CVE-2018-25079 - Exploiting Regular Expression Complexity in Segmentio is-url Library (up to 1.2.2)
Summary:
A vulnerability, identified as CVE-2018-25079 (also tracked as VDB-220058), was discovered in Segmentio’s is-url npm library and affects all versions up to 1.2.2. The flaw is an inefficient regular expression in index.js that a maliciously crafted URL can drive into excessive backtracking, leading to a denial of service (DoS). The issue is fixed in version 1.2.3 by patch 149550935c63a98c11f27f694a7c4a9479e53794.
1. What is Segmentio is-url?
is-url is a popular Node.js library often used to validate whether a string looks like a URL. Many projects use it as a basic utility for data validation.
2. About the Vulnerability
The vulnerability is caused by an inefficient regular expression used in the validation logic. An attacker can craft input that forces the regex engine into heavy computation, causing Node.js processes (or any service using the library) to hang or become very slow. This is a regular expression denial of service (ReDoS) issue.
Origin
The dangerous code is located in index.js, where the regular expression is compiled and used.
Here’s the relevant section from index.js (up to version 1.2.2):
var protocolAndSlashes = /^[a-z][a-z-9+\-.]*:\/\//i;

/**
 * Checks if the string looks like a URL.
 */
module.exports = function (str) {
  return typeof str == 'string' && protocolAndSlashes.test(str);
};
The problem lies in the regular expression: ^[a-z][a-z-9+\-.]*:\/\//i
This pattern can be abused, as it may cause the engine to backtrack excessively with certain crafted input strings.
4. How Could an Attacker Exploit This?
By sending long, carefully crafted invalid input (notably in bulk or automated scans), an attacker can force the regular expression engine into heavy backtracking, causing high CPU consumption or a service hang.
Example Exploit Input:
// is-url at or below version 1.2.2
const isUrl = require('is-url');

// This string is intentionally long and triggers ReDoS
const maliciousStr = 'a'.repeat(1e6) + ':////';

// Running this will hang/freeze or exhaust resources
isUrl(maliciousStr);
Or via a JSON payload, if the value is consumed through a REST API (the long run of "a" characters is abbreviated here):
{
  "website": "a...a:////"
}
If your backend uses is-url to validate URL inputs, it can be severely impacted.
5. Remote Attack Surface
This can be launched remotely—for example, by submitting a long, malicious “URL” string via a web form, an API endpoint, or any service that connects to a Node.js API using this library.
6. Fix: How Was It Patched?
The patch, implemented in commit 149550935c63a98c11f27f694a7c4a9479e53794, tightens the regular expression to eliminate the inefficient pattern. After patching, the function is less vulnerable to this kind of input.
Patched code (from 1.2.3):
// Matching protocol and making sure it's followed by at least one non-slash character
var protocolAndHost = /^[a-z][a-z-9+\-.]*:\/\/[^/]+/i;

module.exports = function (str) {
  return typeof str == 'string' && protocolAndHost.test(str);
};
This new regex avoids pathological backtracking by ensuring a non-slash character after the protocol.
- Audit your codebase and dependencies for embedded copies of this regex.
- Consider using more robust libraries with active maintenance, such as validator.js.
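The following is an added example, not code from the is-url project or from this advisory. It runs the "before" (up to 1.2.2) and "after" (1.2.3) patterns quoted above side by side on the same inputs so the effect of the fix is visible, and wraps the patched pattern in a validator that enforces an input-length cap and reports how long validation took. The length cap and the timing check are generic ReDoS defenses that apply to any regex fed attacker-controlled text; the 2048-character limit and the sample inputs are assumptions constructed for the example.

```javascript
'use strict';
// Added example, not code from the is-url project or the advisory author.
// Shows (1) how the two patterns quoted in the advisory differ on the same
// inputs and (2) a defensive wrapper that caps input length and measures
// validation time before trusting a URL-validation regex in production.

// Patterns exactly as quoted above: index.js up to 1.2.2, and 1.2.3.
const protocolAndSlashesBefore = /^[a-z][a-z-9+\-.]*:\/\//i;
const protocolAndHostAfter = /^[a-z][a-z-9+\-.]*:\/\/[^/]+/i;

// Assumption: 2048 characters is a common practical ceiling for URLs. The cap
// is a policy choice; set it to what your application actually needs.
const MAX_URL_LENGTH = 2048;

// Run both quoted patterns on one input so the effect of the fix is visible.
function compareBeforeAfter(str) {
  return {
    before: protocolAndSlashesBefore.test(str),
    after: protocolAndHostAfter.test(str),
  };
}

// Hardened validator: type check, length cap, then the patched regex.
// Rejecting oversized input before any regex work bounds the worst-case cost
// no matter how the pattern behaves on pathological strings.
function isUrlBounded(str, maxLen = MAX_URL_LENGTH) {
  if (typeof str !== 'string') return false;
  if (str.length > maxLen) return false;
  return protocolAndHostAfter.test(str);
}

// Time a validator on one input. Useful as a CI smoke test for any regex that
// handles untrusted text: fail the build when elapsedMs exceeds a budget.
function timeValidation(fn, input) {
  const now = () => (typeof performance !== 'undefined' ? performance.now() : Date.now());
  const start = now();
  const result = fn(input);
  return { result, elapsedMs: now() - start };
}

// Constructed sample inputs (not taken from the advisory).
const samples = [
  'https://example.com/path',
  'ftp://files.example.org',
  'not a url',
  'http:////',                 // scheme followed only by slashes
  'a'.repeat(1e6) + ':////',   // the oversized payload shape shown above
];

// Evaluate every sample with both quoted patterns and the bounded validator.
function runSamples() {
  return samples.map((s) => {
    const { result, elapsedMs } = timeValidation(isUrlBounded, s);
    const label = s.length > 40 ? `${s.slice(0, 20)}... (${s.length} chars)` : s;
    return { input: label, ...compareBeforeAfter(s), bounded: result, elapsedMs };
  });
}

console.table(runSamples());
```

The `before`/`after` columns show the behavioural change the patch introduces: a scheme followed only by slashes matches the old pattern and is rejected by the new one. The `bounded` column shows the oversized payload being refused by the length check before the regex ever runs, which is the cheapest place to stop this class of input.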
8. Further References
- CVE-2018-25079 at NVD
- VDB-220058 at VulDB
- Is-url Commit Fix
- Segmentio is-url Releases
9. Conclusion
CVE-2018-25079 is a classic example of how small utilities can become a serious risk due to inefficient regular expressions. If you use is-url below v1.2.3, you are vulnerable to remote DoS attacks. Patch your dependencies, monitor your software supply chain, and stay alert for similar ReDoS vulnerabilities in other modules.
If you found this useful, consider sharing with your team or friends who manage JavaScript/Node.js applications!
Timeline
Published on: 02/04/2023 04:15:00 UTC
Last modified on: 02/14/2023 01:47:00 UTC