CVE-2020-26302
Regular Expression Denial of Service (ReDoS) vulnerability in is_js (npm)

Vulnerability type: Regular Expression Denial of Service (ReDoS). Exploit status: No known exploit.

What is CVE-2020-26302 About?

This Regular Expression Denial of Service (ReDoS) vulnerability in `is.js` versions 0.9.0 and prior allows an attacker to cause the regex to loop indefinitely. The flaw is due to an inefficient regular expression used for URL validation. Exploiting this is relatively easy, requiring only a malicious string input.

Affected Software

is_js <=0.9.0

Technical Details

The is.js library, specifically versions 0.9.0 and prior, contains one or more regular expressions vulnerable to Regular Expression Denial of Service (ReDoS). This vulnerability arises from a regex pattern, reportedly copy-pasted from a gist, used for URL validation. The structure of this regex is inefficient, meaning that when it attempts to process a specially crafted, malicious input string, it can enter a state of catastrophic backtracking. This causes the regex engine to backtrack an excessive number of times, consuming significant CPU resources and making the process appear to loop indefinitely. As a result, any application using the vulnerable is.js version to validate user-supplied URLs will become unresponsive, leading to a Denial of Service.

What is the Impact of CVE-2020-26302?

Successful exploitation may allow attackers to consume excessive CPU resources, causing the application to become unresponsive and crash, leading to a Denial of Service (DoS).

What is the Exploitability of CVE-2020-26302?

Exploiting this ReDoS vulnerability is of low complexity. An attacker needs to provide a specifically crafted malicious string as input to a function that uses the vulnerable URL validation regex in is.js. No authentication or specific privileges are required, making it a remote attack if the vulnerable function processes external input, such as user-submitted data to a web application. The primary prerequisite is that the application uses a vulnerable version of is.js and validates user-controlled input with the problematic regex. The risk is elevated in publicly accessible applications that process arbitrary string inputs, as a single malicious request can significantly degrade or halt service availability.

What are the Known Public Exploits?

| PoC | Author | Link | Commentary |
| --- | --- | --- | --- |
| No known exploits | | | |

What are the Available Fixes for CVE-2020-26302?

Available Upgrade Options

  • No fixes available
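Since no fixed release is listed, an added example (not code from the is.js project) of the workaround a practitioner would apply to the URL validation described under Technical Details: cap the input length before any regex runs, and validate URLs with the WHATWG parser, which walks the input once instead of backtracking. It assumes Node.js 10 or later for the global `URL` class; the length cap and allowed-protocol list are assumed values to be tuned per application.

```javascript
// Added example (not from the is.js project): a linear-time URL check that
// can stand in for a regex-based validator while no fixed release exists.
// Assumes Node.js >= 10, where the global WHATWG URL parser is available.

// Assumed cap on accepted input length; tune it to the application. Bounding
// the length is the one guard that still works for a backtracking regex,
// since JavaScript offers no way to interrupt a running RegExp.
const MAX_URL_LENGTH = 2048;

// Wrap any validator (for example a library's regex-based URL check) so that
// oversized or non-string input is rejected before the regex ever runs.
function withLengthGuard(validator, maxLength = MAX_URL_LENGTH) {
  return (input) => {
    if (typeof input !== 'string' || input.length > maxLength) return false;
    return validator(input);
  };
}

// Regex-free parsing: the WHATWG parser scans the input once, so a crafted
// string can only cost time proportional to its length.
function parseUrl(input) {
  try {
    return new URL(input);
  } catch (err) {
    return null; // TypeError: Invalid URL
  }
}

// Accept only absolute URLs with an explicit host and an allowed scheme;
// "javascript:" and "mailto:" parse successfully but carry no host.
function isAllowedUrl(input, allowedProtocols = ['http:', 'https:']) {
  const parsed = parseUrl(input);
  if (parsed === null) return false;
  return allowedProtocols.includes(parsed.protocol) && parsed.hostname !== '';
}

// The guarded validator an application would call instead of the vulnerable one.
const isUrl = withLengthGuard(isAllowedUrl);
```

`withLengthGuard` can also wrap the library's own `is.url` as a stopgap, since it rejects oversized input before the inefficient regex is reached.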


Additional Resources

What are Similar Vulnerabilities to CVE-2020-26302?

Similar Vulnerabilities: GHSA-9vrw-m88g-w75q, GHSA-23vw-mhv5-grv5, CVE-2022-24839, CVE-2021-27402