
CVE-2020-1920: Regular expression denial of service in react-native

CVSS Score: 7.5 (CVSS v3.1)

Basic Information

EPSS Score: 0.62511%
Published: 7/20/2021
Updated: 1/27/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name   Ecosystem   Vulnerable Versions    First Patched Version
react-native   npm         >= 0.59.0, < 0.62.3    0.62.3
react-native   npm         >= 0.63.0, < 0.64.1    0.64.1

Vulnerability Intelligence

Miggo AI Root Cause Analysis

  1. The commit diff shows a direct modification of the validateBaseUrl regex pattern in URL.js.
  2. Security advisories explicitly reference validateBaseUrl as the vulnerable function.
  3. CWE-400 (Uncontrolled Resource Consumption) maps directly to the impact of a ReDoS.
  4. Multiple independent sources (GitHub Advisory, NVD, and Facebook's patch notes) converge on this function.
  5. The regex pattern shown in the pre-patch code matches known ReDoS patterns: nested quantifiers and ambiguous alternations, which let a crafted input force catastrophic backtracking.
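The root cause analysis above names nested quantifiers as the ReDoS trigger without showing the pattern. The following is an added example written for this page, not code from react-native, its URL.js, or Miggo: it uses a constructed, hypothetical host-validation regex (not the real validateBaseUrl pattern) whose repeated group contains a repeated class and an optional separator, shows that a failing input makes matching time grow exponentially with input length, and places the same language beside an unambiguous rewrite plus a length cap that keeps matching linear. The names `validateHostAmbiguous`, `validateHostHardened`, `adversarialInput` and the constant `MAX_HOST_LENGTH` are all assumptions made for the example.

```javascript
// Added example, not react-native or Miggo code. The patterns below are
// constructed for illustration and are NOT the validateBaseUrl regex.

// Vulnerable-style pattern: the outer "+" repeats a group whose own "+" can
// absorb any number of characters, and the separator is optional, so a run of
// n letters can be split between iterations in 2^(n-1) ways. When the match
// fails at the end of the input, the engine backtracks through all of them.
const AMBIGUOUS_HOST = /^(?:[a-z0-9]+\.?)+$/i;

// Hardened rewrite accepting the same strings: every additional label must
// start with a dot, so any input matches in exactly one way (linear time).
const UNAMBIGUOUS_HOST = /^[a-z0-9]+(?:\.[a-z0-9]+)*\.?$/i;

// Defensive length cap (constructed value) checked before any regex runs.
const MAX_HOST_LENGTH = 253;

function validateHostAmbiguous(s) {
  return typeof s === "string" && AMBIGUOUS_HOST.test(s);
}

function validateHostHardened(s) {
  if (typeof s !== "string" || s.length > MAX_HOST_LENGTH) return false;
  return UNAMBIGUOUS_HOST.test(s);
}

// Constructed failing input: n valid characters followed by one character
// that is never allowed, so the overall match can only fail after trying
// every way to split the prefix.
function adversarialInput(n) {
  return "a".repeat(n) + "!";
}

// Wall-clock time of a single regex test, in milliseconds.
function timeMs(re, input) {
  const t0 = performance.now();
  re.test(input);
  return performance.now() - t0;
}

// Both validators accept and reject the same well-formed inputs; the
// hardened one differs only in refusing over-long strings up front.
function agreeOnBenignInputs() {
  const samples = ["example.com", "a.b.c.", "localhost", "-bad", ".dot", "a..b", ""];
  return samples.every(s => validateHostAmbiguous(s) === validateHostHardened(s));
}

// Demonstration: the ambiguous pattern's time roughly doubles per extra
// character, the hardened pattern stays flat. Kept small so it finishes fast.
for (const n of [10, 15, 20]) {
  const input = adversarialInput(n);
  console.log(
    `n=${n}: ambiguous ${timeMs(AMBIGUOUS_HOST, input).toFixed(2)} ms, ` +
    `hardened ${timeMs(UNAMBIGUOUS_HOST, input).toFixed(2)} ms`
  );
}
```

Run it with `node` to see the growth; the useful defensive lesson is in the second pattern and the length cap: removing the ambiguity (each iteration must begin with a character that cannot also be consumed by the previous iteration) is what removes the backtracking, and capping input length before the regex runs bounds the damage of any pattern that still slips through.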

Vulnerable functions

Only Miggo users can see this section.

WAF Protection Rules

WAF Rule

A regular expression denial of service (ReDoS) vulnerability in the validateBaseUrl function can cause the application to use excessive resources, become unresponsive, or crash. This was introduced in react-native version 0.59.0 and fixed in version
