Segmentio is-url index.js redos
Description
A Regular Expression Denial of Service (ReDoS) vulnerability in Segmentio is-url up to v1.2.2 allows remote attackers to cause denial of service via crafted input.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability Analysis
The vulnerability identified as CVE-2018-25079 affects the segmentio/is-url npm package up to version 1.2.2. The issue resides in the regular expression used within the index.js file to validate URLs. An attacker can exploit an inefficient regular expression that is susceptible to catastrophic backtracking, leading to a Regular Expression Denial of Service (ReDoS) attack [1][2].
Exploitation
The attack can be launched remotely by supplying a specially crafted string to any application that uses the vulnerable is-url function. The developer's fix and test demonstrate that an input such as 'a://localhost' followed by many repeated characters (e.g., 100,000 '9's) forces the regex engine into excessive backtracking, effectively hanging the Node.js server [2][4]. No authentication is required, since the attack targets the library's validation logic wherever it is applied to network-supplied input.
Impact
Successful exploitation results in denial of service. An attacker can consume significant server CPU resources, potentially leading to application unresponsiveness or full server crash, depending on the deployment. The vulnerability is rated as problematic with a potential for high availability impact [1].
Mitigation
The vulnerability was patched in version 1.2.3, released in March 2018, which splits the vulnerable single regex into three safer regexes and adds specific test cases to prevent regression [2][3]. Users of the package are strongly recommended to upgrade to version 1.2.3 or later [1]. The patch commit is 149550935c63a98c11f27f694a7c4a9479e53794 [4].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
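As an added example (not code from the is-url project or this advisory), the pre-fix matcher from index.js is placed beside the three patterns from the 1.2.3 fix commit, with a small scaling check on the input shape used in the fix's regression test. The digit counts are kept far below the test's 100,000 so the vulnerable pattern still finishes, and `isUrlFixed` coerces its argument to a string, which the committed code does not.

```javascript
// Added example, not code from the is-url project. The pre-fix matcher and the
// three post-fix patterns are copied from the fix commit; the helpers around
// them are new.
const vulnerableRE = /^(?:\w+:)?\/\/([^\s\.]+\.\S{2}|localhost[\:?\d]*)\S*$/;

const protocolAndDomainRE = /^(?:\w+:)?\/\/(\S+)$/;
const localhostDomainRE = /^localhost[\:?\d]*(?:[^\:?\d]\S*)?$/;
const nonLocalhostDomainRE = /^[^\s\.]+\.\S{2,}$/;

// is-url <= 1.2.2 behaviour: one regex handles protocol, host and path at once.
function isUrlVulnerable(s) {
  return vulnerableRE.test(s);
}

// is-url 1.2.3 behaviour: a linear outer match, then one of two host patterns
// whose character classes are disjoint. String() coercion is this example's
// addition (the committed code throws on undefined).
function isUrlFixed(s) {
  const m = String(s).match(protocolAndDomainRE);
  if (!m) return false;
  const rest = m[1];
  return localhostDomainRE.test(rest) || nonLocalhostDomainRE.test(rest);
}

// Same shape as the regression test in the fix: 'a://localhost', n digits, a
// trailing tab. The tab makes the final '$' fail, so the old pattern retries
// every split between '[\:?\d]*' and '\S*' (about n^2/2 attempts) before
// giving up; the new patterns reject it in a single pass.
function attackString(n) {
  return 'a://localhost' + '9'.repeat(n) + '\t';
}

// Time a matcher on growing inputs. Returns [{ n, result, ms }] so a test can
// check the results and a reader can compare how ms grows with n.
function scaling(fn, sizes) {
  return sizes.map((n) => {
    const input = attackString(n);
    const t0 = process.hrtime.bigint();
    const result = fn(input);
    const ms = Number(process.hrtime.bigint() - t0) / 1e6;
    return { n, result, ms };
  });
}

// Sizes are kept small on purpose: the old pattern is quadratic, so the
// 100,000 digits used in the fix's test would take far longer here.
const sizes = [500, 1000, 2000, 4000];
console.log('vulnerable:', scaling(isUrlVulnerable, sizes));
console.log('fixed:     ', scaling(isUrlFixed, sizes));
```

Doubling n should roughly quadruple the vulnerable timings while the fixed timings stay flat; both matchers return false for every attack string.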
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| is-url (npm) | < 1.2.3 | 1.2.3 |
Affected products
Patches (2)
1. 149550935c63 security: Fix REDOS vulnerability
2 files changed · +34 −3
index.js+23 −3 modified@@ -6,10 +6,15 @@ module.exports = isUrl; /** - * Matcher. + * RegExps. + * A URL must match #1 and then at least one of #2/#3. + * Use two levels of REs to avoid REDOS. */ -var matcher = /^(?:\w+:)?\/\/([^\s\.]+\.\S{2}|localhost[\:?\d]*)\S*$/; +var protocolAndDomainRE = /^(?:\w+:)?\/\/(\S+)$/; + +var localhostDomainRE = /^localhost[\:?\d]*(?:[^\:?\d]\S*)?$/ +var nonLocalhostDomainRE = /^[^\s\.]+\.\S{2,}$/; /** * Loosely validate a URL `string`. @@ -19,5 +24,20 @@ var matcher = /^(?:\w+:)?\/\/([^\s\.]+\.\S{2}|localhost[\:?\d]*)\S*$/; */ function isUrl(string){ - return matcher.test(string); + var match = string.match(protocolAndDomainRE); + if (!match) { + return false; + } + + var everythingAfterProtocol = match[1]; + if (!everythingAfterProtocol) { + return false; + } + + if (localhostDomainRE.test(everythingAfterProtocol) || + nonLocalhostDomainRE.test(everythingAfterProtocol)) { + return true; + } + + return false; }
test/index.js+11 −0 modified@@ -119,4 +119,15 @@ describe('is-url', function () { assert(!url('google.com')); }); }); + + describe('redos', function () { + it('redos exploit', function () { + // Invalid. This should be discovered in under 1 second. + var attackString = 'a://localhost' + '9'.repeat(100000) + '\t'; + var before = process.hrtime(); + assert(!url(attackString), 'attackString was valid'); + var elapsed = process.hrtime(before); + assert(elapsed[0] < 1, 'attackString took ' + elapsed[0] + ' > 1 seconds'); + }); + }); });
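Review bot: in the first index.js hunk the `localhostDomainRE` declaration lacks the trailing semicolon that its two sibling declarations have; add `;` after the closing `/` so a later line beginning with `(` or `[` cannot be parsed as a continuation. The split itself is sound: `[\:?\d]*` and the `[^\:?\d]` that follows it are disjoint classes, so the engine has no ambiguous boundary to retry.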
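Review bot: in the second index.js hunk, `string.match(protocolAndDomainRE)` throws a TypeError when `string` is `undefined` or `null`, whereas the removed `matcher.test(string)` coerced such values and returned false; either keep the coercion (`String(string).match(...)`) or document the stricter contract. The `if (!everythingAfterProtocol)` guard is unreachable because `(\S+)` cannot capture an empty string, and the closing if/return pair reduces to `return localhostDomainRE.test(everythingAfterProtocol) || nonLocalhostDomainRE.test(everythingAfterProtocol);`.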
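Review bot: the test/index.js hunk asserts on wall-clock time (`elapsed[0] < 1`), so a regression would show up as a hang of the test runner rather than a clean assertion failure, and the bound can be sensitive on a loaded CI host; consider also covering the accepting path with the same input minus the trailing tab (`'a://localhost' + '9'.repeat(100000)`), which should return true just as quickly, so the test exercises both the fast-reject and fast-accept branches of the new patterns.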
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (7)
- github.com/segmentio/is-url/commit/149550935c63a98c11f27f694a7c4a9479e53794 (ghsa, patch, web)
- github.com/segmentio/is-url/releases/tag/v1.2.3 (ghsa, patch, web)
- github.com/advisories/GHSA-p9w8-2mpq-49h9 (ghsa, advisory)
- nvd.nist.gov/vuln/detail/CVE-2018-25079 (ghsa, advisory)
- github.com/segmentio/is-url/pull/18 (ghsa, issue-tracking, web)
- vuldb.com (ghsa, signature, permissions-required, web)
- vuldb.com (ghsa, vdb-entry, web)
News mentions (0)
No linked articles in our index yet.