CVE-2021-36716 – is-email
Package
Manager: npm
Name: is-email
Vulnerable Version: >=0 <1.0.1
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00468 (percentile: 0.63567)
Details
Improper Input Validation in is-email
is-email helps validate an email address. A ReDoS (regular expression denial of service) flaw was found in the Segment is-email package before 1.0.1 for Node.js. An attacker who is able to provide crafted input to the isEmail(input) function may cause an application to consume an excessive amount of CPU.
Metadata
Created: 2021-12-10T17:25:21Z
Modified: 2022-05-04T03:12:57Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-j377-2x76-558h/GHSA-j377-2x76-558h.json
CWE IDs: ["CWE-20", "CWE-400"]
Alternative ID: GHSA-j377-2x76-558h
Finding: F184
Auto approve: 1