mreinstein / alexa-verifier

✓ Verify HTTP requests sent to an Alexa skill are sent from Amazon
MIT License

Usage of validator module vulnerable version #66

Closed mallikde-kore closed 2 years ago

mallikde-kore commented 3 years ago

Issue:

validator package versions before 13.6.0 are vulnerable to ReDoS (Regular Expression Denial of Service) via isEmail and isHSL. The vulnerability can happen when checking if the crafted string is an email.

Suggestion: Please update validator package to latest version to fix this vulnerability.

dblock commented 3 years ago

@mallikde-kore Could you help by making a PR, please?

mreinstein commented 3 years ago

We don't use either of those validators, just isBase64, so we should be OK. That said, I'd still gladly update the package version if it doesn't break anything.

mreinstein commented 2 years ago

Should be resolved since the package.json is pointing at ^13.7.0 now
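The thread turns on one check: does the dependency range for `validator` in package.json resolve to a version at or above 13.6.0, the first release without the isEmail/isHSL ReDoS? The script below is an added example, not code from alexa-verifier or from the validator project. It assumes a parsed package.json object as input, takes the 13.6.0 threshold from the issue, and reports `^13.7.0` (the range mentioned in the last comment) as fixed. The range parser only understands the common spec forms (exact, `^`, `~`, `>=`, `>`, x-ranges); anything else is flagged for manual review rather than silently passed.

```javascript
// Added example (not part of alexa-verifier or validator): flag a package.json
// whose "validator" dependency range can still resolve to a ReDoS-affected
// release. Threshold comes from the issue text: fixed in validator 13.6.0.
const FIXED_VERSION = [13, 6, 0];

// Parse "MAJOR.MINOR.PATCH" into a numeric triple.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Lexicographic comparison of two version triples: <0, 0, >0.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// Lowest version a dependency range can resolve to, or null when the range
// is a form this parser does not model (e.g. "*", "latest", hyphen ranges).
// For compound ranges such as ">=13.0.0 <14" only the leading clause is used,
// which is the one that sets the floor.
function minimumOfRange(range) {
  const r = range.trim();
  if (r === '' || r === '*' || r === 'latest') return null;
  const m = /^(\^|~|>=|>)?\s*v?(\d+)(?:\.(\d+|x|\*))?(?:\.(\d+|x|\*))?/.exec(r);
  if (!m) return null;
  const op = m[1] || '';
  const num = (s) => (/^\d+$/.test(s || '') ? Number(s) : 0); // x / * / absent -> 0
  const floor = [Number(m[2]), num(m[3]), num(m[4])];
  if (op === '>') floor[2] += 1; // strict lower bound: next patch is the floor
  return floor;
}

// Audit every dependency section of a parsed package.json for "validator".
// Returns one finding per section that declares it.
function auditValidatorDependency(pkg) {
  const sections = ['dependencies', 'devDependencies', 'optionalDependencies'];
  const findings = [];
  for (const section of sections) {
    const range = pkg[section] && pkg[section].validator;
    if (range === undefined) continue;
    const floor = minimumOfRange(range);
    let status;
    if (floor === null) {
      status = 'review'; // unbounded or unparsed range: check the lockfile by hand
    } else {
      status = compareVersions(floor, FIXED_VERSION) >= 0 ? 'ok' : 'vulnerable';
    }
    findings.push({ section, range, status });
  }
  return findings;
}

// Constructed sample manifests (not the project's real package.json).
const beforeFix = { name: 'sample-skill', dependencies: { validator: '^13.5.2' } };
const afterFix = { name: 'sample-skill', dependencies: { validator: '^13.7.0' } };

for (const pkg of [beforeFix, afterFix]) {
  for (const f of auditValidatorDependency(pkg)) {
    console.log(`${pkg.name} ${f.section}.validator "${f.range}": ${f.status}`);
  }
}
```

Running the block prints `vulnerable` for the constructed `^13.5.2` manifest and `ok` for `^13.7.0`. Because `^` and `~` ranges only set a floor, the check reasons about the lowest resolvable version; to confirm what is actually installed, compare the lockfile's pinned `validator` version with `parseVersion` and `compareVersions` the same way.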