ReDoS in is-it-check in evdama/is-it-check


Reported on

Mar 19th 2022

✍️ Description

It allows causing a denial of service when checking crafted invalid emails.

🕵️‍♂️ Proof of Concept

// PoC.js
var isItCheck = require("is-it-check")'_@A.'+ '0.0.'.repeat(40)+'~A')

We are processing your report and will contact the evdama/is-it-check team within 24 hours. 2 months ago
We have contacted a member of the evdama/is-it-check team and are waiting to hear back 2 months ago
2 months ago


Same as for the is.url() check... Two possible solutions, a) add a str.length() check or b) modify existing regex with a length check. Would you mind sending a PR to ?

2 months ago


I opted for b

Markus validated this vulnerability 2 months ago
Yeting Li has been awarded the disclosure bounty
The fix bounty is now up for grabs
Markus confirmed that a fix has been merged on 74b014 2 months ago
Markus has been awarded the fix bounty
to join this conversation