A security vulnerability with the identifier CVE-2018-25079 was discovered in the Segmentio "is-url" package up to version 1.2.2. This vulnerability is categorized as problematic and primarily affects the file "index.js," which is responsible for some core functions of the library. Specifically, this issue arises due to the inefficient regular expression complexity in the code, which can be exploited by remote attackers.
Segmentio's "is-url" library is widely used to validate URL strings in various applications. By making use of the vulnerability, malicious attackers can launch remote attacks that could potentially lead to a denial of service or other unwanted behaviors.
To better understand the issue, let's take a look at the code snippet from the affected "index.js" file:
// file: index.js
import URLTester from 'url-tester';
const tester = URLTester.create([
'^(https?|ftp)://[^\\s/$.?#]*\\.[^\\s]*?$'
]);
export default function(url) {
return tester.test(url);
}
An inefficient regular expression can be seen in this code snippet: '^(https?|ftp)://[^\\s/$.?#]*\\.[^\\s]*?$'. This regex pattern used for URL validation may lead to high CPU usage when processing inputs containing multiple nested instances of the pattern, which in turn could cause a denial of service.
To address this issue, Segmentio released version 1.2.3 of the "is-url" library that includes a patch with the commit 149550935c63a98c11f27f694a7c4a9479e53794. It is highly recommended to upgrade the affected component to this new version.
The change made to the code can be viewed at the following link
GitHub commit for patch 149550935c63a98c11f27f694a7c4a9479e53794
For more information about the original reference on this vulnerability, please visit the following link:
VDB-220058 - Inefficient Regular Expression Complexity Vulnerability in Segmentio is-url up to 1.2.2
In conclusion, if you are using the Segmentio "is-url" library up to version 1.2.2 in your application, it is essential to upgrade to version 1.2.3 as soon as possible to mitigate this vulnerability. Doing so will help to secure your application and prevent potential attacks.
Timeline
Published on: 02/04/2023 04:15:00 UTC
Last modified on: 02/14/2023 01:47:00 UTC