VYPR
Moderate severity · NVD Advisory · Published May 20, 2022 · Updated Sep 16, 2024

Regular Expression Denial of Service (ReDoS)

CVE-2022-21195

Description

All versions of package url-regex are vulnerable to Regular Expression Denial of Service (ReDoS) which can cause the CPU usage to crash.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

All versions of the url-regex package are vulnerable to ReDoS, allowing an attacker to drive CPU usage to exhaustion with a crafted input string.

Vulnerability

The url-regex Python package, in all versions, contains a regular expression that is vulnerable to Regular Expression Denial of Service (ReDoS) [1]. The vulnerable regex is used to match URLs and can be forced into catastrophic backtracking when processing a specially crafted input string [1]. The source code is available at https://github.com/AlexFlipnote/url_regex/blob/master/url_regex/url_regex.py [2].

Exploitation

An attacker does not require any special network position or authentication; the ReDoS can be triggered by providing a crafted URL string to any application that uses the url-regex package to validate or parse URLs [1]. The malicious string causes the regex engine to enter exponential backtracking, consuming excessive CPU resources [1].

Impact

Successful exploitation results in a denial of service: the CPU usage spikes dramatically, potentially causing the application or system to become unresponsive or crash [1]. The impact is limited to availability, with no data confidentiality or integrity compromise.

Mitigation

No fixed version has been released as of the publication date (2022-05-20) [1]. The vendor portal (Snyk) lists this vulnerability as unpatched. Users should consider replacing the url-regex package with an alternative URL validation approach that is not vulnerable to ReDoS, such as the re module with a more carefully crafted (non-backtracking) regex, or a dedicated URL parser such as urllib.parse [1][2].
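One way to follow the mitigation above, as an added example that is neither the url-regex project's code nor taken from the advisory: a URL validator built on urllib.parse with an input length cap, so every step is linear in the input and no backtracking regex is involved. MAX_URL_LEN, ALLOWED_SCHEMES and the hostname label rules are assumed policy choices, not values from the page.

```python
from urllib.parse import urlsplit
import ipaddress
import string

# Assumed policy values: cap input size and restrict schemes before parsing.
MAX_URL_LEN = 2048
ALLOWED_SCHEMES = {"http", "https"}
_LABEL_CHARS = set(string.ascii_letters + string.digits + "-")


def _valid_host(host):
    """Accept an IP literal or a hostname made of well-formed DNS labels."""
    try:
        ipaddress.ip_address(host)  # IPv4 or IPv6 literal (brackets already stripped)
        return True
    except ValueError:
        pass
    if not host or len(host) > 253:
        return False
    labels = host.rstrip(".").split(".")
    if len(labels) < 2:  # assumed policy: require at least one dot (rejects bare names)
        return False
    for label in labels:
        if not label or len(label) > 63:
            return False
        if label[0] == "-" or label[-1] == "-":
            return False
        if not set(label) <= _LABEL_CHARS:  # set comparison: linear, no backtracking
            return False
    return True


def is_valid_url(candidate):
    """Structural URL check that never hands the input to a regex engine."""
    if not isinstance(candidate, str) or len(candidate) > MAX_URL_LEN:
        return False
    try:
        parts = urlsplit(candidate)
    except ValueError:  # malformed netloc (e.g. unbalanced IPv6 brackets)
        return False
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    try:
        host = parts.hostname
        parts.port  # raises ValueError on a non-numeric or out-of-range port
    except ValueError:
        return False
    if host is None:
        return False
    return _valid_host(host)
```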

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: url_regex (PyPI)
Affected versions: <= 1.0.4
Patched versions: (none)

Affected products

3

Patches

0

No patches discovered yet.


References

4
