Inefficient Regular Expression Complexity
CVE-2020-26302
Summary
The package is.js is a general-purpose check library. It contains one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS). The "is.js" uses a regex copy-pasted from gist to validate URLs. Trying to validate a malicious string can cause the regex to loop "forever". This vulnerability was found using a CodeQL query which identifies inefficient regular expressions. is_js has no patch for this issue.
- LOW
- NETWORK
- NONE
- UNCHANGED
- NONE
- NONE
- NONE
- HIGH
CWE-1333 - Inefficient Regular Expression Complexity
The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.
References
Advisory Timeline
- Published