High

url-regex CVE-2020-7661

Regular Expression Denial of Service in url-regex.

The problem

url-regex <= 5.0.0 (all published versions) is affected by CVE-2020-7661 (CWE-1333 Inefficient Regular Expression Complexity (ReDoS)). The published package has no fix available — exactly what npm audit reports. url-regex builds a regular expression for matching/validating URLs. Its host and domain sub-patterns contained nested quantifiers that backtrack catastrophically: a string like `http://` followed by a long run of host characters and one non-matching byte takes time quadratic-or-worse in the input length, so untrusted input can hang the event loop (a ~20 KB string already takes ~600 ms; larger inputs take many seconds).

The fix — drop-in, no code changes

Add an overrides entry so every direct and transitive dependency on url-regex resolves to the patched fork, then reinstall:

```json
{
  "overrides": {
    "url-regex": "npm:@keep-lts/url-regex@^5.0.1"
  }
}
```

For Yarn, put the same entry under `resolutions` instead of `overrides`. The public API is unchanged — nothing else to do.

✓ Live on npm: @keep-lts/url-regex  ·  or install directly: npm i @keep-lts/url-regex

What we changed

The host and domain sub-patterns are rewritten from `(?:[a-z0-9][-_]*)*[a-z0-9]+` to `[a-z0-9]+(?:[-_]+[a-z0-9]+)*` (and the `-`-only domain variant similarly). The two forms accept exactly the same hostnames — verified identical across a corpus of 27 URLs in all four strict/exact option combinations — but the rewrite removes the ambiguous overlap that caused backtracking, so matching is linear. Unlike `url-regex-safe`, which only avoids the ReDoS when the optional native `re2` module is installed (and silently falls back to the vulnerable engine otherwise), this fix is pure JavaScript and always safe.

Proof of concept (the vulnerability)

```javascript
// Run against url-regex 5.0.0 (the vulnerable release); exact mode anchors the
// pattern, so the single trailing '!' forces the full backtracking search.
const urlRegex = require('url-regex');
const re = urlRegex({ exact: true });
re.test('http://' + 'a'.repeat(200000) + '!'); // hangs for many seconds on 5.0.0
```

Patched version: @keep-lts/url-regex@5.0.1
Weekly downloads (affected pkg): 415,842
Regression tests: 5 passing
License: MIT

How we keep it trustworthy

Full advisory and changelog ship inside the package (SECURITY.md, CHANGELOG.md).
