CVE-2020-7661

HIGH

url-regex - Regular Expression Denial of Service via String.test

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-7661. PoCs published by spamscanner.

AI-analyzed exploit summary This repository provides a maintained and safe version of the `url-regex` package, resolving CVE-2020-7661 (a ReDoS vulnerability) by integrating RE2 for Node.js usage. It includes detailed documentation, usage examples, and configuration options for both Node.js and browser environments.

Description

all versions of url-regex are vulnerable to Regular Expression Denial of Service. An attacker providing a very long string in String.test can cause a Denial of Service.

Exploits (1)

nomisec WRITEUP 82 stars

by spamscanner · poc

https://github.com/spamscanner/url-regex-safe

View Code ZIP pw:eip

This repository provides a maintained and safe version of the `url-regex` package, resolving CVE-2020-7661 (a ReDoS vulnerability) by integrating RE2 for Node.js usage. It includes detailed documentation, usage examples, and configuration options for both Node.js and browser environments.

Classification

Writeup 95%

Attack Type

Dos

Complexity

Moderate

Reliability

Reliable

Target: url-regex (Node.js and browser environments)

No auth needed

Prerequisites: Node.js or browser environment · Dependency on vulnerable `url-regex` package

MITRE ATT&CK

T1499 - Endpoint Denial of Service

devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (2)

Core 2

Core References

Exploit, Third Party Advisory x_refsource_misc

https://github.com/kevva/url-regex/issues/70

Exploit, Third Party Advisory x_refsource_misc

https://snyk.io/vuln/SNYK-JS-URLREGEX-569472

Scores

CVSS v3 7.5

EPSS 0.0060

EPSS Percentile 70.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Details

CWE

CWE-400

Status published

Products (2)

npm/url-regex 0npm

url-regex_project/url-regex

Published Jun 04, 2020

Tracked Since Feb 18, 2026