Regular expression denial of service (ReDoS) in EmailField component in Vaadin 14 and 15-17
Unsafe validation RegEx in
EmailField component in
com.vaadin:vaadin-text-field-flow versions 2.0.4 through 2.3.2 (Vaadin 14.0.6 through 14.4.3), and 3.0.0 through 4.0.2 (Vaadin 15.0.0 through 17.0.10) allows attackers to cause uncontrolled resource consumption by submitting malicious email addresses.
Regular expression used on server side to validate input of email fields (
com.vaadin.flow.component.textfield.EmailField) is subjected to exponential backtracking, which may result in unbound resource consumption and denial of service. To perform such an attack it is enough to enter a malicious email address into any email field and submit a value to the server for validation (it happens automatically when the field is blurred). UI thread of the server can spend an indefinite amount of time (depending on the input) matching this email address to a validation pattern. By repeating this action the attacker may cause thread pool or resource exhaustion, thus making the application unresponsive for normal users.
Affected products and mitigation
Users of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:
|Vaadin 14.0.6 - 14.4.3||Upgrade to 14.4.4 or newer 14 version|
|Vaadin 15 - 16||No longer supported. Upgrade to 17.0.11 or newer version|
|Vaadin 17.0.0 - 17.0.10||Upgrade to 17.0.11 or newer 17 version|
Please note that Vaadin versions 15-16 are no longer supported and you should update either to the latest 17 version.
|Maven coordinates||Vulnerable version||Fixed version|
|com.vaadin:vaadin-text-field-flow||2.0.4 - 2.3.2||≥ 2.3.3|
|com.vaadin:vaadin-text-field-flow||3.0.0 - 4.0.2||≥ 4.0.3|
2021-03-11: Initial vulnerability report published