is_js vulnerable to Regular Expression Denial of Service

Severity:: High

Description

is.js is a general-purpose check library. Versions 0.9.0 and prior contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS). is.js uses a regex copy-pasted from a gist to validate URLs. Trying to validate a malicious string can cause the regex to loop “forever.

Recommendation

No fix is available yet. Followings are affected versions:

<= 0.9.0

References

GHSA-pvrw-g6fx-mcx2
CVE-2020-26302
CWE-1333
CWE-400
CAPEC-310
OWASP 2021-A6

Related Issues

ua-parser-js Regular Expression Denial of Service vulnerability - CVE-2020-7793
Showdown vulnerable to Regular Expression Denial of Service (ReDoS) in link/anchor parsing - CVE-2024-1899
angular vulnerable to regular expression denial of service (ReDoS) - CVE-2022-25844
steal vulnerable to Regular Expression Denial of Service via source and sourceWithComments - CVE-2022-37262

How to Secure your NodeJs Express Javascript Application - part 1

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:: npm; is_js

Anything's wrong? Let us know Last updated on July 06, 2023