diff --git a/__tests__/resolvers/exotics/hosted-git-resolver.js b/__tests__/resolvers/exotics/hosted-git-resolver.js
index 403e14374a..260b26ebf2 100644
--- a/__tests__/resolvers/exotics/hosted-git-resolver.js
+++ b/__tests__/resolvers/exotics/hosted-git-resolver.js
@@ -28,3 +28,13 @@ const reporter = new reporters.NoopReporter({});
     expect(explodeHostedGitFragment(fragment, reporter).hash).toEqual(hash);
   });
 });
+describe('explodeHostedGitFragment DOS vulnerability test', () => {
+  const MAX_MS = 200;
+  test('long fragment without # should finish quickly and throw', () => {
+    const longFragment = '' + '\u0000'.repeat(100000) + '\u0000';
+    const start = Date.now();
+    expect(() => explodeHostedGitFragment(longFragment, reporter)).toThrow();
+    const duration = Date.now() - start;
+    expect(duration).toBeLessThan(MAX_MS);
+  });
+});
diff --git a/src/resolvers/exotics/hosted-git-resolver.js b/src/resolvers/exotics/hosted-git-resolver.js
index 83d4ab20b0..aa6ab043da 100644
--- a/src/resolvers/exotics/hosted-git-resolver.js
+++ b/src/resolvers/exotics/hosted-git-resolver.js
@@ -30,8 +30,9 @@ export function explodeHostedGitFragment(fragment: string, reporter: Reporter):
   }
   const parts = fragment
-    .replace(/(.*?)#.*/, '$1') // Strip hash
-    .replace(/.*:(.*)/, '$1') // Strip prefixed protocols
+    .split('#', 1)[0]
+    .split(':')
+    .pop()
     .replace(/.git$/, '') // Strip the .git suffix
     .split('/');
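Review bot: The regression test pins a wall-clock bound of 200 ms (`MAX_MS`) on `Date.now()` deltas, which will be flaky on a loaded CI runner even though the fixed code is linear; the pre-fix regex presumably took far longer than that on a 100000-character input, so a looser bound such as `const MAX_MS = 2000;` still catches a reintroduced quadratic path without producing spurious failures. The fragment construction `'' + '\u0000'.repeat(100000) + '\u0000'` has a no-op `''` prefix and a trailing `'\u0000'` that adds nothing the `repeat` does not already cover; `const longFragment = '\u0000'.repeat(100000);` says the same thing. Consider also asserting on the thrown error's message rather than a bare `toThrow()`, so the test distinguishes the expected "invalid fragment" rejection from an unrelated exception; the exact message is not visible in this hunk. A one-line comment above the `describe` naming the regression it guards against (the catastrophic backtracking of the former `/(.*?)#.*/` replace on long inputs with no `#`) would explain the timing assertion to the next maintainer.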
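Review bot: The new `.split(':').pop()` step drops the explanatory comments the removed regex lines carried and leaves no trace of why the regexes were replaced, so a future cleanup could reintroduce `/(.*?)#.*/` and its quadratic backtracking on long fragments without a `#`. Keep the intent on the chain, e.g. `.split('#', 1)[0] // Strip hash (split, not regex: lazy .*? backtracks quadratically on long inputs)` and `.pop() // Keep the text after the last ':' (strip prefixed protocols)`. `pop()` on the result of `split` can never be `undefined` at runtime (split always yields at least one element), but its declared return type is nullable, so the subsequent `.replace` may need a type-checker nudge; `noHash.slice(noHash.lastIndexOf(':') + 1)` expresses the same "after the last colon" rule without the nullable intermediate or the array allocation. The `.replace(/.git$/, '')` context line has an unescaped `.`, so it also strips suffixes like `xgit`; that is pre-existing, but `/\.git$/` is the intended pattern if this line is touched again. The body of `explodeHostedGitFragment` continues outside the hunk.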