All vulnerability reports

Regular expression Denial of Service (ReDoS) in EmailValidator class in V7 compatibility module in Vaadin 8

High (Base score 7.5) CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE entry:


Unsafe validation RegEx in EmailValidator component in com.vaadin:vaadin-compatibility-server versions 8.0.0 through 8.12.4 (Vaadin versions 8.0.0 through 8.12.4) allows attackers to cause uncontrolled resource consumption by submitting malicious email addresses.

See CWE-400: Uncontrolled Resource Consumption


Regular expression used on server side to validate input of email fields ( is subjected to exponential backtracking, which may result in unbound resource consumption and Denial of Service. To perform such an attack it is enough to enter a malicious email address into any email field and submit a value to the server for validation. UI thread of the server can spend an indefinite amount of time (depending on the input) matching this email address to a validation pattern. By repeating this action the attacker may cause thread pool or resource exhaustion, thus making the application unresponsive for normal users.

Affected products and mitigation

Users of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:

Product version Mitigation
Vaadin 8.0.0 - 8.12.4 Upgrade to 8.13.0 or newer 8 version


Maven coordinates Vulnerable version Fixed version
com.vaadin:vaadin-compatibility-server 8.0.0 - 8.12.4 ≥ 8.13.0


This issue was discovered and responsibly reported by Stefan Penndorf.



  • 2021-04-30: Initial vulnerability report published