vuelidate
cpe:2.3:a:vuelidate_project:vuelidate:*:*:*:*:*:*:*
A denial-of-service vulnerability has been identified in the Vuelidate library, specifically within the URL validation function of the @vuelidate/validators package. This vulnerability arises from inefficient regular expression processing, which can be exploited by providing crafted input that causes excessive CPU consumption. The issue has been fixed in version 2.0.4 of the @vuelidate/validators package.
Exploitation of this vulnerability leads to a regular expression denial-of-service condition, where an attacker can cause significant CPU resource exhaustion, potentially leading to application crashes.
To reproduce this vulnerability, install the @vuelidate/validators package and use the URL validator function with specially crafted input designed to exploit the regular expression's inefficiency. This can be done by creating a Node.js script that measures the time taken to validate the input, demonstrating the excessive resource consumption.
Users can upgrade to version 2.0.4 of the @vuelidate/validators package to address this vulnerability.