CVE-2022-35923 - Vulnerability Details - OpenCVE

v8n is a javascript validation library. Versions of v8n prior to 1.5.1 were found to have an inefficient regular expression complexity in the `lowercase()` and `uppercase()` regex which could lead to a denial of service attack. In testing of the `lowercase()` function a payload of 'a' + 'a'.repeat(i) + 'A' with 32 leading characters took 29443 ms to execute. The same issue happens with uppercase(). Users are advised to upgrade. There are no known workarounds for this issue.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation poc

Automatable yes

Technical Impact partial

Vendors	Products
V8n Project	V8n

Configuration 1 [-]

cpe:2.3:a:v8n_project:v8n:*:*:*:*:*:node.js:*:*

No data.

References

Link	Providers
https://github.com/imbrn/v8n/commit/92393862156fad190c05ec3f6e2bc73308dcd2f9
https://github.com/imbrn/v8n/security/advisories/GHSA-xrx9-gj26-5wx9
https://huntr.dev/bounties/2d92f644-593b-43b4-bfd1-c8042ac60609/

History

Tue, 22 Apr 2025 18:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2022-08-02T20:10:11.000Z

Updated: 2025-04-22T17:45:31.262Z

Reserved: 2022-07-15T00:00:00.000Z

Link: CVE-2022-35923

Vulnrichment

Updated: 2024-08-03T09:51:58.523Z

NVD

Status : Modified

Published: 2022-08-02T20:15:09.947

Modified: 2024-11-21T07:11:58.283

Link: CVE-2022-35923

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "v8n", "vendor": "imbrn", "versions": [{"status": "affected", "version": "< 1.5.1"}]}], "descriptions": [{"lang": "en", "value": "v8n is a javascript validation library. Versions of v8n prior to 1.5.1 were found to have an inefficient regular expression complexity in the `lowercase()` and `uppercase()` regex which could lead to a denial of service attack. In testing of the `lowercase()` function a payload of 'a' + 'a'.repeat(i) + 'A' with 32 leading characters took 29443 ms to execute. The same issue happens with uppercase(). Users are advised to upgrade. There are no known workarounds for this issue."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "description": "CWE-400: Uncontrolled Resource Consumption", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-08-02T20:10:11.000Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/imbrn/v8n/security/advisories/GHSA-xrx9-gj26-5wx9"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/imbrn/v8n/commit/92393862156fad190c05ec3f6e2bc73308dcd2f9"}, {"tags": ["x_refsource_MISC"], "url": "https://huntr.dev/bounties/2d92f644-593b-43b4-bfd1-c8042ac60609/"}], "source": {"advisory": "GHSA-xrx9-gj26-5wx9", "discovery": "UNKNOWN"}, "title": "Inefficient Regular Expression Complexity in v8n", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2022-35923", "STATE": "PUBLIC", "TITLE": "Inefficient Regular Expression Complexity in v8n"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "v8n", "version": {"version_data": [{"version_value": "< 1.5.1"}]}}]}, "vendor_name": "imbrn"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "v8n is a javascript validation library. Versions of v8n prior to 1.5.1 were found to have an inefficient regular expression complexity in the `lowercase()` and `uppercase()` regex which could lead to a denial of service attack. In testing of the `lowercase()` function a payload of 'a' + 'a'.repeat(i) + 'A' with 32 leading characters took 29443 ms to execute. The same issue happens with uppercase(). Users are advised to upgrade. There are no known workarounds for this issue."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-400: Uncontrolled Resource Consumption"}]}]}, "references": {"reference_data": [{"name": "https://github.com/imbrn/v8n/security/advisories/GHSA-xrx9-gj26-5wx9", "refsource": "CONFIRM", "url": "https://github.com/imbrn/v8n/security/advisories/GHSA-xrx9-gj26-5wx9"}, {"name": "https://github.com/imbrn/v8n/commit/92393862156fad190c05ec3f6e2bc73308dcd2f9", "refsource": "MISC", "url": "https://github.com/imbrn/v8n/commit/92393862156fad190c05ec3f6e2bc73308dcd2f9"}, {"name": "https://huntr.dev/bounties/2d92f644-593b-43b4-bfd1-c8042ac60609/", "refsource": "MISC", "url": "https://huntr.dev/bounties/2d92f644-593b-43b4-bfd1-c8042ac60609/"}]}, "source": {"advisory": "GHSA-xrx9-gj26-5wx9", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T09:51:58.523Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/imbrn/v8n/security/advisories/GHSA-xrx9-gj26-5wx9"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/imbrn/v8n/commit/92393862156fad190c05ec3f6e2bc73308dcd2f9"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://huntr.dev/bounties/2d92f644-593b-43b4-bfd1-c8042ac60609/"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-22T15:40:02.652401Z", "id": "CVE-2022-35923", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-22T17:45:31.262Z"}}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2022-35923", "datePublished": "2022-08-02T20:10:11.000Z", "dateReserved": "2022-07-15T00:00:00.000Z", "dateUpdated": "2025-04-22T17:45:31.262Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/imbrn/v8n/security/advisories/GHSA-xrx9-gj26-5wx9", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/imbrn/v8n/commit/92393862156fad190c05ec3f6e2bc73308dcd2f9", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://huntr.dev/bounties/2d92f644-593b-43b4-bfd1-c8042ac60609/", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T09:51:58.523Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-35923", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-04-22T15:40:02.652401Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-22T15:40:04.269Z"}}], "cna": {"title": "Inefficient Regular Expression Complexity in v8n", "source": {"advisory": "GHSA-xrx9-gj26-5wx9", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "imbrn", "product": "v8n", "versions": [{"status": "affected", "version": "< 1.5.1"}]}], "references": [{"url": "https://github.com/imbrn/v8n/security/advisories/GHSA-xrx9-gj26-5wx9", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/imbrn/v8n/commit/92393862156fad190c05ec3f6e2bc73308dcd2f9", "tags": ["x_refsource_MISC"]}, {"url": "https://huntr.dev/bounties/2d92f644-593b-43b4-bfd1-c8042ac60609/", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "v8n is a javascript validation library. Versions of v8n prior to 1.5.1 were found to have an inefficient regular expression complexity in the `lowercase()` and `uppercase()` regex which could lead to a denial of service attack. In testing of the `lowercase()` function a payload of 'a' + 'a'.repeat(i) + 'A' with 32 leading characters took 29443 ms to execute. The same issue happens with uppercase(). Users are advised to upgrade. There are no known workarounds for this issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-400", "description": "CWE-400: Uncontrolled Resource Consumption"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2022-08-02T20:10:11.000Z"}, "x_legacyV4Record": {"impact": {"cvss": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, "source": {"advisory": "GHSA-xrx9-gj26-5wx9", "discovery": "UNKNOWN"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "< 1.5.1"}]}, "product_name": "v8n"}]}, "vendor_name": "imbrn"}]}}, "data_type": "CVE", "references": {"reference_data": [{"url": "https://github.com/imbrn/v8n/security/advisories/GHSA-xrx9-gj26-5wx9", "name": "https://github.com/imbrn/v8n/security/advisories/GHSA-xrx9-gj26-5wx9", "refsource": "CONFIRM"}, {"url": "https://github.com/imbrn/v8n/commit/92393862156fad190c05ec3f6e2bc73308dcd2f9", "name": "https://github.com/imbrn/v8n/commit/92393862156fad190c05ec3f6e2bc73308dcd2f9", "refsource": "MISC"}, {"url": "https://huntr.dev/bounties/2d92f644-593b-43b4-bfd1-c8042ac60609/", "name": "https://huntr.dev/bounties/2d92f644-593b-43b4-bfd1-c8042ac60609/", "refsource": "MISC"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "eng", "value": "v8n is a javascript validation library. Versions of v8n prior to 1.5.1 were found to have an inefficient regular expression complexity in the `lowercase()` and `uppercase()` regex which could lead to a denial of service attack. In testing of the `lowercase()` function a payload of 'a' + 'a'.repeat(i) + 'A' with 32 leading characters took 29443 ms to execute. The same issue happens with uppercase(). Users are advised to upgrade. There are no known workarounds for this issue."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-400: Uncontrolled Resource Consumption"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2022-35923", "STATE": "PUBLIC", "TITLE": "Inefficient Regular Expression Complexity in v8n", "ASSIGNER": "security-advisories@github.com"}}}}, "cveMetadata": {"cveId": "CVE-2022-35923", "state": "PUBLISHED", "dateUpdated": "2025-04-22T17:45:31.262Z", "dateReserved": "2022-07-15T00:00:00.000Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2022-08-02T20:10:11.000Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:v8n_project:v8n:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "756E657C-AD87-49ED-B83B-5BD406633992", "versionEndExcluding": "1.5.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "v8n is a javascript validation library. Versions of v8n prior to 1.5.1 were found to have an inefficient regular expression complexity in the `lowercase()` and `uppercase()` regex which could lead to a denial of service attack. In testing of the `lowercase()` function a payload of 'a' + 'a'.repeat(i) + 'A' with 32 leading characters took 29443 ms to execute. The same issue happens with uppercase(). Users are advised to upgrade. There are no known workarounds for this issue."}, {"lang": "es", "value": "v8n es una biblioteca de comprobaci\u00f3n de javascript. Las versiones de v8n anteriores a 1.5.1, presentaban una complejidad de expresi\u00f3n regular ineficiente en las expresiones regulares \"lowercase()\" y \"uppercase()\" que pod\u00eda conllevar a un ataque de denegaci\u00f3n de servicio. En las pruebas de la funci\u00f3n \"lowercase()\" una carga \u00fatil de \"a\" + \"a\".repeat(i) + \"A\" con 32 caracteres iniciales tardaba 29443 ms en ejecutarse. El mismo problema ocurre con uppercase(). Es recomendado a usuarios actualizar. No se presentan mitigaciones conocidas para este problema"}], "id": "CVE-2022-35923", "lastModified": "2024-11-21T07:11:58.283", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-08-02T20:15:09.947", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/imbrn/v8n/commit/92393862156fad190c05ec3f6e2bc73308dcd2f9"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/imbrn/v8n/security/advisories/GHSA-xrx9-gj26-5wx9"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://huntr.dev/bounties/2d92f644-593b-43b4-bfd1-c8042ac60609/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/imbrn/v8n/commit/92393862156fad190c05ec3f6e2bc73308dcd2f9"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/imbrn/v8n/security/advisories/GHSA-xrx9-gj26-5wx9"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://huntr.dev/bounties/2d92f644-593b-43b4-bfd1-c8042ac60609/"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-1333"}], "source": "nvd@nist.gov", "type": "Primary"}]}