Valibot Regular Expression Denial-of-Service Vulnerability in Emoji Validation

Vulnerability

A Regular Expression Denial-of-Service (ReDoS) vulnerability has been identified in Valibot versions from 0.31.0 up to, but not including, 1.1.0. The issue lies in the EMOJI_REGEX used for emoji validation: overlapping character classes make the pattern ambiguous, so the regex engine can backtrack catastrophically. As a result, a short, crafted string can make the regex engine consume excessive CPU time, causing a Denial-of-Service condition for the application.

Impact

Exploitation of this vulnerability can drive CPU usage up sharply and leave the application unresponsive for an extended period. This disruption ties up server resources, in particular the event loop of single-threaded web servers, and because the crafted input is short it is not stopped by typical input length limits.

Reproduction

The vulnerability can be reproduced by running Valibot's emoji validation on a string crafted to trigger the regex ambiguity. Such a string contains repeated characters that fall within the overlapping classes for the regional indicator symbols, so that the regex engine must explore many ways of matching the run and experiences catastrophic backtracking.

Remediation

Users should upgrade to Valibot version 1.2.0, which addresses the vulnerability by rewriting the EMOJI_REGEX to eliminate the overlapping character classes that caused the issue.
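To show the overlapping-class pattern the advisory describes, and the kind of regression check a project can keep so the fix is not undone later, here is an added JavaScript example. It is not Valibot's code: both regexes are constructed toys, not the real EMOJI_REGEX, and the regional indicator range U+1F1E6..U+1F1FF is assumed as the character class.

```javascript
// Constructed toy regexes (NOT Valibot's actual EMOJI_REGEX).
// Regional indicator symbols are U+1F1E6..U+1F1FF; two of them form a flag.
// The ambiguous form can consume a run of regional indicators either one at a
// time or two at a time. On an input that cannot match, the engine retries
// every way of splitting the run before giving up (Fibonacci growth, i.e.
// exponential backtracking), so a short string is enough to burn CPU.
const AMBIGUOUS_RI = /^(?:[\u{1F1E6}-\u{1F1FF}]|[\u{1F1E6}-\u{1F1FF}]{2})+$/u;

// Hardened form: the same language (one or more regional indicators) written
// with a single, non-overlapping class, so rejection takes linear time.
const HARDENED_RI = /^[\u{1F1E6}-\u{1F1FF}]+$/u;

// Constructed probe: n regional indicators followed by a character that cannot
// match, which forces a failing match and therefore full backtracking.
function probe(n) {
  return "\u{1F1E6}".repeat(n) + "!";
}

// Time how long a regex takes to reject probe(n); Date.now() keeps the block
// free of platform-specific timers (millisecond resolution is enough here).
function rejectMillis(re, n) {
  const input = probe(n);
  const start = Date.now();
  const matched = re.test(input);
  return { matched, ms: Date.now() - start };
}

// Regression check for CI: the hardened regex must agree with the original on
// valid input (the flag for ES and a plain run of indicators) and must reject
// a pathological probe well inside a time budget. Returns true when both hold.
function hardenedIsSafe(n = 30, budgetMs = 100) {
  const valid = ["\u{1F1EA}\u{1F1F8}", "\u{1F1E6}".repeat(n)];
  const agree = valid.every((s) => AMBIGUOUS_RI.test(s) === HARDENED_RI.test(s));
  const r = rejectMillis(HARDENED_RI, n);
  return agree && !r.matched && r.ms < budgetMs;
}

// Demo: the ambiguous regex slows down sharply as the probe grows by a few
// characters, while the hardened one stays flat. Sizes are kept small so the
// demo itself finishes quickly.
for (const n of [12, 16, 20, 24]) {
  const slow = rejectMillis(AMBIGUOUS_RI, n);
  const fast = rejectMillis(HARDENED_RI, n);
  console.log(`n=${n}: ambiguous ${slow.ms} ms, hardened ${fast.ms} ms`);
}
console.log("hardened regex passes regression check:", hardenedIsSafe());
```

A length limit alone would not help here, because the probe that triggers the slowdown is only a few dozen characters long; the fix is the non-overlapping pattern.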

Added: Nov 26, 2025, 2:18 AM
Updated: Nov 26, 2025, 2:18 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 8.7
remediation: 7.7
relevance: 1.1
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.