### Impact
For applications using JWT or session-based authentication (not OIDC), users can input a login string which can cause a denial of service, as parsing it will be too complex.

Here is an example: https://gist.github.com/atomfrede/311f8a9c6eb74c5c5226af0481155207

The vulnerable expression was never officially released. So only when you generated an application from the master branch between 6.8.0 and 6.9.0 your generated application may be vulnerable.

### Patches

If you only used official releases you don’t need to patch your application.

### Workarounds

If you have created an application from the master branch, you need to adapt the `LOGIN_REGEX` in `Constants.java`. If your regex is
“`
^[a-zA-Z0-9!#$&’*+=?^_`{|}~.-]+@?[a-zA-Z0-9-]+(?:\.[a-zA-Z0-9-]+)*$
“`
you need to change it too
“`
^(?>[a-zA-Z0-9!$&*+=?^_`{|}~.-]+@[a-zA-Z0-9-]+(?:\.[a-zA-Z0-9-]+)*)|(?>[_.@A-Za-z0-9-]+)$
“`

If you still have `^[_.@A-Za-z0-9-]*$` there is no need to change it, except you would like to support login with `+` sign (e.g. `[email protected]`).

### References

* https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS
* https://snyk.io/blog/redos-and-catastrophic-backtracking/Read More