issues/372
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5UCTFVDU3677B5OBGK4EF5NMUPJLL6SQ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QUD6SWZLX52AAZUHDETJ2CDMQGEPGFL3/
- https://pypi.org/project/flask-restx/