VYPR
High severity · 7.5 · NVD Advisory · Published Sep 6, 2017 · Updated May 13, 2026

CVE-2015-7294

Description

ldapauth-fork before 2.3.3 allows remote attackers to perform LDAP injection attacks via a crafted username.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package               Affected versions   Patched versions
ldapauth-fork (npm)   < 2.3.3             2.3.3
ldapauth (npm)        >= 0                (no patched version listed)

Patches

3feea43e2436

Sanitize user input

Repository: https://github.com/vesse/node-ldapauth-fork · Vesa Poikajärvi · Aug 14, 2015 · via ghsa
2 files changed · +16 -1
  • CHANGES.md (+4 -0, modified)
    @@ -1,5 +1,9 @@
     # node-ldapauth-fork Changelog
     
    +## 2.3.3
    +
    +- [issue #20] Sanitize user input
    +
     ## 2.3.2
     
     - [issue #19] Added messages to options asserts
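Review bot: The 2.3.3 entry only says "Sanitize user input"; since this release closes an LDAP filter injection in the username handling (tracked as CVE-2015-7294 on this advisory page), the changelog line should say so explicitly so that consumers of ldapauth-fork can recognise it as a security fix and prioritise the upgrade.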
    
  • lib/ldapauth.js (+12 -1, modified)
    @@ -219,6 +219,17 @@ LdapAuth.prototype._search = function (searchBase, options, callback) {
       });
     };
     
    +// https://tools.ietf.org/search/rfc4515#section-3
    +var sanitizeInput = function (username) {
    +  return username
    +    .replace(/\*/g, '\\2a')
    +    .replace(/\(/g, '\\28')
    +    .replace(/\)/g, '\\29')
    +    .replace(/\\/g, '\\5c')
    +    .replace(/\0/g, '\\00')
    +    .replace(/\//g, '\\2f');
    +};
    +
     /**
      * Find the user record for the given username.
      *
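Review bot: The order of the replace chain in sanitizeInput is wrong: the `.replace(/\\/g, '\\5c')` step runs after `*`, `(` and `)` have already been rewritten to `\2a`, `\28` and `\29`, so the backslash those escapes introduce is itself rewritten and an asterisk in a username ends up as `\5c2a` instead of `\2a`. The output still contains no unescaped filter metacharacters, so the injection is blocked, but any legitimate username containing one of those characters will no longer match its directory entry. Move the backslash replacement to the front of the chain, or do all substitutions in a single pass, e.g. `username.replace(/[*()\\\0]/g, function (ch) { ... })` with a lookup table, so nothing produced by one substitution is fed to another. Two smaller points: `/` is not among the characters RFC 4515 section 3 requires to be escaped (escaping it is harmless, but the comment should note it is an extra), and `.replace` will throw if username is not a string, so the caller should check the type rather than only emptiness.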
    @@ -233,7 +244,7 @@ LdapAuth.prototype._findUser = function (username, callback) {
         return callback("empty username");
       }
     
    -  var searchFilter = self.opts.searchFilter.replace(/{{username}}/g, username);
    +  var searchFilter = self.opts.searchFilter.replace(/{{username}}/g, sanitizeInput(username));
       var opts = {filter: searchFilter, scope: self.opts.searchScope};
       if (self.opts.searchAttributes) {
         opts.attributes = self.opts.searchAttributes;
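Review bot: The sanitized value is passed to `String.prototype.replace` as a replacement string, and a string replacement has `$`-prefixed special patterns (`$&`, `` $` ``, `$'`) interpreted by the engine, so a username containing `$` can pull text from the searchFilter template into the resulting filter; sanitizeInput does not touch `$`. Insert the value literally by using a function replacement: `var sanitized = sanitizeInput(username);` followed by `self.opts.searchFilter.replace(/{{username}}/g, function () { return sanitized; })`.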
    

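As an added example (not code from ldapauth-fork or from the fix commit above), this is the RFC 4515 section 3 value escaping the fix needs, written as a single regex pass so that no earlier substitution is re-escaped, placed next to a chained version in the order the patch uses for comparison, plus a `{{username}}` template substitution that inserts the value literally regardless of `$` characters. Function names are assumed; the template placeholder convention is the one the patch uses.

```javascript
// Added example, not ldapauth-fork's code. RFC 4515 section 3 requires
// escaping of '*', '(', ')', '\' and NUL inside filter assertion values.
const FILTER_ESCAPES = {
  '*': '\\2a',
  '(': '\\28',
  ')': '\\29',
  '\\': '\\5c',
  '\0': '\\00',
};

// One regex pass: each metacharacter maps to its escape sequence and the
// output is never scanned again, so a '\' produced by an escape is kept.
function escapeFilterValue(value) {
  if (typeof value !== 'string') {
    throw new TypeError('filter value must be a string');
  }
  return value.replace(/[*()\\\0]/g, (ch) => FILTER_ESCAPES[ch]);
}

// Chained version in the same order as the patch, for comparison only:
// the '\' rule runs after '*', '(' and ')' have already produced
// backslashes, so those backslashes are escaped a second time.
function escapeChained(value) {
  return value
    .replace(/\*/g, '\\2a')
    .replace(/\(/g, '\\28')
    .replace(/\)/g, '\\29')
    .replace(/\\/g, '\\5c')
    .replace(/\0/g, '\\00');
}

// Substitute every {{username}} placeholder with the escaped value. A
// function replacement is used so that '$' sequences in the value are not
// interpreted as String.prototype.replace special patterns.
function buildSearchFilter(template, username) {
  const escaped = escapeFilterValue(username);
  return template.replace(/{{username}}/g, () => escaped);
}

// Constructed sample inputs for a quick run.
console.log(escapeFilterValue('a(b)*c\\'));   // a\28b\29\2ac\5c
console.log(escapeChained('a*'));             // a\5c2a (double-escaped)
console.log(buildSearchFilter('(uid={{username}})', 'j$&'));  // (uid=j$&)
```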