Details
Assignee: Unassigned
Reporter: onms security jira
Labels:
Priority: Trivial
PagerDuty:
Created July 24, 2023 at 1:34 PM
Updated July 24, 2023 at 1:34 PM
`npm-user-validate` before version `1.0.1` is vulnerable to a Regular Expression Denial of Service (ReDoS). The regex that validates user emails took exponentially longer to process long input strings beginning with `@` characters.
Impact
The issue affects the `email` function. If you use this function to process arbitrary user input with no character limit, the application may be susceptible to Denial of Service.
Patches
The issue is patched in version 1.0.1 by improving the regular expression used and also enforcing a 254 character limit.
Workarounds
Restrict the character length to a reasonable degree before passing a value to `.email()`; also consider doing more rigorous sanitizing/validation beforehand.
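The workaround above amounts to a length guard placed in front of the regex-based validator. The following is an added example written for this ticket, not code from `npm-user-validate` or from opennms-compass. The package itself is not bundled here; the validator is injected as a parameter so the example runs offline, and the stand-in validator is a constructed linear-time check that only mimics the package's convention (assumed: `email()` returns an `Error` for invalid input and nothing otherwise). The 254-character cap matches the limit the 1.0.1 patch enforces.

```javascript
// Added example (not the package's own code): reject oversized input before
// a regex-based email validator ever sees it, the workaround the advisory
// recommends for versions <= 1.0.0.
const MAX_EMAIL_LENGTH = 254; // same cap the 1.0.1 patch enforces

function guardedEmail(input, validator, maxLength = MAX_EMAIL_LENGTH) {
  if (typeof input !== 'string') {
    return { ok: false, reason: 'not a string', validatorCalled: false };
  }
  if (input.length > maxLength) {
    // Short-circuit: the (potentially backtracking) regex is never reached.
    return {
      ok: false,
      reason: `longer than ${maxLength} characters`,
      validatorCalled: false,
    };
  }
  // Assumed npm-user-validate convention: an Error object on failure,
  // undefined on success.
  const err = validator(input);
  if (err) return { ok: false, reason: err.message, validatorCalled: true };
  return { ok: true, reason: null, validatorCalled: true };
}

// Constructed stand-in validator, NOT the package's regex: a linear-time
// check that requires exactly one '@' (not in first position) followed by a '.'.
function stubEmailValidator(em) {
  const at = em.indexOf('@');
  if (at < 1 || at !== em.lastIndexOf('@') || em.indexOf('.', at) === -1) {
    return new Error('Email must be an email address');
  }
  return undefined;
}

// Constructed sample inputs: a normal address and a long string made of
// '@' characters, the input shape the advisory describes as slow.
const samples = {
  normal: 'alice@example.org',
  hostile: '@'.repeat(50000),
};

// Runs every sample through the guard and returns the per-sample results.
function runDemo() {
  return Object.fromEntries(
    Object.entries(samples).map(([name, value]) => [
      name,
      guardedEmail(value, stubEmailValidator),
    ])
  );
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(runDemo());
}
```

In an application that calls the real package, `stubEmailValidator` would be replaced by the package's `email` export; the guard's behaviour is the same either way, and the `validatorCalled` flag makes it easy to assert in tests that oversized input never reaches the regex.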
Repository: OpenNMS/opennms-compass (https://github.com/OpenNMS/opennms-compass)
Dependabot: https://github.com/OpenNMS/opennms-compass/security/dependabot/32
CVE:
CVSS:
GHSA: GHSA-xgh6-85xh-479p
Severity: low
Ecosystem: npm
Package Name: npm-user-validate
Vulnerable Version Range: <= 1.0.0
First Patched Version: 1.0.1