0.9.1
CVE-2020-26302 describes a Denial of Service (DoS) vulnerability found in is.js, a general-purpose check library. This vulnerability stems from inefficient regular expressions used to validate URLs, which can be exploited by malicious strings to trigger Regular Expression Denial of Service (ReDoS) attacks. Versions 0.9.0 and earlier are affected, and a patch is available in version 0.9.1.
An attacker can exploit this vulnerability by crafting a malicious URL string and submitting it for validation by is.js. The vulnerable regular expression then backtracks catastrophically, effectively entering an infinite loop that consumes excessive CPU resources and can crash the application or server. The impact is a denial of service, preventing legitimate users from accessing the application. The blast radius depends on how the application uses is.js and on the resources available on the affected server. This vulnerability highlights the importance of carefully reviewing and optimizing regular expressions to prevent ReDoS attacks, a known class of security vulnerability.
This vulnerability was discovered using a CodeQL query designed to identify inefficient regular expressions. While no active exploitation campaigns have been publicly reported, ReDoS vulnerabilities are often targeted by automated scanners. The CVE was published on December 23, 2022. The EPSS score is likely low to medium, given the lack of public exploits and the relatively specific nature of the vulnerability. It is not currently listed on the CISA KEV catalog.
EPSS: 0.27% (51st percentile)
The primary mitigation for CVE-2020-26302 is to upgrade to version 0.9.1 or later, which includes a fix for the vulnerable regular expression. If upgrading is not immediately feasible, implement input sanitization to prevent malicious URL strings from reaching the vulnerable code. This can involve whitelisting allowed characters or using more efficient regular expressions for URL validation. Consider using a Web Application Firewall (WAF) to filter out potentially malicious requests. After upgrading, confirm the fix by attempting to validate a known malicious URL string and verifying that it no longer triggers a ReDoS attack.
This package contains a ReDoS vulnerability. No patched version exists. It is recommended to evaluate alternatives to the is.js library or implement additional validations for URLs before using the vulnerable function.
CVE-2020-26302 is a Denial of Service vulnerability in is.js versions 0.9.0 and earlier, where malicious URLs can trigger a ReDoS attack, causing excessive CPU usage.
You are affected if you are using is.js version 0.9.0 or earlier. Upgrade to 0.9.1 or later to mitigate the risk.
Upgrade to version 0.9.1 or later. If upgrading is not possible, implement input sanitization to validate URLs before processing.
No active exploitation campaigns have been publicly reported, but ReDoS vulnerabilities are often targeted by automated scanners.
Refer to the CVE entry on the NVD website: https://nvd.nist.gov/vuln/detail/CVE-2020-26302