is.js is a general-purpose check library. Versions 0.9.0 and prior contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS). is.js uses a regex copy-pasted from a gist to validate URLs. Trying to validate a malicious string can cause the regex to loop “forever." This vulnerability was found using a CodeQL query which identifies inefficient regular expressions. is.js has no patch for this issue.
References
| Link | Resource |
|---|---|
| https://github.com/arasatasaygin/is.js/issues/320 | Issue Tracking Third Party Advisory |
| https://securitylab.github.com/advisories/GHSL-2020-295-redos-is.js | Exploit Third Party Advisory |
| https://github.com/arasatasaygin/is.js/issues/320 | Issue Tracking Third Party Advisory |
| https://securitylab.github.com/advisories/GHSL-2020-295-redos-is.js | Exploit Third Party Advisory |
Configurations
History
21 Nov 2024, 05:19
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://github.com/arasatasaygin/is.js/issues/320 - Issue Tracking, Third Party Advisory | |
| References | () https://securitylab.github.com/advisories/GHSL-2020-295-redos-is.js - Exploit, Third Party Advisory |
07 Nov 2023, 03:20
| Type | Values Removed | Values Added |
|---|---|---|
| Summary | is.js is a general-purpose check library. Versions 0.9.0 and prior contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS). is.js uses a regex copy-pasted from a gist to validate URLs. Trying to validate a malicious string can cause the regex to loop “forever." This vulnerability was found using a CodeQL query which identifies inefficient regular expressions. is.js has no patch for this issue. |
Information
Published : 2022-12-22 21:15
Updated : 2024-11-21 05:19
NVD link : CVE-2020-26302
Mitre link : CVE-2020-26302
CVE.ORG link : CVE-2020-26302
JSON object : View
Products Affected
is.js_project
- is.js