Regular Expression Denial of Service (ReDoS)
Description
This affects the package @absolunet/kafe before 3.2.10. It allows an attacker to cause a denial of service when validating crafted invalid emails.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The @absolunet/kafe package before 3.2.10 is vulnerable to ReDoS via crafted invalid emails, causing denial of service.
Vulnerability
Overview
The vulnerability in the @absolunet/kafe package before version 3.2.10 is a Regular Expression Denial of Service (ReDoS) flaw. The package's email validation function uses a regular expression that can be forced into catastrophic backtracking when processing specially crafted invalid email strings [1][2]. This causes the application to consume excessive CPU time, leading to a denial of service.
Exploitation
Conditions
An attacker can exploit this vulnerability by sending a payload consisting of a long, crafted string that triggers the regex engine's exponential time complexity. No authentication is required if the email validation is performed on user-supplied input, such as in a registration form or contact form. The attack can be launched remotely over the network [2].
Impact
Successful exploitation results in the application becoming unresponsive or crashing, denying service to legitimate users. The impact is limited to availability; confidentiality and integrity are not directly affected.
Mitigation
The issue is fixed in version 3.2.10 of the package. Users should upgrade to this version or later. As of the publication date, no workarounds are documented [1].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
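The two patterns from the overview and the patch side by side, with the input-length cap and upgrade check a caller can add while moving to 3.2.10. This is an added example, not kafe's own code: it assumes an ASCII backtick in the RFC 5322 character class (the rendered diff shows a curly quote), adds the `i` flag, and takes the 254-octet address limit from RFC 5321.

```javascript
// Added example (not kafe's code): old pattern beside the patched one, a guarded validator, an upgrade check.
// Pre-3.2.10 pattern, kept for comparison only; never run it on untrusted input.
// `\w+` followed by `([.+-]?\w+)*` lets a run of word characters be split between the
// quantifiers in exponentially many ways; a long run with no "@" forces every split to be tried.
const LEGACY_PATTERN = /^\w+([\.\+-]?\w+)*@\w+([\.-]?\w+)*(\.\w{2,3})+$/;

// 3.2.10 pattern (practical RFC 5322 form from regular-expressions.info). Each repeated
// group starts with a literal "." absent from the class, so the local part parses one way.
// Assumed: ASCII backtick in the class (rendered diff shows U+2018) and the `i` flag,
// because the class is lowercase-only while \w accepted uppercase.
const PATCHED_PATTERN = /^[a-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[a-z0-9!#$%&'*+/=?^_`{|}~-]+)*@(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$/i;

// RFC 5321 caps a complete address at 254 octets, so longer input is rejected before any
// pattern runs. This bounds a polynomial pattern's work; it does not rescue an exponential
// one (2^254 is still unbounded in practice), so upgrading remains the fix.
const MAX_EMAIL_LENGTH = 254;

function isEmail(str, pattern = PATCHED_PATTERN) {
  if (typeof str !== 'string') return false;
  const trimmed = str.trim(); // the original stripped surrounding whitespace and tabs
  if (trimmed.length === 0 || trimmed.length > MAX_EMAIL_LENGTH) return false;
  return pattern.test(trimmed);
}

// Upgrade check: which known-good samples change verdict between the patterns. Run it
// only over short, trusted samples, because it executes the legacy pattern.
function changedVerdicts(samples) {
  return samples
    .map((email) => ({ email, legacy: isEmail(email, LEGACY_PATTERN), patched: isEmail(email) }))
    .filter((r) => r.legacy !== r.patched);
}

// Constructed samples covering the behavioural differences between the two patterns.
const SAMPLES = [
  'user@example.com',    // accepted by both
  'user@example.museum', // legacy capped the TLD at 3 characters
  'user@ex_ample.com',   // \w allowed "_" in the domain; the new class does not
  'a%b@x.com',           // "%" is RFC 5322 atext but not \w
  'user@example.c',      // legacy required a 2-3 character TLD
];

console.log(changedVerdicts(SAMPLES));
```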
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| @absolunet/kafe (npm) | < 3.2.10 | 3.2.10 |
Affected products
- @absolunet/kafe
Patches
c644c798bfcd: Switch email pattern to practical implementation of RFC 5322
1 file changed · +4 −1
src/kafe/string-validate.js+4 −1 modified@@ -46,7 +46,10 @@ validate.isEmail = function(str) { str = str.replace(/^\s*|\s*$/g, ''); str = str.replace(/^\t*|\t*$/g, ''); - return (/^\w+([\.\+-]?\w+)*@\w+([\.-]?\w+)*(\.\w{2,3})+$/.test(str)); + + // Practical implementation of RFC 5322 + // https://www.regular-expressions.info/email.html + return (/^[a-z0-9!#$%&'*+/=?^_‘{|}~-]+(?:\.[a-z0-9!#$%&'*+/=?^_‘{|}~-]+)*@(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$/.test(str)); };
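Review bot: the replacement pattern is lowercase-only and has no `i` flag, while the `\w`-based pattern it replaces accepted uppercase letters, so an address such as `John@Example.com` that passed before this change is now rejected unless `str` is lower-cased first; add the `i` flag (`/.../i`) or `str = str.toLowerCase();` before the test, and cover it with a test case. The character class also shows `‘` (U+2018) where the referenced regular-expressions.info pattern has an ASCII backtick; confirm the committed source contains the backtick. Minor: the second `str.replace(/^\t*|\t*$/g, '')` is redundant, since `\s` in the preceding replace already covers tabs.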
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-hgpf-97c5-74fc (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-7761 (NVD advisory)
- github.com/absolunet/kafe/commit/c644c798bfcdc1b0bbb1f0ca59e2e2664ff3fdd0%23diff-f0f4b5b19ad46588ae9d7dc1889f681252b0698a4ead3a77b7c7d127ee657857 (fix commit)
- snyk.io/vuln/SNYK-JS-ABSOLUNETKAFE-1017403 (Snyk advisory)
- www.npmjs.com/package/@absolunet/kafe (package page)