Regular Expression Denial of Service (ReDoS)
Description
This affects the package npm-user-validate before 1.0.1. The regex that validates user emails took exponentially longer to process long input strings beginning with @ characters.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
npm-user-validate before 1.0.1 has a ReDoS vulnerability in its email validation: validation time grows superlinearly on long strings of @ characters, stalling the process that runs the check.
Vulnerability
npm-user-validate prior to version 1.0.1 contains a Regular Expression Denial of Service (ReDoS) vulnerability. The email check is a single regex, /^.+@.+\..+$/, with three unbounded `.+` groups. A long input made only of @ characters contains no `.` for the pattern to match, so before the match fails the engine retries every way of splitting the string between the first two `.+` groups; the work therefore grows superlinearly (quadratically) with input length rather than linearly, which the CVE text describes as exponential [1][2][3].
Exploitation
An attacker exploits this by submitting a long run of @ characters (the fix's regression test uses '@'.repeat(255)) anywhere an application passes untrusted input to npm-user-validate's email check, for example a registration form. No authentication is required when the check runs on user-supplied input, and no special network position is needed beyond being able to reach the endpoint that performs the validation [2][3].
Impact
Regex matching in Node.js runs synchronously on the event loop, so one crafted request blocks the whole process for the duration of the match and every other request queues behind it. The result is a denial-of-service condition: the application is unresponsive to legitimate users while the match runs. The impact is limited to availability; no data is read or modified [2][3].
Mitigation
Version 1.0.1 fixes the issue in two ways: it rejects any email longer than 254 characters before the regex runs, and it changes the pattern to /^[^@]+@.+\..+$/ so the local part cannot contain @, which fixes the first split point at the first @ instead of searching for it [2][4]. Update to 1.0.1 or later; the advisory lists no workaround [1]. An application that cannot update immediately can apply the same length cap to its own input before calling the validator, which bounds the worst case regardless of the pattern.
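The pre-1.0.1 check, the 1.0.1 check and the input shape from the Exploitation section, side by side, as an added example in JavaScript; this is not code from the npm-user-validate package or from its advisory. The two regexes and the 254-character limit are taken from the patch; the function names (checkEmailVulnerable, checkEmailFixed, attackerInput, measureMs), the error strings and the timing harness are this example's own.

```javascript
'use strict';
// Added example, not the npm-user-validate source. Regexes and the 254 limit
// follow the 1.0.1 patch; all names and the timing harness are this example's.

// Pre-1.0.1 check: three unbounded `.+` groups. On an input with no '.', the
// first two groups retry every split point before the match fails, so the
// work grows quadratically with the input length.
function checkEmailVulnerable(em) {
  if (!em.match(/^.+@.+\..+$/)) {
    return new Error('Email must be an email address');
  }
  return null;
}

// 1.0.1 check: cap the length first, then use `[^@]+` for the local part so
// the first split point is the first '@' rather than a searched position.
const MAX_EMAIL_LENGTH = 254;
const LENGTH_MESSAGE =
  'Email length must be less than or equal to ' + MAX_EMAIL_LENGTH + ' characters long';
const FORMAT_MESSAGE = 'Email must be an email address';

function checkEmailFixed(em) {
  if (em.length > MAX_EMAIL_LENGTH) {
    return new Error(LENGTH_MESSAGE);
  }
  if (!em.match(/^[^@]+@.+\..+$/)) {
    return new Error(FORMAT_MESSAGE);
  }
  return null;
}

// The input shape from the advisory: a long run of '@' characters.
function attackerInput(n) {
  return '@'.repeat(n);
}

// Wall-clock cost of one validation call, in milliseconds.
const now = () => (globalThis.performance ? globalThis.performance.now() : Date.now());
function measureMs(check, input) {
  const start = now();
  check(input);
  return now() - start;
}

// Standalone run: print timings for a few input sizes. The vulnerable check
// should roughly quadruple per doubling of n; the fixed check returns at the
// length test, so it stays flat.
function demo() {
  for (const n of [5000, 10000, 20000]) {
    const input = attackerInput(n);
    console.log(
      'n=' + n + ': vulnerable ' + measureMs(checkEmailVulnerable, input).toFixed(1) +
      ' ms, fixed ' + measureMs(checkEmailFixed, input).toFixed(3) + ' ms'
    );
  }
}

if (typeof require !== 'undefined' && require.main === module) {
  demo();
}
```

Run it with `node` to see the timings. Note that '@'.repeat(200) is within the length cap and is still rejected by the new pattern, because `[^@]+` requires at least one non-@ character before the first @; the cap only covers inputs the regex never sees.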
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| npm-user-validate (npm) | < 1.0.1 | 1.0.1 |
Affected products
- npm-user-validate (npm), GHSA coordinates: range < 1.0.1
- (no CPE) range: < 1.18.3-1.module_el8.3.0+2023+d2377ea3
- (no CPE) range: < 17-3.module_el8.4.0+2224+b07ac28e
Patches
c8a87dac1a4c fix: update email validation
2 files changed · +12 −1
npm-user-validate.js+5 −1 modified@@ -11,6 +11,7 @@ var requirements = exports.requirements = { }, password: {}, email: { + length: 'Email length must be less then or equal to 254 characters long', valid: 'Email must be an email address' } } @@ -45,7 +46,10 @@ function username (un) { } function email (em) { - if (!em.match(/^.+@.+\..+$/)) { + if (em.length > 254) { + return new Error(requirements.email.length) + } + if (!em.match(/^[^@]+@.+\..+$/)) { return new Error(requirements.email.valid) }
test/email.test.js+7 −0 modified@@ -7,6 +7,13 @@ test('email misses an @', function (t) { t.end() }) +test('email is longer then 254 characters', function (t) { + var str = '@'.repeat(255) + var err = v(str) + t.type(err, 'object') + t.end() +}) + test('email misses a dot', function (t) { var err = v('name@domain') t.type(err, 'object')
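Review bot: the new `requirements.email.length` message in the first hunk reads "less then or equal to"; it should be "less than or equal to". It is user-facing text carried in the returned Error, so worth correcting before release.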
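Review bot: in the `email()` hunk the length test runs before the regex, which is the right order (a 255-character input never reaches the pattern), but the limit 254 is written twice, in `em.length > 254` and in the message string; pull it into one named constant so the two cannot drift. The change from `.+` to `[^@]+` also deserves a one-line comment, since it is what stops the engine retrying every split point for inputs within the limit and the diff alone does not say why it was made.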
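Review bot: the new test only checks that `v('@'.repeat(255))` returns an object, which the old code also did (the string fails the format regex too), so it does not show that the length check fired. Assert on the message, for example that `err.message` equals the length requirement text, and add a case at or below the limit that begins with `@` (say `'@'.repeat(200)`) to cover the `[^@]+` change. The test name also has "longer then" for "longer than".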
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- https://github.com/advisories/GHSA-pw54-mh39-w3hc (GitHub Security Advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2020-7754 (NVD)
- https://github.com/npm/npm-user-validate/commit/c8a87dac1a4cc6988b5418f30411a8669bef204e (fix commit)
- https://github.com/npm/npm-user-validate/security/advisories/GHSA-xgh6-85xh-479p (repository advisory)
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1019353 (Snyk)
- https://snyk.io/vuln/SNYK-JS-NPMUSERVALIDATE-1019352 (Snyk)
News mentions
No linked articles in our index yet.