
Cloud Vulnerability DB
A community-led vulnerabilities database
A Regular Expression Denial of Service (ReDoS) vulnerability was identified in generator-jhipster, affecting versions >6.8.0 and <6.9.0. It was disclosed on May 17, 2020 and affects generated applications that use JWT or session-based authentication (not OIDC). The vulnerable expression was never part of an official release: only applications generated from the master branch between the 6.8.0 and 6.9.0 releases contain it (GitHub Advisory).
The flaw is in login validation. The LOGIN_REGEX constant in Constants.java used the pattern ^[a-zA-Z0-9!#$&'*+=?^_`{|}~.-]+@?[a-zA-Z0-9-]+(?:\.[a-zA-Z0-9-]+)*$. The leading character class overlaps almost entirely with the tail [a-zA-Z0-9-]+(?:\.[a-zA-Z0-9-]+)*, and the @ that should separate the two parts is optional, so on a login that cannot match (for example a long run of permitted characters followed by one character the pattern does not allow) the engine retries the tail from every possible split point before reporting failure. The work grows super-linearly (quadratically) with the length of the submitted login string (GitHub Advisory).
When exploited, a single crafted login string ties up a request thread for a time chosen by the attacker, and a modest number of such requests exhausts CPU and denies service to legitimate users. A length constraint on the same field is not a complete defence on its own: Bean Validation evaluates every constraint declared on a property unless fail-fast mode is enabled, so an @Pattern check still runs against an oversized value (GitHub Advisory).
For applications generated from the master branch, LOGIN_REGEX in Constants.java must be replaced with ^(?>[a-zA-Z0-9!$&*+=?^_`{|}~.-]+@[a-zA-Z0-9-]+(?:\.[a-zA-Z0-9-]+)*)|(?>[_.@A-Za-z0-9-]+)$. Both alternatives are atomic groups ((?>...)), so once either has matched the engine cannot backtrack into it, and the @ in the e-mail style alternative is now mandatory, which removes the overlap that caused the retries. Note that | binds more loosely than the anchors, so ^ applies only to the first alternative and $ only to the second; this is harmless because Bean Validation's @Pattern uses Matcher.matches(), which requires the whole value to match regardless of anchors. Applications whose Constants.java still contains the release pattern ^[_.@A-Za-z0-9-]+$ need no change unless support for the + sign in logins is required (GitHub Advisory).
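The following is an added example, not code from the advisory or from the generator-jhipster project. It compiles the vulnerable and the patched LOGIN_REGEX as java.util.regex patterns, times both against a constructed non-matching login of the kind described above, and then checks that the patched expression still accepts the logins the generator allows (including a + sign in an e-mail style login) while rejecting invalid ones. The class name, method names, the timing harness and the sample inputs are assumptions made for illustration; Java 11 or later is assumed for String.repeat.

```java
import java.util.regex.Pattern;

/**
 * Added example (not generator-jhipster code): vulnerable vs. patched LOGIN_REGEX.
 * The class and method names, the timing harness and the sample logins below are
 * illustrative assumptions; only the three regular expressions come from the advisory.
 */
public class LoginRegexRedosDemo {

    // Vulnerable expression (master branch between 6.8.0 and 6.9.0).
    static final String VULNERABLE_LOGIN_REGEX =
        "^[a-zA-Z0-9!#$&'*+=?^_`{|}~.-]+@?[a-zA-Z0-9-]+(?:\\.[a-zA-Z0-9-]+)*$";

    // Patched expression: each alternative is an atomic group (?>...), so the engine
    // cannot backtrack into it once matched, and '@' is mandatory in the first one.
    static final String PATCHED_LOGIN_REGEX =
        "^(?>[a-zA-Z0-9!$&*+=?^_`{|}~.-]+@[a-zA-Z0-9-]+(?:\\.[a-zA-Z0-9-]+)*)|(?>[_.@A-Za-z0-9-]+)$";

    // Pattern shipped in releases; it never had the problem and does not allow '+'.
    static final String RELEASE_LOGIN_REGEX = "^[_.@A-Za-z0-9-]+$";

    static final Pattern VULNERABLE = Pattern.compile(VULNERABLE_LOGIN_REGEX);
    static final Pattern PATCHED = Pattern.compile(PATCHED_LOGIN_REGEX);
    static final Pattern RELEASE = Pattern.compile(RELEASE_LOGIN_REGEX);

    /** Full-match check, the same semantics Bean Validation's @Pattern applies (Matcher.matches()). */
    static boolean isValidLogin(Pattern pattern, String login) {
        return pattern.matcher(login).matches();
    }

    /** Wall-clock milliseconds spent validating one login against one pattern. */
    static long millisToValidate(Pattern pattern, String login) {
        long start = System.nanoTime();
        isValidLogin(pattern, login);
        return (System.nanoTime() - start) / 1_000_000L;
    }

    public static void main(String[] args) {
        // Constructed hostile input: a long run of characters every alternative accepts,
        // terminated by '/' which none of them accepts, so the match can only fail.
        // Cost of the vulnerable pattern grows quadratically with this length.
        String hostile = "a".repeat(20_000) + "/";

        System.out.printf("vulnerable pattern: %d ms%n", millisToValidate(VULNERABLE, hostile));
        System.out.printf("patched pattern:    %d ms%n", millisToValidate(PATCHED, hostile));

        // Functional check: the patched pattern keeps the logins the generator allows and
        // adds '+' in the local part of an e-mail style login; the release pattern rejects '+'.
        String[] samples = {"admin", "john.doe", "user+tag@example.com", "a@b", "bad/login", "user+tag"};
        System.out.printf("%-22s %-8s %-8s%n", "login", "patched", "release");
        for (String login : samples) {
            System.out.printf("%-22s %-8b %-8b%n",
                login, isValidLogin(PATCHED, login), isValidLogin(RELEASE, login));
        }
    }
}
```

Run it with the vulnerable pattern and the elapsed time is visibly large, while the patched pattern fails the same input in a few milliseconds: inside each atomic group the character class still gives back characters looking for '@' or the end of input, but that is linear work, and once a group has matched nothing can re-enter it. Note that "user+tag" without an '@' is rejected by the patched pattern too; the '+' is only permitted in the e-mail style alternative.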
Source: This report was generated using AI