CVE Vulnerability

CVE-2020-26302

is.js is a general-purpose check library. Versions 0.9.0 and prior contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS). is.js uses a regex copy-pasted from a gist to validate URLs. Trying to validate a malicious string can cause the regex to loop “forever." This vulnerability was found using a CodeQL query which identifies inefficient regular expressions. is.js has no patch for this issue.

7.5 /10

CVSS v3.0 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://securitylab.github.com/advisories/GHSL-2020-295-redos-is.js Exploit Third Party Advisory
https://github.com/arasatasaygin/is.js/issues/320 Issue Tracking Third Party Advisory
Configurations

Configuration 1

cpe:2.3:a:is.js_project:is.js:*:*:*:*:*:*:*:*
Information

Published : 2022-12-22 09:15

Updated : 2022-12-30 09:20

NVD link : CVE-2020-26302

Mitre link : CVE-2020-26302

Products Affected
No products.
CWE
CWE-1333

Inefficient Regular Expression Complexity