Skip to main content

Inefficient Regular Expression Complexity

CVE-2020-26302

Severity High
Score 7.5/10

Summary

The package is.js is a general-purpose check library. It contains one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS). The "is.js" uses a regex copy-pasted from gist to validate URLs. Trying to validate a malicious string can cause the regex to loop "forever". This vulnerability was found using a CodeQL query which identifies inefficient regular expressions. is_js has no patch for this issue.

  • LOW
  • NETWORK
  • NONE
  • UNCHANGED
  • NONE
  • NONE
  • NONE
  • HIGH

CWE-1333 - Inefficient Regular Expression Complexity

The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.

Advisory Timeline

  • Published