CVE-2020-7661
Regular Expression Denial of Service vulnerability in url-regex
What is CVE-2020-7661 About?
All versions of the 'url-regex' package are susceptible to Regular Expression Denial of Service (ReDoS). An attacker can trigger a denial of service by providing a very long string as input to the 'String.test' function. Given the nature of ReDoS attacks, the vulnerability is relatively easy to exploit.
Affected Software
Technical Details
The 'url-regex' package uses regular expressions that are vulnerable to catastrophic backtracking when processing specific long input strings. When an attacker supplies a crafted, excessively long string to the 'String.test' method, the regex engine enters an inefficient computation path due to the structure of the regex, leading to exponential or super-linear time complexity. This excessive processing consumes all available CPU resources, causing the application to become unresponsive and effectively leading to a Denial of Service. The specific attack vector involves manipulating the input string to maximize the backtracking operations within the vulnerable regular expression.
What is the Impact of CVE-2020-7661?
Successful exploitation may allow attackers to degrade system performance or cause the application to become unresponsive, leading to denial of service for legitimate users.
What is the Exploitability of CVE-2020-7661?
Exploitation of this ReDoS vulnerability is generally straightforward, requiring the attacker to send a specially crafted, long input string to the application's 'String.test' function. There are no complex prerequisites beyond identifying the vulnerable input point. Authentication is typically not required as the input can often be supplied unauthenticated. Privilege requirements are also minimal, often requiring only standard user input. This is typically a remote exploit if the 'String.test' function processes user-supplied data accessible over a network. The primary risk factor increasing exploitation likelihood is the direct exposure of the vulnerable regex-processing function to untrusted input.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| spamscanner | Link | Regular expression matching for URLs. Maintained, safe, and browser-friendly version of url-regex. Resolves CVE-2020-7661 for Node.js servers. |
What are the Available Fixes for CVE-2020-7661?
Available Upgrade Options
- No fixes available
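With no fixed release listed, an application that still has to match URLs in untrusted text can bound the regex work itself. The following is an added example, not code from url-regex or from this advisory: a Node.js wrapper (the hypothetical `guardedTest`) that rejects over-long input and interrupts a runaway match. The limits and the slow stand-in pattern are assumptions constructed for illustration.

```javascript
'use strict';
const vm = require('node:vm');

// Assumed limits (not from the advisory); tune them per application.
const DEFAULTS = { maxLength: 2048, timeoutMs: 50 };

// Constructed stand-in for a backtracking-prone pattern. It is NOT the
// url-regex expression; it only exercises the timeout path offline.
const SLOW_STANDIN = /^(a+)+$/;

/**
 * Test `input` against `regex` with two bounds:
 *   1. a length cap applied before the regex engine sees the string;
 *   2. a wall-clock deadline enforced by running the match inside a vm
 *      context, whose `timeout` option aborts the script at the deadline.
 * Returns { ok: true, matched } or { ok: false, reason }.
 */
function guardedTest(regex, input, opts = {}) {
  const { maxLength, timeoutMs } = { ...DEFAULTS, ...opts };
  if (typeof input !== 'string') return { ok: false, reason: 'not-a-string' };
  if (input.length > maxLength) return { ok: false, reason: 'too-long' };

  // Copy the pattern without g/y flags so .test() carries no lastIndex
  // state from one call to the next.
  const re = new RegExp(regex.source, regex.flags.replace(/[gy]/g, ''));
  try {
    const matched = vm.runInNewContext(
      're.test(s)',
      { re, s: input },
      { timeout: timeoutMs }
    );
    return { ok: true, matched };
  } catch (err) {
    if (err && err.code === 'ERR_SCRIPT_EXECUTION_TIMEOUT') {
      return { ok: false, reason: 'timeout' };
    }
    throw err;
  }
}

// Constructed sample inputs.
const benign = guardedTest(/^https?:\/\/\S+$/i, 'https://example.com/path');
const oversized = guardedTest(/^https?:\/\/\S+$/i, 'h'.repeat(5000));
const runaway = guardedTest(SLOW_STANDIN, 'a'.repeat(40) + '!', { maxLength: 100 });
console.log(benign, oversized, runaway);
```

The length cap is the primary control, since it is applied before any matching starts. The timeout only bounds the worst case, and the calling thread is still blocked for up to `timeoutMs` on each call.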
Additional Resources
- https://github.com/kevva/url-regex/issues/70
- https://snyk.io/vuln/SNYK-JS-URLREGEX-569472
- https://github.com/kevva/url-regex
- https://nvd.nist.gov/vuln/detail/CVE-2020-7661
- https://osv.dev/vulnerability/GHSA-v4rh-8p82-6h5w
What are Similar Vulnerabilities to CVE-2020-7661?
Similar Vulnerabilities: CVE-2020-26308, CVE-2020-28500, CVE-2019-10756, CVE-2018-16460, CVE-2017-16016
