Severity: high

Regular Expression Denial of Service



All versions of url-regex are vulnerable to a Regular Expression Denial of Service. An attacker providing a very long string in String.test can cause a Denial of Service.


There are no patches and the software is not currently maintained. The security researcher who found the issue has released url-regex-safe as an alternative.


Have content suggestions? Send them to [email protected]

Advisory timeline

  1. published

    Advisory Published
    Aug 17th, 2020
  2. reported

    Reported by niftylettuce
    Aug 17th, 2020