CVE-2021-3765

7.5 HIGH

📋 TL;DR

CVE-2021-3765 is a regular expression denial of service (ReDoS) vulnerability in validator.js, a popular input validation library for Node.js. Attackers can cause denial of service by sending specially crafted input that triggers inefficient regular expression evaluation, consuming excessive CPU resources. This affects any application using vulnerable versions of validator.js for input validation.

💻 Affected Systems

Products:
  • validator.js
Versions: All versions before 13.7.0
Operating Systems: All platforms running Node.js
Default Config Vulnerable: ⚠️ Yes
Notes: Any application using validator.js functions like isEmail(), isURL(), or other validation methods with user-controlled input is vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete application unavailability due to CPU exhaustion, potentially affecting multiple services if validator.js is used in shared infrastructure.
🟠 Likely Case: Degraded performance or temporary service disruption for affected endpoints, requiring an application restart.
🟢 If Mitigated: Minimal impact with proper input length limits and resource monitoring in place.

🌐 Internet-Facing: HIGH - Internet-facing applications using validator.js for user input validation are directly exposed to crafted malicious input.
🏢 Internal Only: MEDIUM - Internal applications are less likely to be targeted but could still be affected by malicious internal actors or compromised systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending specially crafted input to endpoints using validator.js functions. No authentication needed if vulnerable endpoints are exposed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 13.7.0 and later

Vendor Advisory: https://github.com/validatorjs/validator.js/commit/496fc8b2a7f5997acaaec33cc44d0b8dba5fb5e1

Restart Required: Yes

Instructions:

1. Update the validator.js dependency to version 13.7.0 or later.
2. Run 'npm update validator' or 'yarn upgrade validator' (the npm package is published under the name validator).
3. Restart the Node.js application.
4. Test the validation functions to ensure compatibility.

🔧 Temporary Workarounds

Input length limiting (applies to: all): Implement maximum length checks on all user inputs before passing them to validator.js functions.

Rate limiting (applies to: all): Implement request rate limiting on endpoints that use validator.js to limit the impact of DoS attempts.
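The length-limiting workaround above, as an added example (not code from the validator.js project): a wrapper that rejects over-length or non-string input before any validator function, and therefore its regular expression, runs. The real library exports functions such as isEmail() and isURL(); to keep the snippet runnable offline, a constructed stand-in module with call counters is used in place of require('validator'), and the per-function caps are assumptions a deployment would tune.

```javascript
// Wrap every function of a validator.js-style module so that input is
// length-checked before the underlying regular expression is evaluated.
// `limits` maps function name -> maximum accepted length; `defaultMax`
// applies to any function without an explicit cap.
function guardValidators(validators, limits, defaultMax = 1024) {
  const guarded = {};
  for (const [name, fn] of Object.entries(validators)) {
    const max = limits[name] ?? defaultMax;
    guarded[name] = (input, ...rest) => {
      // Reject without ever invoking the regex-based validator.
      if (typeof input !== 'string' || input.length > max) return false;
      return fn(input, ...rest);
    };
  }
  return guarded;
}

// Constructed stand-in for the validator.js module (assumption: not the real
// library). Each function counts how often it is actually invoked so the
// example can show that oversized input never reaches the regex.
const calls = { isEmail: 0, isURL: 0 };
const fakeValidator = {
  isEmail: (s) => { calls.isEmail += 1; return /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(s); },
  isURL:   (s) => { calls.isURL += 1;   return /^https?:\/\/[^\s/$.?#].[^\s]*$/i.test(s); },
};

// Assumed caps: 254 characters is the commonly cited maximum e-mail address
// length; 2048 is a common practical limit for URLs.
const safe = guardValidators(fakeValidator, { isEmail: 254, isURL: 2048 });

// Exercise the guard with normal input and with an oversized payload.
function demo() {
  calls.isEmail = 0;
  calls.isURL = 0;
  const normalEmail = safe.isEmail('user@example.com');          // true
  const hugeEmail   = safe.isEmail('a'.repeat(10000) + '@x.y');  // false, regex not run
  const normalUrl   = safe.isURL('https://example.com/path');    // true
  const hugeUrl     = safe.isURL('https://' + 'b'.repeat(5000)); // false, regex not run
  const notString   = safe.isEmail(42);                          // false, regex not run
  return { normalEmail, hugeEmail, normalUrl, hugeUrl, notString,
           emailCalls: calls.isEmail, urlCalls: calls.isURL };
}
```

In a real deployment the stand-in is replaced by require('validator') and the guarded object is used everywhere the raw module was.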

🧯 If You Can't Patch

  • Implement Web Application Firewall (WAF) rules to block suspicious input patterns
  • Deploy resource monitoring and automatic restart mechanisms for CPU exhaustion scenarios

🔍 How to Verify

Check if Vulnerable:

Check package.json or run 'npm list validator' to see the installed version of the validator.js package. If the version is below 13.7.0, the system is vulnerable.

Check Version:

npm list validator | grep validator

Verify Fix Applied:

After updating, verify that the version is 13.7.0 or higher with 'npm list validator'. Test validation endpoints with normal and edge-case inputs.

📡 Detection & Monitoring

Log Indicators:

  • High CPU usage spikes on Node.js processes
  • Increased request times on validation endpoints
  • Application crashes or restarts

Network Indicators:

  • Unusually large or complex input payloads to validation endpoints
  • Rapid repeated requests to same validation endpoint

SIEM Query:

source="application.logs" AND ("CPU spike" OR "validation timeout" OR "validator.js")
