Inefficient Regular Expression Complexity in validatorjs/validator.js
Description
validator.js is vulnerable to Inefficient Regular Expression Complexity
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The rtrim function in validator.js before 13.6.6 is vulnerable to ReDoS via a crafted string with many trailing whitespace characters.
Vulnerability
The rtrim function in validator.js before version 13.6.6 used a regular expression /(\s)+$/g for trimming whitespace. This regex can cause catastrophic backtracking on strings with many trailing whitespace characters, leading to a Regular Expression Denial of Service (ReDoS) attack. [1][3]
Exploitation
An attacker can provide a string with a large number of whitespace characters (e.g., spaces) at the end, causing the regex engine to take exponential time to evaluate. No authentication or special privileges are needed; simply calling rtrim on such input triggers the slowdown. [3][4]
Impact
Successful exploitation allows an attacker to cause high CPU consumption, potentially leading to denial of service for the application using validator.js. The vulnerability has a CVSS base score of 7.5 (High) with availability impact. [2]
Mitigation
The fix was implemented in commit 496fc8b2 [3] and released in validator.js version 13.6.6. Users should upgrade to version 13.6.6 or later. There are no known workarounds other than avoiding the rtrim function with untrusted input before patching. [1][2]
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
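To show what the index-walk fix buys, here is an added example (not validator.js's own code) of a back-walking rtrim beside the old regex, with a differential check that both agree on ordinary inputs, including Unicode whitespace that \s matches. It goes one step beyond the page's patch by applying the same walk to the optional chars argument, which the patch still handles with a regex; the sample strings are constructed.

```javascript
// Legacy behaviour (the pattern the advisory describes), kept only for comparison.
function rtrimRegex(str) {
  return str.replace(/(\s)+$/g, '');
}

// Index-walk trim: each character is examined at most once, so the cost is
// linear in the length of the whitespace tail and there is nothing to backtrack.
function rtrimSafe(str, chars) {
  if (typeof str !== 'string') throw new TypeError('expected a string');
  let i = str.length - 1;
  if (chars) {
    // Escape regex metacharacters so the caller's chars form a literal class
    // (same escaping the project uses); the class is tested one char at a time.
    const escaped = chars.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
    const cls = new RegExp(`[${escaped}]`);
    while (i >= 0 && cls.test(str.charAt(i))) i -= 1;
    return str.slice(0, i + 1);
  }
  // /\s/ against a single character is constant-time.
  while (i >= 0 && /\s/.test(str.charAt(i))) i -= 1;
  return str.slice(0, i + 1);
}

// Differential check: the replacement must agree with the old regex on ordinary
// input before it can be swapped in. Returns true when every sample matches.
function agreesWithRegex(samples) {
  return samples.every((s) => rtrimSafe(s) === rtrimRegex(s));
}

// Constructed sample inputs: empty, all-whitespace, leading/trailing mixes,
// tabs and newlines, NBSP and LINE SEPARATOR (both matched by \s), a long tail.
const SAMPLES = [
  '', '   ', 'abc', 'abc   ', '  abc  ', 'a b\t\n',
  'x\u00a0\u2028', 'tail ' + ' '.repeat(1000),
];

console.log('agrees with regex on samples:', agreesWithRegex(SAMPLES));
console.log(JSON.stringify(rtrimSafe('foo123', '123')), JSON.stringify(rtrimSafe('a.b..', '.')));
```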
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| validator (npm) | < 13.7.0 | 13.7.0 |
Affected products
- validatorjs / validatorjs/validator.js / v5 / Range: unspecified
Patches
496fc8b2a7f5 fix(rtrim): remove regex to prevent ReDOS attack (#1738)
1 file changed · +12 −3
src/lib/rtrim.js+12 −3 modified@@ -2,7 +2,16 @@ import assertString from './util/assertString'; export default function rtrim(str, chars) { assertString(str); - // https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions#Escaping - const pattern = chars ? new RegExp(`[${chars.replace(/[.*+?^${}()|[\]\\]/g, '\\$&')}]+$`, 'g') : /(\s)+$/g; - return str.replace(pattern, ''); + if (chars) { + // https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions#Escaping + const pattern = new RegExp(`[${chars.replace(/[.*+?^${}()|[\]\\]/g, '\\$&')}]+$`, 'g'); + return str.replace(pattern, ''); + } + // Use a faster and more safe than regex trim method https://blog.stevenlevithan.com/archives/faster-trim-javascript + let strIndex = str.length - 1; + while (/\s/.test(str.charAt(strIndex))) { + strIndex -= 1; + } + + return str.slice(0, strIndex + 1); }
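Review bot: the `chars` branch still trims with a regex of the same `]+$` shape as the removed default (`const pattern = new RegExp(\`[${...}]+$\`, 'g')`), while the commit message says the regex was removed to prevent ReDoS; either apply the same backward index walk to that branch too (test membership in the escaped class one character at a time) or add a comment stating why the caller-supplied class is considered safe. The new comment `// Use a faster and more safe than regex trim method` also reads awkwardly; `// Walk back from the end instead of using a regex: faster and not subject to backtracking` says the same thing clearly.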
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- [1] github.com/advisories/GHSA-qgmg-gppg-76g5 (GitHub Security Advisory)
- [2] nvd.nist.gov/vuln/detail/CVE-2021-3765 (NVD advisory)
- [3] github.com/validatorjs/validator.js/commit/496fc8b2a7f5997acaaec33cc44d0b8dba5fb5e1 (fix commit)
- [4] huntr.dev/bounties/c37e975c-21a3-4c5f-9b57-04d63b28cfc9 (bounty report, confirmed)