The CVE-2024-43651 vulnerability in Valibot is a ReDoS flaw in the `EMOJI_REGEX` pattern used by the `emoji()` validator. The regex is built from overlapping character classes: the general `\p{Emoji_Presentation}` class overlaps with more specific classes such as `[\u{1F1E6}-\u{1F1FF}]` (regional indicators, used for flags) and `\p{Emoji_Modifier_Base}`. When a maliciously crafted string, such as a sequence of 49 regional indicator symbols followed by a non-matching character (‘0’), is processed, the regex engine suffers catastrophic backtracking: because a regional indicator can be consumed by more than one class, the engine explores an exponential number of candidate paths before the match finally fails. This locks the CPU for minutes on a short input string, causing a complete denial of service for the application instance processing the request.
Platform: Valibot
Version: < 0.42.1
Vulnerability: ReDoS
Severity: Critical
Date: 2024-10-28
Prediction: Patch expected 2024-10-30
What Undercode Say:
Check whether your dependency tree pulls in an affected version:

```shell
npm audit --production
```

PoC code to test the vulnerability:

```javascript
// PoC code to test the vulnerability: 49 regional indicator symbols followed by
// a non-matching character trigger catastrophic backtracking in emoji() on
// affected versions (< 0.42.1).
import * as v from 'valibot';

const schema = v.object({ x: v.pipe(v.string(), v.emoji()) });
const attackString = '\u{1F1E6}'.repeat(49) + '0';

v.parse(schema, { x: attackString });
```
How to Exploit:
Craft a short string of regional indicators with a trailing non-emoji character. Send it via any form that uses `emoji()` validation.
Protection from this CVE:
Update to Valibot v0.42.1. The patch uses negative lookaheads to resolve the class overlap, so each code point can be matched in only one way.
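To make the overlap and the lookahead-based fix concrete, here is an added example that is not Valibot's actual `EMOJI_REGEX` or its patch: a constructed, simplified pattern with the same ambiguity between the general `\p{Emoji_Presentation}` class and the regional-indicator pair class, beside an unambiguous rewrite that guards the general class with a negative lookahead. The names `AMBIGUOUS_EMOJI_REGEX`, `SAFE_EMOJI_REGEX`, `attackString` and `timeMatch` are chosen here for illustration, and the loop keeps the ambiguous pattern at small inputs so the demonstration itself finishes quickly.

```javascript
// Added example, not Valibot's code: a constructed, simplified emoji pattern that
// reproduces the described class overlap, beside an unambiguous rewrite. Both accept
// sequences of flags (pairs of regional indicators) and other Emoji_Presentation
// code points; they differ only in how they resolve the overlap.

const RI = '[\\u{1F1E6}-\\u{1F1FF}]'; // regional indicator symbols (flag halves)

// Ambiguous: a regional indicator also carries the Emoji_Presentation property, so a
// run of n indicators can be split into singles and pairs in Fibonacci(n+1) ways.
// When the overall match fails (trailing '0'), the engine tries every split.
const AMBIGUOUS_EMOJI_REGEX = new RegExp(
  `^(?:\\p{Emoji_Presentation}|${RI}{2})+$`, 'u');

// Unambiguous: try the flag pair first, and guard the general class with a negative
// lookahead so a regional indicator is never consumed on its own. Each code point
// now matches in exactly one way, and a failed match costs linear time.
const SAFE_EMOJI_REGEX = new RegExp(
  `^(?:${RI}{2}|(?!${RI})\\p{Emoji_Presentation})+$`, 'u');

// Input shape from the advisory: n regional indicators, then a non-emoji character.
function attackString(n) {
  return '\u{1F1E6}'.repeat(n) + '0';
}

// Run one match and report the result together with the wall-clock time in ms.
function timeMatch(regex, input) {
  const start = process.hrtime.bigint();
  const matched = regex.test(input);
  const ms = Number(process.hrtime.bigint() - start) / 1e6;
  return { matched, ms };
}

// Constructed valid inputs: a flag, a single emoji, a flag followed by an emoji.
const VALID_SAMPLES = [
  '\u{1F1E9}\u{1F1EA}',
  '\u{1F600}',
  '\u{1F1EB}\u{1F1F7}\u{1F600}',
];

function main() {
  console.log("input\t\tambiguous ms\tsafe ms");
  // Work for the ambiguous pattern grows by ~1.6x per extra indicator, so stay small.
  for (const n of [8, 12, 16, 20, 24]) {
    const a = timeMatch(AMBIGUOUS_EMOJI_REGEX, attackString(n));
    const s = timeMatch(SAFE_EMOJI_REGEX, attackString(n));
    console.log(`RI*${n}+'0'\t${a.ms.toFixed(3)}\t\t${s.ms.toFixed(3)}`);
  }
  // The advisory's 49-indicator string is rejected by the safe pattern immediately.
  const s49 = timeMatch(SAFE_EMOJI_REGEX, attackString(49));
  console.log(`RI*49+'0' safe: matched=${s49.matched} in ${s49.ms.toFixed(3)} ms`);
  for (const sample of VALID_SAMPLES) {
    console.log(`valid sample accepted by both: ${AMBIGUOUS_EMOJI_REGEX.test(sample) && SAFE_EMOJI_REGEX.test(sample)}`);
  }
}

main();
```

One behavioural difference is deliberate: the unambiguous pattern rejects a lone regional indicator, because a flag is always a pair, while the ambiguous pattern accepts it through the general class. That is the price of removing the overlap, and it is exactly the kind of edge case to cover in the validator's test suite when hardening a regex this way.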
Impact:
Application denial of service: CPU exhaustion in the regex engine blocks the Node.js event loop, so the affected instance stops serving all requests while the match runs.
Sources:
Reported By: github.com