VYPR
Moderate severity · NVD Advisory · Published Sep 2, 2024 · Updated Sep 3, 2024

nescalante urlregex Backtracking index.js redos

CVE-2020-36830

Description

A vulnerability classified as problematic was found in nescalante urlregex up to and including 0.5.0. The affected code is in index.js: the URL-matching regular expression assembled there is vulnerable to catastrophic backtracking, so a crafted input string drives the engine into inefficient regular expression complexity (ReDoS) and matching time grows super-linearly with input length. The attack can be initiated remotely wherever untrusted input, such as a request parameter or user-submitted text, is matched against the generated pattern. An exploit has been disclosed publicly and may be used. Upgrading to version 0.5.1 addresses this issue; the fix is commit e5a085afe6abfaea1d1a78f54c45af9ef43ca1f9, which keeps the pattern text and replaces the backtracking RegExp engine with RE2. It is recommended to upgrade the affected component and, because re2 is a native addon, to confirm that it installs cleanly on every target platform.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package     Ecosystem   Affected versions   Patched versions
urlregex    npm         < 0.5.1             0.5.1

Affected products: 1

Patches: 1

e5a085afe6ab

Security Fix for Regular Expression Denial of Service (ReDoS) - huntr.dev (#8)

https://github.com/nescalante/urlregex · huntr-helper · Sep 16, 2020 · via ghsa
3 files changed · +12 −4
  • index.js · +3 −1 · modified
    @@ -1,4 +1,6 @@
     'use strict';
    +const RE2 = require("re2");
    +
     
     module.exports = function (opts) {
       var exact = (opts && opts.exact !== undefined) ? opts.exact : true;
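Review bot: the new `const RE2 = require("re2");` adds a runtime dependency, but this commit touches only index.js and two test files (3 files changed), so `re2` must also be declared in package.json or `require` will throw for every consumer of 0.5.1; re2 is a native addon that needs a prebuilt binary or a node-gyp build at install time, which is worth calling out in the release notes. Style: the file uses single quotes (`'use strict'` on the line above), so prefer `require('re2')`.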
    @@ -14,5 +16,5 @@ module.exports = function (opts) {
       var path = '(?:[/?#][^\\s"]*)?';
       var regex = '(?:' + protocol + '|www\\.)' + auth + '(?:localhost|' + ip + '|' + host + domain + tld + ')' + port + path;
     
    -  return exact ? new RegExp('(?:^' + regex + '$)', 'i') : new RegExp(regex, 'ig');
    +  return exact ? new RE2('(?:^' + regex + '$)', 'i') : new RE2(regex, 'ig');
     };
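Review bot: replacing `new RegExp(...)` with `new RE2(...)` on the return line leaves the pattern text unchanged, so the fix only holds if every piece concatenated into `regex` is something RE2 accepts; `protocol`, `auth`, `ip`, `host`, `domain`, `tld` and `port` are defined outside this hunk and should be checked for backreferences or lookaround, which RE2 rejects at construction time rather than at match time. Also note the returned object is now an RE2 instance, not a RegExp: `.test()`, `.exec()` and the `'i'`/`'ig'` flags behave the same, but `instanceof RegExp` is false for callers, which deserves a line in the changelog for a patch-level release.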
    
  • test/notmatch.js · +4 −2 · modified
    @@ -34,12 +34,14 @@ const fixtures = [
       'http://foo.bar/ /',
       'http://google\\.com',
       'http://www(google.com',
    -  'http://www.example.xn--overly-long-punycode-test-string-test-tests-123-test-test123/',
       'http://www=google.com',
       'https://www.g.com/error\n/bleh/bleh',
       'rdar://1234',
       '/foo.bar/',
    -  '///www.foo.bar./'
    +  '///www.foo.bar./',
    +  'http://huntr.devtestvulnerability2312321.testvulnerability2312321.testvulnerability2312321.testvulnerability2312321.testvulnerability2312321.testvulnerability2312321.testvulnerability2312321http://huntr.devtestvulnerability2312321.testvulnerability2312321.testvulnerability2312321.testvulnerability2312321.testvulnerability2312321.testvulnerability2312321.testvulnerability2312321http://huntr.devtestvulnerability2312321.testvulnerability2312321.testvulnerability2312321.testvulnerability2312321.testvulnerability2312321.testvulnerability2312321.testvulnerability2312321http://huntr.devtestvulnerability2312321.testvulnerability2312321.testvulnerability2312321.testvulnerability2312321.testvulnerability2312321.testvulnerability2312321.testvulnerability2312321http://huntr.devtestvulnerability2312321.testvulnerability2312321.testvulnerability2312321.testvulnerability2312321.testvulnerability2312321.testvulnerability2312321.testvulnerability2312321http://huntr.devtestvulnerability2312321.testvulnerability2312321.testvulnerability2312321.testvulnerability2312321.testvulnerability2312321.testvulnerability2312321.testvulnerability2312321http://huntr.devtestvulnerability2312321.testvulnerability2312321.testvulnerability2312321.testvulnerability2312321.testvulnerability2312321.testvulnerability2312321.testvulnerability2312321http://huntr.devtestvulnerability2312321.testvulnerability2312321.testvulnerability2312321.testvulnerability2312321.testvulnerability2312321.testvulnerability2312321.testvulnerability2312321http://huntr.devtestvulnerability2312321.testvulnerability2312321.testvulnerability2312321.testvulnerability2312321.testvulnerability2312321.testvulnerability2312321.testvulnerability2312321http://huntr.devtestvulnerability2312321.testvulnerability2312321.testvulnerability2312321.testvulnerability2312321.testvulnerability2312321.testvulnerability2312321.testvulnerability2312321http://huntr.devtestvulnerability2312321.testvulnerability2312321.testvulnerability2312321.t
estvulnerability2312321.testvulnerability2312321.testvulnerability2312321.testvulnerability2312321http://huntr.devtestvulnerability2312321.testvulnerability2312321.testvulnerability2312321.testvulnerability2312321.testvulnerability2312321.testvulnerability2312321.testvulnerability2312321http://huntr.devtestvulnerability2312321.testvulnerability2312321.testvulnerability2312321.testvulnerability2312321.testvulnerability2312321.testvulnerability2312321.testvulnerability2312321http://huntr.devtestvulnerability2312321.testvulnerability2312321.testvulnerability2312321.testvulnerability2312321.testvulnerability2312321.testvulnerability2312321.testvulnerability2312321http://huntr.devtestvulnerability2312321.testvulnerability2312321.testvulnerability2312321.testvulnerability2312321.testvulnerability2312321.testvulnerability2312321.testvulnerability2312321http://huntr.devtestvulnerability2312321.testvulnerability2312321.testvulnerability2312321.testvulnerability2312321.testvulnerability2312321.testvulnerability2312321.testvulnerability2312321http://huntr.devtestvulnerability2312321.testvulnerability2312321.testvulnerability2312321.testvulnerability2312321.testvulnerability2312321.testvulnerability2312321.testvulnerability2312321http://huntr.devtestvulnerability2312321.testvulnerability2312321.testvulnerability2312321.testvulnerability2312321.testvulnerability2312321.testvulnerability2312321.testvulnerability2312321http://huntr.devtestvulnerability2312321.testvulnerability2312321.testvulnerability2312321.testvulnerability2312321.testvulnerability2312321.testvulnerability2312321.testvulnerability2312321http://huntr.devtestvulnerability2312321.testvulnerability2312321.testvulnerability2312321.testvulnerability2312321.testvulnerability2312321.testvulnerability2312321.testvulnerability2312321http://huntr.devtestvulnerability2312321.testvulnerability2312321.testvulnerability2312321.testvulnerability2312321.testvulnerability2312321.testvulnerability2312321.testvulnerability2312321ht
tp://huntr.devtestvulnerability2312321.testvulnerability2312321.testvulnerability2312321.testvulnerability2312321.testvulnerability2312321.testvulnerability2312321.testvulnerability2312321http://huntr.devtestvulnerability2312321.testvulnerability2312321.testvulnerability2312321.testvulnerability2312321.testvulnerability2312321.testvulnerability2312321.testvulnerability2312321http://huntr.devtestvulnerability2312321.testvulnerability2312321.testvulnerability2312321.testvulnerability2312321.testvulnerability2312321.testvulnerability2312321.testvulnerability2312321http://huntr.devtestvulnerability2312321.testvulnerability2312321.testvulnerability2312321.testvulnerability2312321.testvulnerability2312321.testvulnerability2312321.testvulnerability2312321http://huntr.devtestvulnerability2312321.testvulnerability2312321.testvulnerability2312321.testvulnerability2312321.testvulnerability2312321.testvulnerability2312321.testvulnerability2312321http://huntr.devtestvulnerability2312321.testvulnerability23',
    +  'http://asdf:asdf@huntr.devtestvulnerability2312321.testvulnerability2312321.testvulnerability2312321.testvulnerability2312321.testvulnerability2312321.testvulnerability2312321.testvulnerability2312321',
    +  'http://www.example.xn--overly-long-punycode-test-string-test-tests-123-test-test123/'
     ];
     
     for (const x of fixtures) {
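Review bot: the two huntr strings added before the closing `];` are the reporter's ReDoS inputs, but `fixtures` here only asserts that they do not match (`for (const x of fixtures)`), so on the pre-patch RegExp this test would hang rather than fail with a useful message. Add a comment naming the long one as the CVE regression input and consider a timed assertion (fail if the match exceeds a bound) so a future regression shows up as a test failure instead of a stuck CI job. Moving the `xn--overly-long-punycode-test-string...` entry from the middle of the list to the end is pure reordering and only inflates the diff.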
    
  • test/urlmatch.js · +5 −1 · modified
    @@ -11,7 +11,6 @@ const exactFixtures = [
       'http://a.b.c.d.e.f.g.h.i.j.k.l.m.n.o.p.q.r.s.t.u.v.w.x.y.z.com',
       'http://mw1.google.com/mw-earth-vectordb/kml-samples/gp/seattle/gigapxl/$[level]/r$[y]_c$[x].jpg',
       'http://user:pass@example.com:123/one/two.three?q1=a1&q2=a2#body',
    -  'http://www.microsoft.xn--comindex-g03d.html.irongeek.com',
       'http://✪df.ws/123',
       'http://localhost/',
       'http://userid:password@example.com:8080',
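Review bot: the `http://www.microsoft.xn--comindex-g03d.html.irongeek.com` line removed here reappears verbatim in the next hunk of this file; moving an unchanged fixture to the bottom of `exactFixtures` is noise in a security fix and hides which fixtures are actually new. Leave it in place and append only the new entries.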
    @@ -60,6 +59,11 @@ const exactFixtures = [
       'http://➡.ws/䨹',
       'www.google.com/unicorn',
       'http://example.com.',
    +  'http://www.microsoft.xn--comindex-g03d.html.irongeek.com',
    +  'www.microsoft.xn--comindex-g03d.html.irongeek.com',
    +  'http://xn--addas-o4a.de/',
    +  'xn--aerlngus-j80d.com',
    +  'xn--sngaporeair-zzb.com'
     ];
     
     const notExactFixtures = [
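Review bot: the four new punycode entries (`www.microsoft.xn--comindex-g03d.html.irongeek.com`, `http://xn--addas-o4a.de/`, `xn--aerlngus-j80d.com`, `xn--sngaporeair-zzb.com`) are the right kind of regression check for an engine swap, since they confirm RE2 still accepts hosts the old pattern matched, but they all go into `exactFixtures`; `notExactFixtures` on the line below is untouched, so the non-exact `new RE2(regex, 'ig')` branch of the index.js change gets no new coverage. Add at least one string containing several URLs there, and either keep unrelated fixture additions out of a CVE fix commit or say in the commit message why they belong.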
    

Vulnerability mechanics

index.js builds one large pattern by string concatenation: `(?:protocol|www\.)`, then `auth`, then the `(?:localhost|ip|host domain tld)` alternation, then `port` and `path` (itself `(?:[/?#][^\s"]*)?`). Several of the concatenated pieces are quantified sub-patterns that can consume the same characters, so when an input almost matches and then fails, the backtracking RegExp engine retries every way of dividing the input between adjacent pieces before it gives up. The fixtures added to test/notmatch.js show the shape of such an input: a long run of dotted labels (`huntr.devtestvulnerability2312321.testvulnerability2312321...`) repeated many times in a string the pattern must ultimately reject. Matching time then grows super-linearly with input length, and a single request carrying such a string can pin a CPU core. The patch leaves the pattern text alone and swaps the engine: `new RegExp(...)` becomes `new RE2(...)`, and RE2 matches in time linear in the input because it never backtracks.
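The following is an added example, not urlregex's code and not part of the patch. It does not reproduce urlregex's sub-patterns (which are not on this page): `BACKTRACKING_HOST` is a constructed stand-in with the same nested-quantifier ambiguity, and `isHttpUrl`, `MAX_URL_LENGTH`, `LABEL`, `TLD` and `IPV4` are hypothetical names for an engine-independent alternative (length cap, WHATWG URL parser, unambiguous per-label checks) for deployments that cannot take on the native re2 dependency. The sample inputs are drawn from the test fixtures shown in the diff; the repeated huntr string is constructed to stand in for the multi-kilobyte fixture.

```javascript
'use strict';
// Added example, not urlregex's code: shows why a URL-shaped pattern with
// nested quantifiers backtracks catastrophically on a near-miss input, and
// an engine-independent hardening for code that cannot take on the native
// re2 dependency the upstream patch introduces.
const perf = (typeof performance !== 'undefined')
  ? performance
  : require('perf_hooks').performance;

// Constructed stand-in for the vulnerable shape ("labels optionally followed
// by a dot"). It is NOT the pattern urlregex builds; it only reproduces the
// ambiguity of a quantified group ([a-z0-9]+) inside another quantifier (+).
const BACKTRACKING_HOST = /^(?:[a-z0-9]+\.?)+$/i;
// Same set of strings, written so each character can be consumed one way only.
const LINEAR_HOST = /^[a-z0-9.]+$/i;

// Milliseconds spent in re.test(input). For demonstration only.
function matchMillis(re, input) {
  const start = perf.now();
  re.test(input);
  return perf.now() - start;
}

// n valid host characters followed by one that makes the whole match fail:
// the failure is what forces the engine to try every split of the prefix.
function almostMatching(n) {
  return 'a'.repeat(n) + '!';
}

// ---- Hardening without swapping the regex engine -------------------------

// Assumed bound (not from the page): anything longer is rejected before any
// parsing runs, so a multi-kilobyte payload like the huntr fixture costs O(1).
const MAX_URL_LENGTH = 2048;
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);
// Per-label checks: anchored, no nested quantifiers, applied to short pieces.
const LABEL = /^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$/i;
const TLD = /^[a-z]{2,}$/i;
const IPV4 = /^\d{1,3}(?:\.\d{1,3}){3}$/; // octet ranges already checked by URL

// True when s is a single http(s) URL with a plausible host. Like urlregex,
// a leading "www." may stand in for the scheme; otherwise a scheme is required.
function isHttpUrl(s) {
  if (typeof s !== 'string' || s.length === 0 || s.length > MAX_URL_LENGTH) return false;
  // Checked before parsing: the WHATWG parser silently drops tabs and
  // newlines, which would let "https://www.g.com/error\n/bleh/bleh" through.
  if (/\s/.test(s)) return false;
  const candidate = /^www\./i.test(s) ? 'http://' + s : s;
  let url;
  try {
    url = new URL(candidate); // linear-time parser; throws on malformed input
  } catch (e) {
    return false;
  }
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) return false;
  const host = url.hostname.replace(/\.$/, ''); // tolerate one trailing dot
  if (host === 'localhost' || host.startsWith('[') || IPV4.test(host)) return true;
  const labels = host.split('.');
  return labels.length >= 2 &&
    labels.every((label) => LABEL.test(label)) &&
    TLD.test(labels[labels.length - 1]);
}

if (typeof require !== 'undefined' && require.main === module) {
  // Timings grow roughly 4x per two extra characters for the backtracking
  // pattern and stay flat for the linear one.
  for (const n of [16, 18, 20, 22]) {
    const slow = matchMillis(BACKTRACKING_HOST, almostMatching(n)).toFixed(2);
    const fast = matchMillis(LINEAR_HOST, almostMatching(n)).toFixed(3);
    console.log(`n=${n}: backtracking ${slow} ms, linear ${fast} ms`);
  }
  console.log(isHttpUrl('http://user:pass@example.com:123/one/two.three?q1=a1&q2=a2#body')); // true
  console.log(isHttpUrl('http://' + 'huntr.devtestvulnerability2312321.'.repeat(200))); // false
}
```

Run it with node to see the timings grow for the stand-in pattern while the linear one stays flat. The validator deliberately rejects whitespace before calling `new URL()`, because the WHATWG parser strips tabs and newlines instead of failing, and it rejects over-length input before doing any work at all; both checks are the kind of pre-filter that still makes sense in front of the RE2-backed 0.5.1 pattern, since a linear-time engine bounds CPU per byte but not the number of bytes a caller can send.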
