Skip to content
Browse files

security: fix catastrophic backtracking

The regex used to validate the user portion was vulnerable
to catastrophic backtracking.

This made valid-email vulnerable to a weak REDOS attack.
Each malicious input blocks the event loop for about 0.1 seconds.

I tweaked the behavior of the regex pattern.

It now accepts double-quote and space ('"' and ' ', respectively)
characters anywhere in the user portion.

It used to accept a broader range of characters provided they were escaped.

To retain the original language, I suspect a custom parser would be necessary.
Seems like overkill for this module.
  • Loading branch information...
davisjam authored and johnhenry committed Feb 26, 2018
1 parent 7f30ae7 commit 624ffa60b42bed8c577a679d682dda286b4603e6
Showing with 3 additions and 6 deletions.
  1. +3 −6 lib/valid-email.js
@@ -51,12 +51,9 @@ module.exports = function valid(email) {
if (domain.match(/\\.\\./)) {
return false; // domain part has two consecutive dots
if (
.replace("\\\\", "")
) {
if (!user.replace("\\\\", "").match(/^"(\\\\"|[^"])+"$/)) return false;
if (!user.match(/^[A-Za-z0-9!#%&`_=\\/$\'*+?^{}|~.\-" ]+$/)) {
return false; // user part has invalid characters

return true;

0 comments on commit 624ffa6

Please sign in to comment.
You can’t perform that action at this time.