CVE-2020-26304: 
JavaScript vulnerability analysis and mitigation

Foundation, a front-end framework, was found to contain a vulnerability in versions 6.3.3 and prior where one or more regular expressions were susceptible to Regular Expression Denial of Service (ReDoS). The vulnerability was discovered by GitHub Security Lab team member Erik Krogh Kristensen and was assigned CVE-2020-26304 (GitHub Advisory, NVD).

The vulnerability involves poorly constructed regular expressions that can exhibit exponential backtracking behavior (O(2^n) runtime performance). Three URL regular expressions were identified as vulnerable through CodeQL analysis. The issue received a CVSS v3.1 base score of 7.5 (HIGH) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating a high-severity vulnerability with network accessibility and no required privileges or user interaction (NVD).

While Foundation is primarily a frontend framework, the vulnerability could lead to denial of service attacks. If a server pre-fills inputs and an attacker controls those inputs, they could potentially crash victims' browsers. The vulnerability primarily affects the URL validation functionality in the framework (GitHub Advisory).

As of the initial disclosure, no fixes were available for this vulnerability. Recent reports from December 2024 indicate that the vulnerability remains unaddressed, with the problematic regex code last modified in 2018 (GitHub Issue).

The vulnerability has been acknowledged by the Foundation team, though initial responses suggesting it might have been fixed among other vulnerability updates in 2021 proved incorrect. The issue continues to be reported by various security tools including AWS Inspector as of January 2025 (GitHub Issue).