CVE-2021-36716

7.5 HIGH

📋 TL;DR

CVE-2021-36716 is a regular expression denial of service (ReDoS) vulnerability in the Segment is-email npm package for Node.js. Attackers can cause excessive CPU consumption by providing specially crafted email input to the isEmail() function. This affects any Node.js application using vulnerable versions of the is-email package.

💻 Affected Systems

Products:
  • Segment is-email npm package
Versions: All versions before 1.0.1
Operating Systems: All operating systems running Node.js
Default Config Vulnerable: ⚠️ Yes
Notes: Any Node.js application that imports and uses the is-email package with vulnerable versions is affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete application unavailability due to CPU exhaustion, potentially causing service disruption and denial of service to legitimate users.

🟠 Likely Case

Degraded application performance, increased response times, and potential service instability when malicious input is processed.

🟢 If Mitigated

Minimal impact with proper input validation, rate limiting, and updated package versions.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires the ability to provide input to the isEmail() function, which is typically exposed through user input fields.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.0.1 and later

Vendor Advisory: https://segment.com/docs/release_notes/2021-07-13-cve-2021-36716/

Restart Required: Yes

Instructions:

1. Update package.json to require is-email version 1.0.1 or later.
2. Run 'npm update is-email' or 'yarn upgrade is-email'.
3. Restart the Node.js application.

🔧 Temporary Workarounds

Input validation and sanitization

Applies to: all

Implement additional input validation to reject suspicious email patterns before passing them to the isEmail() function.

Rate limiting

Applies to: all

Implement rate limiting on endpoints that use the isEmail() function to prevent mass exploitation.

🧯 If You Can't Patch

  • Implement Web Application Firewall (WAF) rules to block suspicious email patterns
  • Monitor CPU usage and set alerts for abnormal spikes in isEmail() function calls
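The input pre-check from the Temporary Workarounds section and the slow-call monitoring from the list above, as an added example that is not code from the advisory or from the is-email project. The validator is injected so the snippet runs without the package; MAX_EMAIL_LENGTH (254, the RFC 5321 path limit), the 50 ms alert threshold and the naiveValidator stand-in are assumptions made here.

```javascript
// Linear-time guard placed in front of an email validator such as
// is-email's isEmail(): cheap structural checks reject oversized or
// malformed input before the regex ever runs, and the wrapper times
// the validator so slow calls can be logged for the SIEM query below.

const MAX_EMAIL_LENGTH = 254; // assumed cap (RFC 5321 forward-path limit)

// Returns null when the input may be passed on, otherwise a rejection reason.
// Every check is a single pass over the string, so no input can make it slow.
function preCheck(input) {
  if (typeof input !== 'string') return 'not a string';
  if (input.length > MAX_EMAIL_LENGTH) return 'too long';
  const at = input.indexOf('@');
  if (at < 1 || at !== input.lastIndexOf('@') || at === input.length - 1) {
    return 'bad @ structure'; // exactly one '@', with text on both sides
  }
  for (const ch of input) {
    const code = ch.charCodeAt(0);
    if (code <= 0x20 || code === 0x7f) return 'whitespace or control char';
  }
  return null;
}

// Wraps a validator (e.g. require('is-email')) with the pre-check and a
// wall-clock measurement. slowMs is the alert threshold (assumed value).
function guardedIsEmail(input, validator, slowMs = 50) {
  const reason = preCheck(input);
  if (reason !== null) {
    return { valid: false, reason, validatorCalled: false, ms: 0 };
  }
  const start = process.hrtime.bigint();
  const valid = Boolean(validator(input));
  const ms = Number(process.hrtime.bigint() - start) / 1e6;
  if (ms > slowMs) {
    // In production, emit a metric or structured log line here instead.
    console.warn(`slow email validation: ${ms.toFixed(1)} ms`);
  }
  return { valid, reason: valid ? null : 'validator rejected', validatorCalled: true, ms };
}

// Constructed stand-in validator so the example runs offline; swap in is-email.
const naiveValidator = (s) => /^[^@]+@[^@]+\.[^@.]+$/.test(s);
```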

🔍 How to Verify

Check if Vulnerable:

Check package.json or run 'npm list is-email' to see the installed version. If the version is below 1.0.1, the system is vulnerable.

Check Version:

npm list is-email | grep is-email

Verify Fix Applied:

After updating, verify the installed version is 1.0.1 or higher using 'npm list is-email'.

📡 Detection & Monitoring

Log Indicators:

  • Unusually high CPU usage spikes
  • Increased response times for email validation endpoints
  • Multiple failed or suspicious email validation attempts

Network Indicators:

  • Increased traffic to email validation endpoints
  • Patterns of repeated similar requests with crafted email addresses

SIEM Query:

source="application_logs" AND (message="isEmail" OR message="email validation") AND (cpu_usage > 90 OR response_time > 5000ms)
