CVE-2024-46242
Published: 07 January 2025
Description
An issue in the validate_email function in CTFd/utils/validators/__init__.py of CTFd 3.7.3 allows attackers to cause a Regular expression Denial of Service (ReDoS) by supplying a crafted string as an e-mail address during registration.
Security Summary
CVE-2024-46242 is a Regular expression Denial of Service (ReDoS) vulnerability in the validate_email function within CTFd/utils/validators/__init__.py of CTFd version 3.7.3. The flaw enables attackers to trigger excessive resource consumption by supplying a crafted string as an email address during user registration. It carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and maps to CWE-1333 (Inefficient Regular Expression Complexity).
Unauthenticated attackers with network access can exploit this vulnerability remotely and with low complexity, requiring no user interaction. By submitting a crafted email string to the registration endpoint, they induce catastrophic backtracking in the regular expression, resulting in high CPU usage and a potential denial of service that disrupts availability.
Further details are available from the referenced CTFd website at http://ctfd.com and a GitHub gist at https://gist.github.com/salvatore-abello/4f01f3fa54672febc0a492a11a26592c, which may describe patches or workarounds for mitigation.
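The generic mitigation for CWE-1333 is to bound the input before it reaches the regex and to use a pattern with no nested or overlapping quantifiers, so matching cost stays linear in the input length. The following is an added example written for this page; it is not CTFd's code, and the pattern, the 254-character limit, the `validate_email` and `validation_time` function names and the sample addresses are all assumptions chosen for illustration.

```python
import re
import time

# Practical upper bound on an SMTP address length (RFC 5321); chosen as an
# assumption for this example, not a value taken from CTFd.
MAX_EMAIL_LEN = 254

# Local-part character class deliberately excludes "." and "@", and every
# repeated group starts with a literal delimiter, so the engine has exactly
# one way to split any input: no nested quantifiers, no catastrophic backtracking.
_LOCAL = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+"
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_EMAIL_RE = re.compile(
    _LOCAL + r"(?:\." + _LOCAL + r")*"     # dot-separated local part
    + r"@"
    + _LABEL + r"(?:\." + _LABEL + r")+"   # at least two DNS labels
)


def validate_email(addr: str) -> bool:
    """Return True only for a syntactically plausible address.

    The length check runs before the regex, so even a pathological pattern
    could only ever be applied to a short string.
    """
    if not isinstance(addr, str) or len(addr) > MAX_EMAIL_LEN:
        return False
    return _EMAIL_RE.fullmatch(addr) is not None


def validation_time(addr: str) -> float:
    """Seconds spent validating `addr`; used as a regression check that the
    cost stays flat regardless of input shape."""
    start = time.perf_counter()
    validate_email(addr)
    return time.perf_counter() - start


if __name__ == "__main__":
    # Constructed test inputs: a normal address, an over-long one that the
    # length cap rejects before the regex runs, and a maximum-length near-miss
    # (trailing "!") that forces a full failed match.
    samples = [
        "player@example.org",
        "a" * 5000 + "@example.org",
        "a." * 120 + "a@example.org!",
    ]
    for s in samples:
        print(f"{len(s):5d} chars  valid={validate_email(s)!s:5}  "
              f"{validation_time(s) * 1e6:8.1f} us")
```

Keeping the size check ahead of the regex is the part that matters operationally: it turns any future regex mistake into a bounded cost rather than an availability incident, and it is cheap to enforce at the web framework or reverse proxy as well as in the validator itself.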
Details
- CWE(s)