strapi-provider-mailersend is vulnerable to Inefficient Regular Expression Complexity
30
Low Risk
Affected versions of this package are vulnerable to polynomial regular expression denial of service (ReDoS) in the email parsing regex /^(.*?)(?:s*<([^>]+)>)?$/. This regex, designed to extract email addresses from strings, uses non-greedy quantifiers and optional groups that can cause inefficient backtracking on certain inputs. An attacker can exploit this with a long input string that lacks the email part, such as a sequence of repeated characters, which triggers polynomial-time backtracking in the regex engine, leading to high CPU consumption and potential denial of service.
You are affected if you are using a version that falls within the vulnerable range.
strapi-provider-mailersend is vulnerable to Inefficient Regular Expression Complexity in versions 1.0.0 - 1.0.0.
Upgrade the strapi-provider-mailersend library to the patched version.
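Where address strings from untrusted input must be parsed before an upgrade is in place, the same "Name <address>" split can be done with bounded, linear-time string operations instead of a backtracking regex. This is an added example, not code from strapi-provider-mailersend; parseAddress, MAX_ADDRESS_INPUT and the 512-character cap are assumptions chosen for illustration.

```javascript
// Added example: linear-time parsing of "Display Name <address>" strings.
// parseAddress and MAX_ADDRESS_INPUT are hypothetical names, not the package's API.
const MAX_ADDRESS_INPUT = 512; // assumed cap; set it to what your application accepts

function parseAddress(input) {
  if (typeof input !== 'string') {
    throw new TypeError('address must be a string');
  }
  // Bound the work before any scanning happens.
  if (input.length > MAX_ADDRESS_INPUT) {
    throw new RangeError('address input too long');
  }
  const text = input.trim();
  // Angle-bracket form: the string ends with '>' and has an earlier '<'.
  if (text.endsWith('>')) {
    const open = text.lastIndexOf('<');
    const inner = open === -1 ? '' : text.slice(open + 1, -1);
    // Require a non-empty bracketed part with no stray '>' inside it.
    if (inner.length > 0 && !inner.includes('>')) {
      return { name: text.slice(0, open).trim(), email: inner.trim() };
    }
  }
  // No usable bracketed part: treat the whole string as the address.
  // Callers should still reject an empty or malformed address afterwards.
  return { name: '', email: text };
}

// Constructed sample inputs, including a long run with no address part.
const samples = [
  'Jane Doe <jane@example.com>',
  'jane@example.com',
  ' '.repeat(400),
];
for (const s of samples) {
  console.log(JSON.stringify(parseAddress(s)));
}
```

Each call makes a fixed number of passes over at most MAX_ADDRESS_INPUT characters, so CPU cost grows linearly with input length and is capped.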