GHSA-crh4-294p-vcfq: 
Java vulnerability analysis and mitigation

A Regular expression Denial of Service (ReDoS) vulnerability was discovered in the EmailField component of Vaadin's flow-components. The vulnerability affects com.vaadin:vaadin-text-field-flow versions 2.0.4 through 2.3.2 (Vaadin 14.0.6 through 14.4.3), and 3.0.0 through 4.0.2 (Vaadin 15.0.0 through 17.0.10). The vulnerability was published on April 16, 2021, and is tracked as CVE-2021-31405 with a high severity CVSS score of 7.5 (GitHub Advisory, Vaadin Security).

The vulnerability stems from an unsafe validation RegEx in the EmailField component that is susceptible to exponential backtracking. The issue is classified as CWE-400: Uncontrolled Resource Consumption. The vulnerability has a CVSS v3.1 base score of 7.5 with the following metrics: Attack Vector: Network, Attack Complexity: Low, Privileges Required: None, User Interaction: None, Scope: Unchanged, Confidentiality: None, Integrity: None, and Availability: High (Vaadin Security).

When exploited, this vulnerability can lead to uncontrolled resource consumption and denial of service. The UI thread of the server can spend an indefinite amount of time matching malicious email addresses to the validation pattern. Repeated attacks can cause thread pool or resource exhaustion, making the application unresponsive for normal users (Vaadin Security).

Users of affected versions should upgrade to patched versions: Vaadin 14.0.6 - 14.4.3 should upgrade to 14.4.4 or newer, Vaadin 17.0.0 - 17.0.10 should upgrade to 17.0.11 or newer. Users of Vaadin 15-16 should upgrade to version 17.0.11 or newer as these versions are no longer supported. The fixed versions for the affected packages are com.vaadin:vaadin-text-field-flow 2.3.3 and 4.0.3 (Vaadin Security).