CVE-2024-46242
Published: 07 January 2025
Summary
CVE-2024-46242 is a high-severity Inefficient Regular Expression Complexity (CWE-1333) vulnerability in CTFd (inferred from references). Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). It is ranked at the 23.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2024-46242 is a Regular expression Denial of Service (ReDoS) vulnerability in the validate_email function within CTFd/utils/validators/__init__.py of CTFd version 3.7.3. The flaw enables attackers to trigger excessive resource consumption by supplying a crafted string as an email address during user registration. It carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and maps to CWE-1333 (Inefficient Regular Expression Complexity).
Unauthenticated attackers with network access can exploit this vulnerability remotely, with low attack complexity and no user interaction. Submitting a crafted email string to the registration endpoint induces catastrophic backtracking in the regular expression; the resulting CPU consumption can exhaust the server and deny service to legitimate users.
Advisories and further details are available via the references, including the CTFd website at http://ctfd.com and a GitHub gist at https://gist.github.com/salvatore-abello/4f01f3fa54672febc0a492a11a26592c, which may outline patches or workarounds.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-42190
Vulnerability details
An issue in the validate_email function in CTFd/utils/validators/__init__.py of CTFd 3.7.3 allows attackers to cause a Regular expression Denial of Service (ReDoS) via supplying a crafted string as e-mail address during registration.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A ReDoS flaw in a public-facing email validator lets a single unauthenticated request drive CPU exhaustion through crafted input, which is the endpoint denial of service that T1499.004 (Application or System Exploitation) describes.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
SI-10 requires validating information inputs like email addresses at entry points, directly preventing ReDoS exploitation via crafted strings in the validate_email function.
SC-5 implements denial-of-service protections that limit the effects of resource exhaustion attacks such as the ReDoS-induced high CPU usage during registration.
SI-2 mandates timely flaw remediation, directly addressing the inefficient regex vulnerability in CTFd's validate_email function to prevent DoS.
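As an added example that is not CTFd's own code, the block below contrasts a constructed ReDoS-prone email pattern (not the regex from CTFd 3.7.3) with a validator hardened along the lines of the SI-10 and SC-5 controls above and the backtracking behaviour described in the deeper analysis: a length cap applied before any regex runs, and a pattern without nested or overlapping quantifiers so a failed match backtracks linearly. The names RISKY_EMAIL_RE, SAFE_EMAIL_RE, MAX_EMAIL_LENGTH and crafted_input are assumptions of this example.

```python
"""Hardened e-mail validation for a registration endpoint (added example).

Not CTFd's code. RISKY_EMAIL_RE is a constructed illustration of the CWE-1333
pattern class, not the regex from CTFd 3.7.3. validate_email() applies SI-10
(validate the input, including its size, at the entry point) and SC-5 (bound
the work one request can force, via a pattern with linear backtracking).
"""
import re
import time

# Constructed ReDoS-prone pattern. ([^@\s]+)+ is a nested quantifier: on input
# that never contains '@', the engine tries every way of splitting the prefix
# into group repetitions before failing, so work grows exponentially with length.
RISKY_EMAIL_RE = re.compile(r"^([^@\s]+)+@[^@\s]+\.[^@\s]+$")

# Hardened pattern. No nested quantifiers, and each quantified class excludes
# the literal that follows it ('@' after the local part, '.' between domain
# labels), so each character can be consumed in only one way and a failed
# match backtracks at most once per character.
SAFE_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s.]+(?:\.[^@\s.]+)+$")

# RFC 5321 caps a forward path at 254 octets; rejecting longer input before
# any regex runs also caps the work a single registration request can cost.
MAX_EMAIL_LENGTH = 254


def validate_email(email: str) -> bool:
    """Return True only for a syntactically plausible, size-bounded address."""
    if not isinstance(email, str) or len(email) > MAX_EMAIL_LENGTH:
        return False
    return SAFE_EMAIL_RE.match(email) is not None


def crafted_input(length: int) -> str:
    """Constructed non-matching input: letters only, so no '@' is ever found."""
    return "a" * length


def match_time(pattern: re.Pattern, text: str) -> float:
    """Seconds one match attempt takes; shown for illustration, not asserted."""
    start = time.perf_counter()
    pattern.match(text)
    return time.perf_counter() - start


if __name__ == "__main__":
    # Risky pattern: each extra character roughly doubles the time (lengths
    # kept small so the demo finishes). Safe pattern: flat even at the cap.
    for n in (16, 18, 20):
        print(f"risky n={n}: {match_time(RISKY_EMAIL_RE, crafted_input(n)):.3f}s")
    print(f"safe  n=254: {match_time(SAFE_EMAIL_RE, crafted_input(254)):.6f}s")
    print("validate_email(crafted_input(300)) ->", validate_email(crafted_input(300)))
```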