VYPR
High severity · NVD Advisory · Published Feb 11, 2021 · Updated Sep 16, 2024

LDAP Injection

CVE-2021-23335

Description

All versions of the is-user-valid npm package are vulnerable to LDAP injection, enabling authentication bypass or information exposure.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability Overview

The package is-user-valid, a simple service for checking user validity in LDAP, is vulnerable to LDAP injection in all versions [1][2]. The vulnerability stems from improper sanitization of user input before it is used to construct LDAP queries, allowing an attacker to inject arbitrary LDAP directives.

Attack Vector and Exploitation

An attacker can exploit this by sending crafted user input to the application's authentication or user validation endpoint. No special privileges are needed; the attacker only needs network access to a service using this library. The injected LDAP statements modify the intended query logic.

Impact

Successful LDAP injection can lead to authentication bypass, allowing an attacker to log in as any user without knowing their credentials, or to information exposure by manipulating queries to retrieve sensitive directory data [1][2].

Mitigation Status

As of the latest disclosure, there is no fixed version for the is-user-valid package [2]. The recommended action is to avoid using the package or to implement proper input validation and parameterized LDAP queries as a workaround.
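The two workaround layers named above, as an added example (not code from the is-user-valid package): an allowlist check on the username, and RFC 4515 escaping of the value before it is placed into the search filter string, so the input is always read as a literal assertion value. The LDAP client that would execute the filter is assumed and not shown.

```javascript
// Added example, not code from the is-user-valid package: build an LDAP
// search filter from an untrusted username without letting the username
// change the filter's structure. Layer 1 is allowlist validation, layer 2
// is RFC 4515 escaping of the value placed into the filter string.

// RFC 4515 section 3: these characters must be escaped as \XX (hex byte).
const FILTER_ESCAPES = {
  "\u0000": "\\00",
  "(": "\\28",
  ")": "\\29",
  "*": "\\2a",
  "\\": "\\5c",
};

// Escape a string so it is interpreted as a literal assertion value.
function escapeLdapFilterValue(value) {
  if (typeof value !== "string") {
    throw new TypeError("LDAP filter value must be a string");
  }
  let out = "";
  for (const ch of value) {
    if (Object.prototype.hasOwnProperty.call(FILTER_ESCAPES, ch)) {
      out += FILTER_ESCAPES[ch];
    } else if (ch.codePointAt(0) < 0x20) {
      // Other ASCII control characters are escaped as hex bytes as well.
      out += "\\" + ch.codePointAt(0).toString(16).padStart(2, "0");
    } else {
      out += ch;
    }
  }
  return out;
}

// Allowlist for typical directory uids; anything else is rejected outright.
const USERNAME_RE = /^[A-Za-z0-9._-]{1,64}$/;

function isUsernameValid(username) {
  return typeof username === "string" && USERNAME_RE.test(username);
}

// Build the lookup filter. Validation rejects unexpected input; escaping
// still runs so that a relaxed allowlist cannot reintroduce injection.
function buildUserFilter(username, { strict = true } = {}) {
  if (strict && !isUsernameValid(username)) {
    throw new Error("invalid username");
  }
  return `(&(objectClass=person)(uid=${escapeLdapFilterValue(username)}))`;
}
```

With `strict` left at its default, any username containing filter metacharacters is rejected before a query is built; the escaped form is what the directory would see if validation were loosened.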

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: is-user-valid (npm)
Affected versions: <= 1.1.2
Patched versions: none

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0

No linked articles in our index yet.