CVE-2021-21267
Severity: HIGH
schema-inspector < 2.0.0 - Denial of Service via Email Validation ReDoS
Title source: llmDescription
Schema-Inspector is an open-source tool to sanitize and validate JS objects (npm package schema-inspector). In versions before 2.0.0, email address validation is vulnerable to a denial-of-service attack: some inputs (for example `a@0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.`) will freeze the program or web browser page executing the code. This affects any current schema-inspector users using any version to validate email addresses. Users who do not do email validation, and instead do other types of validation (such as string min or max length), are not affected. Users should upgrade to version 2.0.0, which uses a regular expression that isn't vulnerable to ReDoS.
References (4)
- https://github.com/schema-inspector/schema-inspector/security/advisories/GHSA-f38p-c2gq-4pmr (Exploit, Third Party Advisory; x_refsource_confirm)
- https://gist.github.com/mattwelke/b7f42424680a57b8161794ad1737cd8f (Exploit, Third Party Advisory; x_refsource_misc)
- https://www.npmjs.com/package/schema-inspector (Exploit, Third Party Advisory; x_refsource_misc)
- https://security.netapp.com/advisory/ntap-20210528-0006/ (Third Party Advisory; x_refsource_confirm)
Scores
- CVSS v3: 7.5
- EPSS: 0.0087
- EPSS Percentile: 75.3%
- Attack Vector: NETWORK
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Details
- CWE: CWE-400, CWE-20
- Status: published
Products (4)
- netapp/e-series_performance_analyzer
- netapp/oncommand_insight
- npm/schema-inspector: 0 - 2.0.0 (npm)
- schema-inspector_project/schema-inspector: < 2.0.0
Published: Mar 19, 2021
Tracked Since: Feb 18, 2026