4.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-36830

GHSA ID

GHSA-rw72-v6c7-hf9r

EPSS Score

0.23827%

CWE

CWE-1333

Published

9/2/2024

Updated

9/3/2024

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2020-36830

CVE-2020-36830: ReDoS in urlregex

A vulnerability was found in nescalante urlregex up to 0.5.0 and classified as problematic. This issue affects some unknown processing of the file index.js of the component Backtracking. The manipulation leads to inefficient regular expression complexity. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 0.5.1 is able to address this issue. The identifier of the patch is e5a085afe6abfaea1d1a78f54c45af9ef43ca1f9. It is recommended to upgrade the affected component.

(GitHub Advisory)

4.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-36830

GHSA ID

GHSA-rw72-v6c7-hf9r

EPSS Score

0.23827%

CWE

CWE-1333

Published

9/2/2024

Updated

9/3/2024

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
urlregex	npm	< 0.5.1	0.5.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the regex construction in index.js's exported function. The commit diff shows replacement of native RegExp with RE2 (a backtracking-resistant engine), confirming the original regex was vulnerable. The function builds patterns with nested quantifiers and alternations (visible in variables like protocol/auth/host) that could cause exponential backtracking. Attack vectors in test fixtures demonstrate exploitation via overly long auth components and domains. The patch's core mitigation was switching regex engines rather than pattern adjustments, indicating the regex-building function itself was the vulnerable component.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* vuln*r**ility w*s *oun* in n*s**l*nt* urlr***x up to *.*.* *n* *l*ssi*i** *s pro*l*m*ti*. T*is issu* *****ts som* unknown pro**ssin* o* t** *il* in**x.js o* t** *ompon*nt ***ktr**kin*. T** m*nipul*tion l***s to in***i*i*nt r**ul*r *xpr*ssion *ompl*

Reasoning

T** vuln*r**ility st*ms *rom t** r***x *onstru*tion in `in**x.js`'s *xport** `*un*tion`. T** *ommit *i** s*ows r*pl***m*nt o* n*tiv* `R***xp` wit* `R**` (* ***ktr**kin*-r*sist*nt *n*in*), *on*irmin* t** ori*in*l r***x w*s vuln*r**l*. T** `*un*tion` *

4.3

Basic Information

Concerned about an active attack path?

CVE-2020-36830: ReDoS in urlregex

4.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI