GHSA-jfmf-w293-8xr8: 
Java vulnerability analysis and mitigation

A Regular expression Denial of Service (ReDoS) vulnerability was discovered in the EmailValidator class within the V7 compatibility module of Vaadin 8 (CVE-2021-31409). The vulnerability affects com.vaadin:vaadin-compatibility-server versions 8.0.0 through 8.12.4. The issue was discovered by Stefan Penndorf and was published on April 30, 2021. The vulnerability received a High severity rating with a CVSS score of 7.5 (Vaadin Security, GitHub Advisory).

The vulnerability stems from an unsafe validation RegEx pattern in the EmailValidator component (com.vaadin.v7.data.validator.EmailValidator) that is susceptible to exponential backtracking. The vulnerability has been assigned CVSS v3.1 base metrics indicating Network attack vector, Low attack complexity, No privileges required, No user interaction needed, Unchanged scope, and High availability impact (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). The issue is classified under CWE-400: Uncontrolled Resource Consumption (Vaadin Security).

When exploited, this vulnerability can lead to uncontrolled resource consumption on the server side. The UI thread of the server can spend an indefinite amount of time matching malicious email addresses to the validation pattern. Repeated attacks can cause thread pool or resource exhaustion, ultimately making the application unresponsive to normal users (Vaadin Security).

The vulnerability has been patched in Vaadin version 8.13.0. Users of affected versions (8.0.0 - 8.12.4) are strongly advised to upgrade to version 8.13.0 or newer 8 versions (Vaadin Security).