Bug 2167268 (CVE-2018-25079) - CVE-2018-25079 is-url: inefficient regular expression complexity
Status: NEW
Alias: CVE-2018-25079
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Nobody
Depends On: 2167269 2167289
Blocks: 2167257
Reported: 2023-02-06 05:29 UTC by Avinash Hanwate
Modified: 2023-07-07 08:34 UTC


Description Avinash Hanwate 2023-02-06 05:29:07 UTC
A vulnerability was found in Segmentio is-url up to 1.2.2. It has been rated as problematic. Affected by this issue is some unknown functionality of the file index.js. The manipulation leads to inefficient regular expression complexity. The attack may be launched remotely. Upgrading to version 1.2.3 is able to address this issue. The name of the patch is 149550935c63a98c11f27f694a7c4a9479e53794. It is recommended to upgrade the affected component. VDB-220058 is the identifier assigned to this vulnerability.

https://github.com/segmentio/is-url/commit/149550935c63a98c11f27f694a7c4a9479e53794
https://github.com/segmentio/is-url/releases/tag/v1.2.3
https://vuldb.com/?ctiid.220058
https://vuldb.com/?id.220058
https://github.com/segmentio/is-url/pull/18

Comment 1 Avinash Hanwate 2023-02-06 05:30:17 UTC
Created yarnpkg tracking bugs for this issue:

Affects: fedora-all [bug 2167269]

Comment 2 Avinash Hanwate 2023-02-06 06:27:24 UTC
Created yarnpkg tracking bugs for this issue:

Affects: epel-8 [bug 2167289]
