VYPR
High severity · NVD Advisory · Published Dec 23, 2022 · Updated Apr 14, 2025

CVE-2020-26302

Description

is.js is a general-purpose check library. Versions 0.9.0 and prior contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS). is.js uses a regex copy-pasted from a gist to validate URLs. Trying to validate a malicious string can cause the regex to loop "forever". This vulnerability was found using a CodeQL query which identifies inefficient regular expressions. is.js has no patch for this issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

is.js 0.9.0 and prior has a ReDoS vulnerability in its URL validation regex, causing denial of service when processing crafted input.

Vulnerability

Description

is.js, a general-purpose check library, includes a regular expression to validate URLs that was copied from a gist. This regex is vulnerable to Regular Expression Denial of Service (ReDoS) due to exponential backtracking on crafted input. Versions 0.9.0 and prior are affected [1][2].

Exploitation

An attacker can exploit this vulnerability by providing a maliciously crafted URL string to any application using is.js for input validation. When the regex processes this string, it may enter a state of near-infinite backtracking, consuming excessive CPU resources. No authentication or special network position is required if the application exposes the validation to untrusted input [2].

Impact

Successful exploitation leads to a denial of service condition, exhausting server resources and potentially causing the application to become unresponsive. This can be used to disrupt services that rely on is.js for URL checking [1][2].

Mitigation

As of the disclosure timeline, the project maintainer did not respond, and no patch has been released. Users are advised to replace the vulnerable regex with a safer alternative or avoid using is.js for URL validation in security-critical contexts [2][4].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
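The replacement the Mitigation section calls for, as an added example that is not code from is.js or from this advisory: validate URLs with the WHATWG URL parser (linear-time, no backtracking) behind an input-length cap and a protocol allowlist. The cap value, the allowlist and the function name are assumptions chosen for illustration.

```javascript
// Added example, not is.js code: a regex-free URL check that cannot be driven
// into catastrophic backtracking, because parsing is delegated to the WHATWG
// URL parser built into Node.js and browsers, which runs in linear time.

// Assumed policy values for illustration; tune them to the application.
const DEFAULT_MAX_LENGTH = 2048;
const DEFAULT_PROTOCOLS = new Set(['http:', 'https:']);

function isValidUrl(input, { maxLength = DEFAULT_MAX_LENGTH, protocols = DEFAULT_PROTOCOLS } = {}) {
  // Bound the work before anything inspects the content: an untrusted caller
  // gets at most maxLength characters of parsing, and anything longer is
  // rejected in constant time.
  if (typeof input !== 'string' || input.length === 0 || input.length > maxLength) {
    return false;
  }

  let url;
  try {
    url = new URL(input);   // throws on anything that is not an absolute URL
  } catch {
    return false;
  }

  // The parser accepts many schemes (data:, file:, javascript:), so allowlist
  // the ones the application actually expects instead of trusting "it parsed".
  if (!protocols.has(url.protocol)) {
    return false;
  }

  // http(s) URLs without a host already fail to parse; the explicit check
  // covers non-special schemes a caller might add to the allowlist.
  return url.hostname !== '';
}
```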

Affected packages

Versions sourced from the GitHub Security Advisory.

Package     | Affected versions | Patched versions
is_js (npm) | <= 0.9.0          | none

Affected products: 3

Patches: 0

No patches discovered yet.


References: 4

News mentions: 0
