ReDoS in is-it-check in evdama/is-it-check


Reported on Mar 19th 2022

✍️ Description

It allows causing a denial of service when checking crafted invalid URLs.

🕵️‍♂️ Proof of Concept

// PoC.js
var isItCheck = require("is-it-check")
We are processing your report and will contact the evdama/is-it-check team within 24 hours. 2 years ago
We have contacted a member of the evdama/is-it-check team and are waiting to hear back 2 years ago
2 years ago


Two possible solutions, a) add a str.length() check or b) modify existing regex with a length check. Would you mind sending a PR to ?

Markus validated this vulnerability 2 years ago
yetingli has been awarded the disclosure bounty
The fix bounty is now up for grabs
Markus marked this as fixed in 1.0.0 with commit d60d34 2 years ago
Markus has been awarded the fix bounty
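
The two mitigations suggested in the thread, (a) a length check ahead of the regex and (b) a length bound inside the regex, as an added example that is not the project's code or its actual fix. The URL pattern, the 2048-character cap and every helper name are assumptions constructed for illustration.

```javascript
// Added example. Helper names, the cap and the pattern are assumptions,
// not code from is-it-check.
const MAX_URL_LENGTH = 2048; // assumed cap; pick one that fits your inputs

// Constructed, deliberately simple URL pattern with no nested or
// overlapping quantifiers (NOT the library's regex).
const URL_PATTERN = /^https?:\/\/[a-z0-9.-]+(?::\d{1,5})?(?:\/[^\s]*)?$/i;

// Option (a): reject by length before the regex engine ever runs.
// The returned function exposes a call counter so the short-circuit is testable.
function makeGuardedCheck(pattern, maxLength) {
  let regexCalls = 0;
  const check = (value) => {
    if (typeof value !== "string") return false;
    if (value.length === 0 || value.length > maxLength) return false;
    regexCalls += 1;
    return pattern.test(value);
  };
  check.regexCalls = () => regexCalls;
  return check;
}

// Option (b): carry the length bound inside the regex as a leading lookahead.
function withLengthLookahead(pattern, maxLength) {
  const body = pattern.source.replace(/^\^/, "");
  return new RegExp("^(?=.{1," + maxLength + "}$)" + body, pattern.flags);
}

const isUrl = makeGuardedCheck(URL_PATTERN, MAX_URL_LENGTH);
const URL_PATTERN_BOUNDED = withLengthLookahead(URL_PATTERN, MAX_URL_LENGTH);
const isUrlBounded = (value) =>
  typeof value === "string" && URL_PATTERN_BOUNDED.test(value);

// Constructed sample inputs.
const samples = ["https://example.com/path?x=1", "not a url",
  "https://example.com/" + "a".repeat(5000)];
for (const s of samples) {
  console.log(s.length, isUrl(s), isUrlBounded(s));
}
```

A length cap only bounds how much work the regex can be given; where a pattern's backtracking is exponential, short inputs are already expensive, so the pattern itself should also avoid nested or overlapping quantifiers.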