GMS-2016-14: Regular Expression Denial Of Service
uri-js is a module that tries to fully implement RFC . One of its features is validating whether a supplied URL is valid or not. To do this, uri-js uses a regular expression. This regular expression is vulnerable to ReDoS (regular expression denial of service): on certain inputs the program hangs and the CPU sits at % usage while uri-js is trying to determine whether the supplied URL is valid.
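The mitigation pattern for this class of bug, as an added example that is not uri-js code and does not reproduce the vulnerable regex: bound the input size before any matcher runs, then validate with a linear-time parser instead of a backtracking regular expression. The length cap, the allowed-scheme list and the sample inputs are assumptions constructed for the example.

```javascript
// Added example (not from uri-js): URL validation hardened against ReDoS.
// Layer 1: a hard length cap bounds the work any downstream matcher can do.
// Layer 2: the WHATWG URL parser (global in Node.js) is linear in input
//          length, so it cannot exhibit regex-style catastrophic backtracking.
const MAX_URL_LENGTH = 2048;                          // assumption: app-chosen cap
const ALLOWED_SCHEMES = new Set(['http:', 'https:']); // assumption: app policy

// Returns { ok, reason } so rejections can be logged and counted; a spike in
// 'too-long' rejections is a useful signal that someone is probing the parser.
function validateUrl(input) {
  if (typeof input !== 'string') return { ok: false, reason: 'not-a-string' };
  if (input.length > MAX_URL_LENGTH) return { ok: false, reason: 'too-long' };
  let parsed;
  try {
    parsed = new URL(input);                // throws TypeError on invalid input
  } catch (e) {
    return { ok: false, reason: 'unparseable' };
  }
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) return { ok: false, reason: 'scheme-not-allowed' };
  if (parsed.hostname.length === 0) return { ok: false, reason: 'empty-host' };
  return { ok: true, reason: null };
}

function isValidUrl(input) {
  return validateUrl(input).ok;
}

// Sample inputs, constructed for this example.
const SAMPLES = {
  ok: 'https://example.com/path?q=1',
  otherScheme: 'ftp://example.com/file',
  noHost: 'https://',
  oversized: 'https://example.com/' + 'a'.repeat(10000), // rejected before parsing
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, value] of Object.entries(SAMPLES)) {
    console.log(name, validateUrl(value));
  }
}
```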