CWE-1333
AllowedInefficient Regular Expression Complexity
Abstraction: Base · Status: Draft
The product uses a regular expression with a worst-case computational complexity that is inefficient and possibly exponential.
724 vulnerabilities reference this CWE, most recent first.
CVE-2025-24026 (GCVE-0-2025-24026)
Vulnerability from cvelistv5 – Published: 2025-05-14 14:59 – Updated: 2025-05-14 15:10- CWE-1333 - Inefficient Regular Expression Complexity
| URL | Tags |
|---|---|
| https://github.com/Combodo/iTop/security/advisori… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-24026",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-14T15:10:48.040848Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-14T15:10:59.790Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "iTop",
"vendor": "Combodo",
"versions": [
{
"status": "affected",
"version": "\u003c 3.2.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "iTop is an web based IT Service Management tool. Versions prior to 3.2.1 are vulnerable to regular expression denial of service (ReDoS) that may, under some circumstances, affect iTop server. Version 3.2.1 doesn\u0027t use the affected variable in the regular expression. As a workaround, if iTop app_root_url is defined in the configuration file, then there is no possible way to exploit this ReDoS."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "CWE-1333: Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-14T14:59:47.581Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Combodo/iTop/security/advisories/GHSA-9g7f-jmc3-rrmf",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Combodo/iTop/security/advisories/GHSA-9g7f-jmc3-rrmf"
}
],
"source": {
"advisory": "GHSA-9g7f-jmc3-rrmf",
"discovery": "UNKNOWN"
},
"title": "iTop Inefficient Regular Expression Complexity vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-24026",
"datePublished": "2025-05-14T14:59:47.581Z",
"dateReserved": "2025-01-16T17:31:06.460Z",
"dateUpdated": "2025-05-14T15:10:59.790Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-10990 (GCVE-0-2025-10990)
Vulnerability from cvelistv5 – Published: 2026-02-27 13:32 – Updated: 2026-06-25 23:53- CWE-1333 - Inefficient Regular Expression Complexity
| URL | Tags |
|---|---|
| https://access.redhat.com/errata/RHSA-2025:17606 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2025:17613 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2025:17693 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/security/cve/CVE-2025-10990 | vdb-entryx_refsource_REDHAT |
| https://bugzilla.redhat.com/show_bug.cgi?id=2398216 | issue-trackingx_refsource_REDHAT |
| https://github.com/ruby/rexml/commit/ce59f2eb1aeb… | |
| https://github.com/ruby/rexml/security/advisories… | |
| https://www.ruby-lang.org/en/news/2024/10/28/redo… |
| Vendor | Product | Version | |
|---|---|---|---|
|
Unaffected:
6.17.5
Unaffected: 6.16.5.4 |
|||
| Red Hat | Red Hat Satellite 6.16 for RHEL 8 |
Unaffected:
0:8.8.1-3.el8sat , < *
(rpm)
cpe:/a:redhat:satellite:6.16::el8 cpe:/a:redhat:satellite:6.16::el9 cpe:/a:redhat:satellite_capsule:6.16::el8 cpe:/a:redhat:satellite_capsule:6.16::el9 cpe:/a:redhat:satellite_utils:6.16::el8 cpe:/a:redhat:satellite_utils:6.16::el9 |
|
| Red Hat | Red Hat Satellite 6.16 for RHEL 9 |
Unaffected:
0:8.8.1-3.el9sat , < *
(rpm)
cpe:/a:redhat:satellite:6.16::el8 cpe:/a:redhat:satellite:6.16::el9 cpe:/a:redhat:satellite_capsule:6.16::el8 cpe:/a:redhat:satellite_capsule:6.16::el9 cpe:/a:redhat:satellite_utils:6.16::el8 cpe:/a:redhat:satellite_utils:6.16::el9 |
|
| Red Hat | Red Hat Satellite 6.17 for RHEL 9 |
Unaffected:
0:8.8.1-3.el9sat , < *
(rpm)
cpe:/a:redhat:satellite:6.17::el9 cpe:/a:redhat:satellite_capsule:6.17::el9 cpe:/a:redhat:satellite_utils:6.17::el9 |
|
| Red Hat | Satellite Client 6 for RHEL 8 |
Unaffected:
0:7.34.0-4.el8sat , < *
(rpm)
cpe:/a:redhat:rhel_satellite_client:6::el8 cpe:/a:redhat:rhel_satellite_client:6::el9 |
|
| Red Hat | Satellite Client 6 for RHEL 9 |
Unaffected:
0:7.34.0-4.el9sat , < *
(rpm)
cpe:/a:redhat:rhel_satellite_client:6::el8 cpe:/a:redhat:rhel_satellite_client:6::el9 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-10990",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-27T18:43:48.686335Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-27T18:43:57.501Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.redhat.com/en/technologies/management/satellite",
"defaultStatus": "unaffected",
"packageName": "Red Hat Satellite",
"versions": [
{
"status": "unaffected",
"version": "6.17.5"
},
{
"status": "unaffected",
"version": "6.16.5.4"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:satellite:6.16::el8",
"cpe:/a:redhat:satellite:6.16::el9",
"cpe:/a:redhat:satellite_capsule:6.16::el8",
"cpe:/a:redhat:satellite_capsule:6.16::el9",
"cpe:/a:redhat:satellite_utils:6.16::el8",
"cpe:/a:redhat:satellite_utils:6.16::el9"
],
"defaultStatus": "affected",
"packageName": "puppet-agent",
"product": "Red Hat Satellite 6.16 for RHEL 8",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:8.8.1-3.el8sat",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:satellite:6.16::el8",
"cpe:/a:redhat:satellite:6.16::el9",
"cpe:/a:redhat:satellite_capsule:6.16::el8",
"cpe:/a:redhat:satellite_capsule:6.16::el9",
"cpe:/a:redhat:satellite_utils:6.16::el8",
"cpe:/a:redhat:satellite_utils:6.16::el9"
],
"defaultStatus": "affected",
"packageName": "puppet-agent",
"product": "Red Hat Satellite 6.16 for RHEL 8",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:8.8.1-3.el8sat",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:satellite:6.16::el8",
"cpe:/a:redhat:satellite:6.16::el9",
"cpe:/a:redhat:satellite_capsule:6.16::el8",
"cpe:/a:redhat:satellite_capsule:6.16::el9",
"cpe:/a:redhat:satellite_utils:6.16::el8",
"cpe:/a:redhat:satellite_utils:6.16::el9"
],
"defaultStatus": "affected",
"packageName": "puppet-agent",
"product": "Red Hat Satellite 6.16 for RHEL 9",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:8.8.1-3.el9sat",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:satellite:6.16::el8",
"cpe:/a:redhat:satellite:6.16::el9",
"cpe:/a:redhat:satellite_capsule:6.16::el8",
"cpe:/a:redhat:satellite_capsule:6.16::el9",
"cpe:/a:redhat:satellite_utils:6.16::el8",
"cpe:/a:redhat:satellite_utils:6.16::el9"
],
"defaultStatus": "affected",
"packageName": "puppet-agent",
"product": "Red Hat Satellite 6.16 for RHEL 9",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:8.8.1-3.el9sat",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:satellite:6.17::el9",
"cpe:/a:redhat:satellite_capsule:6.17::el9",
"cpe:/a:redhat:satellite_utils:6.17::el9"
],
"defaultStatus": "affected",
"packageName": "puppet-agent",
"product": "Red Hat Satellite 6.17 for RHEL 9",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:8.8.1-3.el9sat",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:satellite:6.17::el9",
"cpe:/a:redhat:satellite_capsule:6.17::el9",
"cpe:/a:redhat:satellite_utils:6.17::el9"
],
"defaultStatus": "affected",
"packageName": "puppet-agent",
"product": "Red Hat Satellite 6.17 for RHEL 9",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:8.8.1-3.el9sat",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:rhel_satellite_client:6::el8",
"cpe:/a:redhat:rhel_satellite_client:6::el9"
],
"defaultStatus": "affected",
"packageName": "puppet-agent",
"product": "Satellite Client 6 for RHEL 8",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:7.34.0-4.el8sat",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:rhel_satellite_client:6::el8",
"cpe:/a:redhat:rhel_satellite_client:6::el9"
],
"defaultStatus": "affected",
"packageName": "puppet-agent",
"product": "Satellite Client 6 for RHEL 9",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:7.34.0-4.el9sat",
"versionType": "rpm"
}
]
}
],
"datePublic": "2025-09-25T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in REXML. A remote attacker could exploit inefficient regular expression (regex) parsing when processing hex numeric character references (\u0026#x...;) in XML documents. This could lead to a Regular Expression Denial of Service (ReDoS), impacting the availability of the affected component. This issue is the result of an incomplete fix for CVE-2024-49761."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Moderate"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T23:53:54.096Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "RHSA-2025:17606",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2025:17606"
},
{
"name": "RHSA-2025:17613",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2025:17613"
},
{
"name": "RHSA-2025:17693",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2025:17693"
},
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2025-10990"
},
{
"name": "RHBZ#2398216",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2398216"
},
{
"url": "https://github.com/ruby/rexml/commit/ce59f2eb1aeb371fe1643414f06618dbe031979f"
},
{
"url": "https://github.com/ruby/rexml/security/advisories/GHSA-2rxp-v6pw-ch6m"
},
{
"url": "https://www.ruby-lang.org/en/news/2024/10/28/redos-rexml-cve-2024-49761/"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-09-25T00:00:00.000Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2025-09-25T00:00:00.000Z",
"value": "Made public."
}
],
"title": "Rexml: rexml: denial of service via inefficient regex parsing",
"workarounds": [
{
"lang": "en",
"value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."
}
],
"x_generator": {
"engine": "cvelib 1.8.0"
},
"x_redhatCweChain": "CWE-1333: Inefficient Regular Expression Complexity"
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2025-10990",
"datePublished": "2026-02-27T13:32:02.309Z",
"dateReserved": "2025-09-25T17:30:55.821Z",
"dateUpdated": "2026-06-25T23:53:54.096Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-9670 (GCVE-0-2025-9670)
Vulnerability from cvelistv5 – Published: 2025-08-29 19:02 – Updated: 2025-08-29 19:19| URL | Tags |
|---|---|
| https://vuldb.com/?id.321880 | vdb-entry |
| https://vuldb.com/?ctiid.321880 | signaturepermissions-required |
| https://vuldb.com/?submit.637911 | third-party-advisory |
| https://github.com/mixmark-io/turndown/issues/501 | issue-tracking |
| https://github.com/mixmark-io/turndown/issues/501… | exploitissue-tracking |
| Vendor | Product | Version | |
|---|---|---|---|
| mixmark-io | turndown |
Affected:
7.2.0
Affected: 7.2.1 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-9670",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-29T19:18:59.767313Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-29T19:19:09.813Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "turndown",
"vendor": "mixmark-io",
"versions": [
{
"status": "affected",
"version": "7.2.0"
},
{
"status": "affected",
"version": "7.2.1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "CrazzyHe (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A security flaw has been discovered in mixmark-io turndown up to 7.2.1. This affects an unknown function of the file src/commonmark-rules.js. Performing manipulation results in inefficient regular expression complexity. It is possible to initiate the attack remotely. The exploit has been released to the public and may be exploited."
},
{
"lang": "de",
"value": "Eine Schwachstelle wurde in mixmark-io turndown bis 7.2.1 gefunden. Hierbei betrifft es unbekannten Programmcode der Datei src/commonmark-rules.js. Mittels Manipulieren mit unbekannten Daten kann eine inefficient regular expression complexity-Schwachstelle ausgenutzt werden. Der Angriff l\u00e4sst sich \u00fcber das Netzwerk starten. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 5,
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-29T19:02:08.787Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-321880 | mixmark-io turndown commonmark-rules.js redos",
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/?id.321880"
},
{
"name": "VDB-321880 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.321880"
},
{
"name": "Submit #637911 | turndown npm v7.2.1 Inefficient Regular Expression Complexity",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.637911"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/mixmark-io/turndown/issues/501"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/mixmark-io/turndown/issues/501#issue-3336342088"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-08-29T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-08-29T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-08-29T12:10:55.000Z",
"value": "VulDB entry last update"
}
],
"title": "mixmark-io turndown commonmark-rules.js redos"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-9670",
"datePublished": "2025-08-29T19:02:08.787Z",
"dateReserved": "2025-08-29T10:03:52.218Z",
"dateUpdated": "2025-08-29T19:19:09.813Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-9308 (GCVE-0-2025-9308)
Vulnerability from cvelistv5 – Published: 2025-08-21 16:02 – Updated: 2025-08-21 17:32 Unsupported When Assigned| URL | Tags |
|---|---|
| https://vuldb.com/?id.320913 | vdb-entrytechnical-description |
| https://vuldb.com/?ctiid.320913 | signaturepermissions-required |
| https://vuldb.com/?submit.633486 | third-party-advisory |
| https://github.com/yarnpkg/yarn/pull/9203 | issue-tracking |
| Vendor | Product | Version | |
|---|---|---|---|
| yarnpkg | Yarn |
Affected:
1.22.0
Affected: 1.22.1 Affected: 1.22.2 Affected: 1.22.3 Affected: 1.22.4 Affected: 1.22.5 Affected: 1.22.6 Affected: 1.22.7 Affected: 1.22.8 Affected: 1.22.9 Affected: 1.22.10 Affected: 1.22.11 Affected: 1.22.12 Affected: 1.22.13 Affected: 1.22.14 Affected: 1.22.15 Affected: 1.22.16 Affected: 1.22.17 Affected: 1.22.18 Affected: 1.22.19 Affected: 1.22.20 Affected: 1.22.21 Affected: 1.22.22 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-9308",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-21T17:24:36.331263Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-21T17:32:14.661Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/yarnpkg/yarn/pull/9203"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Yarn",
"vendor": "yarnpkg",
"versions": [
{
"status": "affected",
"version": "1.22.0"
},
{
"status": "affected",
"version": "1.22.1"
},
{
"status": "affected",
"version": "1.22.2"
},
{
"status": "affected",
"version": "1.22.3"
},
{
"status": "affected",
"version": "1.22.4"
},
{
"status": "affected",
"version": "1.22.5"
},
{
"status": "affected",
"version": "1.22.6"
},
{
"status": "affected",
"version": "1.22.7"
},
{
"status": "affected",
"version": "1.22.8"
},
{
"status": "affected",
"version": "1.22.9"
},
{
"status": "affected",
"version": "1.22.10"
},
{
"status": "affected",
"version": "1.22.11"
},
{
"status": "affected",
"version": "1.22.12"
},
{
"status": "affected",
"version": "1.22.13"
},
{
"status": "affected",
"version": "1.22.14"
},
{
"status": "affected",
"version": "1.22.15"
},
{
"status": "affected",
"version": "1.22.16"
},
{
"status": "affected",
"version": "1.22.17"
},
{
"status": "affected",
"version": "1.22.18"
},
{
"status": "affected",
"version": "1.22.19"
},
{
"status": "affected",
"version": "1.22.20"
},
{
"status": "affected",
"version": "1.22.21"
},
{
"status": "affected",
"version": "1.22.22"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "mmmsssttt (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been found in yarnpkg Yarn up to 1.22.22. This impacts the function setOptions of the file src/util/request-manager.js. Such manipulation leads to inefficient regular expression complexity. Local access is required to approach this attack. This vulnerability only affects products that are no longer supported by the maintainer."
},
{
"lang": "de",
"value": "Es wurde eine Schwachstelle in yarnpkg Yarn bis 1.22.22 entdeckt. Betroffen hiervon ist die Funktion setOptions der Datei src/util/request-manager.js. Mittels dem Manipulieren mit unbekannten Daten kann eine inefficient regular expression complexity-Schwachstelle ausgenutzt werden. Der Angriff muss auf lokaler Ebene erfolgen."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 3.3,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:X/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 3.3,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:X/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 1.7,
"vectorString": "AV:L/AC:L/Au:S/C:N/I:N/A:P/E:ND/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-21T16:02:12.172Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-320913 | yarnpkg Yarn request-manager.js setOptions redos",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.320913"
},
{
"name": "VDB-320913 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.320913"
},
{
"name": "Submit #633486 | yarn Yarn src/util/request-manager.js v1.22.22 Inefficient Regular Expression Complexity",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.633486"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/yarnpkg/yarn/pull/9203"
}
],
"tags": [
"unsupported-when-assigned"
],
"timeline": [
{
"lang": "en",
"time": "2025-08-21T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-08-21T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-08-21T08:03:40.000Z",
"value": "VulDB entry last update"
}
],
"title": "yarnpkg Yarn request-manager.js setOptions redos"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-9308",
"datePublished": "2025-08-21T16:02:12.172Z",
"dateReserved": "2025-08-21T05:58:24.411Z",
"dateUpdated": "2025-08-21T17:32:14.661Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-8262 (GCVE-0-2025-8262)
Vulnerability from cvelistv5 – Published: 2025-07-28 07:02 – Updated: 2025-07-28 17:16| URL | Tags |
|---|---|
| https://vuldb.com/?id.317850 | vdb-entrytechnical-description |
| https://vuldb.com/?ctiid.317850 | signaturepermissions-required |
| https://vuldb.com/?submit.617393 | third-party-advisory |
| https://github.com/yarnpkg/yarn/pull/9199 | issue-tracking |
| https://github.com/yarnpkg/yarn/pull/9199/commits… | issue-trackingpatch |
| Vendor | Product | Version | |
|---|---|---|---|
| yarnpkg | Yarn |
Affected:
1.22.0
Affected: 1.22.1 Affected: 1.22.2 Affected: 1.22.3 Affected: 1.22.4 Affected: 1.22.5 Affected: 1.22.6 Affected: 1.22.7 Affected: 1.22.8 Affected: 1.22.9 Affected: 1.22.10 Affected: 1.22.11 Affected: 1.22.12 Affected: 1.22.13 Affected: 1.22.14 Affected: 1.22.15 Affected: 1.22.16 Affected: 1.22.17 Affected: 1.22.18 Affected: 1.22.19 Affected: 1.22.20 Affected: 1.22.21 Affected: 1.22.22 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-8262",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-28T17:13:41.425895Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-28T17:16:45.501Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Yarn",
"vendor": "yarnpkg",
"versions": [
{
"status": "affected",
"version": "1.22.0"
},
{
"status": "affected",
"version": "1.22.1"
},
{
"status": "affected",
"version": "1.22.2"
},
{
"status": "affected",
"version": "1.22.3"
},
{
"status": "affected",
"version": "1.22.4"
},
{
"status": "affected",
"version": "1.22.5"
},
{
"status": "affected",
"version": "1.22.6"
},
{
"status": "affected",
"version": "1.22.7"
},
{
"status": "affected",
"version": "1.22.8"
},
{
"status": "affected",
"version": "1.22.9"
},
{
"status": "affected",
"version": "1.22.10"
},
{
"status": "affected",
"version": "1.22.11"
},
{
"status": "affected",
"version": "1.22.12"
},
{
"status": "affected",
"version": "1.22.13"
},
{
"status": "affected",
"version": "1.22.14"
},
{
"status": "affected",
"version": "1.22.15"
},
{
"status": "affected",
"version": "1.22.16"
},
{
"status": "affected",
"version": "1.22.17"
},
{
"status": "affected",
"version": "1.22.18"
},
{
"status": "affected",
"version": "1.22.19"
},
{
"status": "affected",
"version": "1.22.20"
},
{
"status": "affected",
"version": "1.22.21"
},
{
"status": "affected",
"version": "1.22.22"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "mmmsssttt (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in yarnpkg Yarn up to 1.22.22. It has been classified as problematic. Affected is the function explodeHostedGitFragment of the file src/resolvers/exotics/hosted-git-resolver.js. The manipulation leads to inefficient regular expression complexity. It is possible to launch the attack remotely. The patch is identified as 97731871e674bf93bcbf29e9d3258da8685f3076. It is recommended to apply a patch to fix this issue."
},
{
"lang": "de",
"value": "Es wurde eine problematische Schwachstelle in yarnpkg Yarn bis 1.22.22 ausgemacht. Es betrifft die Funktion explodeHostedGitFragment der Datei src/resolvers/exotics/hosted-git-resolver.js. Mittels dem Manipulieren mit unbekannten Daten kann eine inefficient regular expression complexity-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk erfolgen. Der Patch wird als 97731871e674bf93bcbf29e9d3258da8685f3076 bezeichnet. Als bestm\u00f6gliche Massnahme wird Patching empfohlen."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:X/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:X/RL:O/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 4,
"vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P/E:ND/RL:OF/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-28T07:02:05.616Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-317850 | yarnpkg Yarn hosted-git-resolver.js explodeHostedGitFragment redos",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.317850"
},
{
"name": "VDB-317850 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.317850"
},
{
"name": "Submit #617393 | Yarn v1.22.22 Inefficient Regular Expression Complexity",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.617393"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/yarnpkg/yarn/pull/9199"
},
{
"tags": [
"issue-tracking",
"patch"
],
"url": "https://github.com/yarnpkg/yarn/pull/9199/commits/97731871e674bf93bcbf29e9d3258da8685f3076"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-07-26T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-07-26T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-07-26T18:29:39.000Z",
"value": "VulDB entry last update"
}
],
"title": "yarnpkg Yarn hosted-git-resolver.js explodeHostedGitFragment redos"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-8262",
"datePublished": "2025-07-28T07:02:05.616Z",
"dateReserved": "2025-07-26T16:24:06.079Z",
"dateUpdated": "2025-07-28T17:16:45.501Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-7579 (GCVE-0-2025-7579)
Vulnerability from cvelistv5 – Published: 2025-07-14 06:14 – Updated: 2025-07-14 13:08| URL | Tags |
|---|---|
| https://vuldb.com/?id.316277 | vdb-entry |
| https://vuldb.com/?ctiid.316277 | signaturepermissions-required |
| https://vuldb.com/?submit.609704 | third-party-advisory |
| https://github.com/chinese-poetry/chinese-poetry/… | issue-tracking |
| https://github.com/chinese-poetry/chinese-poetry/… | exploitissue-tracking |
| Vendor | Product | Version | |
|---|---|---|---|
| n/a | chinese-poetry |
Affected:
0.1
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-7579",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-14T13:05:33.108252Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-14T13:08:00.410Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "chinese-poetry",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "0.1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "DayShift (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in chinese-poetry 0.1. It has been rated as problematic. This issue affects some unknown processing of the file rank/server.js. The manipulation leads to inefficient regular expression complexity. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used."
},
{
"lang": "de",
"value": "Eine Schwachstelle wurde in chinese-poetry 0.1 ausgemacht. Sie wurde als problematisch eingestuft. Dies betrifft einen unbekannten Teil der Datei rank/server.js. Mittels dem Manipulieren mit unbekannten Daten kann eine inefficient regular expression complexity-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk passieren. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 4,
"vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-14T06:14:06.008Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-316277 | chinese-poetry server.js redos",
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/?id.316277"
},
{
"name": "VDB-316277 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.316277"
},
{
"name": "Submit #609704 | chinese-poetry \u003c=v0.1 Inefficient Regular Expression Complexity",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.609704"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/chinese-poetry/chinese-poetry/issues/396"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/chinese-poetry/chinese-poetry/issues/396#issue-3204562392"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-07-13T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-07-13T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-07-13T09:55:06.000Z",
"value": "VulDB entry last update"
}
],
"title": "chinese-poetry server.js redos"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-7579",
"datePublished": "2025-07-14T06:14:06.008Z",
"dateReserved": "2025-07-13T07:50:03.655Z",
"dateUpdated": "2025-07-14T13:08:00.410Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-7074 (GCVE-0-2025-7074)
Vulnerability from cvelistv5 – Published: 2025-07-05 09:02 – Updated: 2025-07-07 16:06| URL | Tags |
|---|---|
| https://vuldb.com/?id.314973 | vdb-entrytechnical-description |
| https://vuldb.com/?ctiid.314973 | signaturepermissions-required |
| https://vuldb.com/?submit.602353 | third-party-advisory |
| https://github.com/vercel/hyper/issues/8098 | exploitissue-tracking |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-7074",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-07T16:06:51.371292Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-07T16:06:53.818Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/vercel/hyper/issues/8098"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "hyper",
"vendor": "vercel",
"versions": [
{
"status": "affected",
"version": "3.4.0"
},
{
"status": "affected",
"version": "3.4.1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "DayShift (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability classified as problematic has been found in vercel hyper up to 3.4.1. This affects the function expand/braceExpand/ignoreMap of the file hyper/bin/rimraf-standalone.js. The manipulation leads to inefficient regular expression complexity. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used."
},
{
"lang": "de",
"value": "Es wurde eine Schwachstelle in vercel hyper bis 3.4.1 entdeckt. Sie wurde als problematisch eingestuft. Dabei betrifft es die Funktion expand/braceExpand/ignoreMap der Datei hyper/bin/rimraf-standalone.js. Durch Beeinflussen mit unbekannten Daten kann eine inefficient regular expression complexity-Schwachstelle ausgenutzt werden. Die Umsetzung des Angriffs kann dabei \u00fcber das Netzwerk erfolgen. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 4,
"vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-05T09:02:05.339Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-314973 | vercel hyper rimraf-standalone.js ignoreMap redos",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.314973"
},
{
"name": "VDB-314973 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.314973"
},
{
"name": "Submit #602353 | vercel hyper \u003e=18.2.79 Inefficient Regular Expression Complexity",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.602353"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/vercel/hyper/issues/8098"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-07-04T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-07-04T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-07-04T18:52:51.000Z",
"value": "VulDB entry last update"
}
],
"title": "vercel hyper rimraf-standalone.js ignoreMap redos"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-7074",
"datePublished": "2025-07-05T09:02:05.339Z",
"dateReserved": "2025-07-04T16:47:23.277Z",
"dateUpdated": "2025-07-07T16:06:53.818Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-6998 (GCVE-0-2025-6998)
Vulnerability from cvelistv5 – Published: 2025-07-24 19:39 – Updated: 2025-07-25 13:17- CWE-1333 - Inefficient Regular Expression Complexity
| URL | Tags |
|---|---|
| https://fluidattacks.com/advisories/megadeth | third-party-advisory |
| https://github.com/janeczku/calibre-web | product |
| https://github.com/gelbphoenix/autocaliweb | product |
| Vendor | Product | Version | |
|---|---|---|---|
| Calibre Web | Calibre Web |
Affected:
0.6.24
(custom)
|
|
| Autocaliweb | Autocaliweb |
Affected:
0.7.0 , < 0.7.1
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-6998",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-24T19:50:08.633333Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-24T19:50:16.388Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Linux"
],
"product": "Calibre Web",
"vendor": "Calibre Web",
"versions": [
{
"status": "affected",
"version": "0.6.24",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"platforms": [
"Linux"
],
"product": "Autocaliweb",
"vendor": "Autocaliweb",
"versions": [
{
"lessThan": "0.7.1",
"status": "affected",
"version": "0.7.0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:calibre_web:calibre_web:0.6.24:*:linux:*:*:*:*:*",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:autocaliweb:autocaliweb:*:*:linux:*:*:*:*:*",
"versionEndExcluding": "0.7.1",
"versionStartIncluding": "0.7.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eReDoS in strip_whitespaces() function in cps/string_helper.py\u003c/span\u003e in Calibre Web and Autocaliweb allows\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eunauthenticated remote attackers to cause denial of service via specially crafted username parameter that triggers catastrophic backtracking during login.\u0026nbsp;\u003c/span\u003eThis issue affects Calibre Web: 0.6.24 (Nicolette); Autocaliweb: from 0.7.0 before 0.7.1."
}
],
"value": "ReDoS in strip_whitespaces() function in cps/string_helper.py in Calibre Web and Autocaliweb allows\u00a0unauthenticated remote attackers to cause denial of service via specially crafted username parameter that triggers catastrophic backtracking during login.\u00a0This issue affects Calibre Web: 0.6.24 (Nicolette); Autocaliweb: from 0.7.0 before 0.7.1."
}
],
"impacts": [
{
"capecId": "CAPEC-492",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-492 Regular Expression Exponential Blowup"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "CWE-1333 Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-25T13:17:33.295Z",
"orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
"shortName": "Fluid Attacks"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://fluidattacks.com/advisories/megadeth"
},
{
"tags": [
"product"
],
"url": "https://github.com/janeczku/calibre-web"
},
{
"tags": [
"product"
],
"url": "https://github.com/gelbphoenix/autocaliweb"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Calibre Web 0.6.24 \u0026 Autocaliweb 0.7.0 - ReDoS",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
"assignerShortName": "Fluid Attacks",
"cveId": "CVE-2025-6998",
"datePublished": "2025-07-24T19:39:17.709Z",
"dateReserved": "2025-07-01T23:26:57.856Z",
"dateUpdated": "2025-07-25T13:17:33.295Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-6638 (GCVE-0-2025-6638)
Vulnerability from cvelistv5 – Published: 2025-09-12 10:46 – Updated: 2025-09-12 11:52- CWE-1333 - Inefficient Regular Expression Complexity
| Vendor | Product | Version | |
|---|---|---|---|
| huggingface | huggingface/transformers |
Affected:
unspecified , < 4.53.0
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-6638",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-12T11:52:42.923436Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-12T11:52:53.854Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "huggingface/transformers",
"vendor": "huggingface",
"versions": [
{
"lessThan": "4.53.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically affecting the MarianTokenizer\u0027s `remove_language_code()` method. This vulnerability is present in version 4.52.4 and has been fixed in version 4.53.0. The issue arises from inefficient regex processing, which can be exploited by crafted input strings containing malformed language code patterns, leading to excessive CPU consumption and potential denial of service."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "CWE-1333 Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-12T10:46:07.934Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntr_ai"
},
"references": [
{
"url": "https://huntr.com/bounties/6a6c933f-9ce8-4ded-8b3b-2c1444c61f36"
},
{
"url": "https://github.com/huggingface/transformers/commit/47c34fba5c303576560cb29767efb452ff12b8be"
}
],
"source": {
"advisory": "6a6c933f-9ce8-4ded-8b3b-2c1444c61f36",
"discovery": "EXTERNAL"
},
"title": "Regular Expression Denial of Service (ReDoS) in huggingface/transformers"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntr_ai",
"cveId": "CVE-2025-6638",
"datePublished": "2025-09-12T10:46:07.934Z",
"dateReserved": "2025-06-25T14:07:29.841Z",
"dateUpdated": "2025-09-12T11:52:53.854Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-6493 (GCVE-0-2025-6493)
Vulnerability from cvelistv5 – Published: 2025-06-22 22:00 – Updated: 2025-09-29 13:48| URL | Tags |
|---|---|
| https://vuldb.com/?id.313610 | vdb-entrytechnical-description |
| https://vuldb.com/?ctiid.313610 | signaturepermissions-required |
| https://vuldb.com/?submit.598875 | third-party-advisory |
| https://github.com/codemirror/codemirror5/issues/7128 | exploitissue-tracking |
| Vendor | Product | Version | |
|---|---|---|---|
| n/a | CodeMirror |
Affected:
5.65.0
Affected: 5.65.1 Affected: 5.65.2 Affected: 5.65.3 Affected: 5.65.4 Affected: 5.65.5 Affected: 5.65.6 Affected: 5.65.7 Affected: 5.65.8 Affected: 5.65.9 Affected: 5.65.10 Affected: 5.65.11 Affected: 5.65.12 Affected: 5.65.13 Affected: 5.65.14 Affected: 5.65.15 Affected: 5.65.16 Affected: 5.65.17 Affected: 5.65.18 Affected: 5.65.19 Affected: 5.65.20 Unaffected: 6.0 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-6493",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-23T15:43:06.172562Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-23T16:15:08.882Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"Markdown Mode"
],
"product": "CodeMirror",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "5.65.0"
},
{
"status": "affected",
"version": "5.65.1"
},
{
"status": "affected",
"version": "5.65.2"
},
{
"status": "affected",
"version": "5.65.3"
},
{
"status": "affected",
"version": "5.65.4"
},
{
"status": "affected",
"version": "5.65.5"
},
{
"status": "affected",
"version": "5.65.6"
},
{
"status": "affected",
"version": "5.65.7"
},
{
"status": "affected",
"version": "5.65.8"
},
{
"status": "affected",
"version": "5.65.9"
},
{
"status": "affected",
"version": "5.65.10"
},
{
"status": "affected",
"version": "5.65.11"
},
{
"status": "affected",
"version": "5.65.12"
},
{
"status": "affected",
"version": "5.65.13"
},
{
"status": "affected",
"version": "5.65.14"
},
{
"status": "affected",
"version": "5.65.15"
},
{
"status": "affected",
"version": "5.65.16"
},
{
"status": "affected",
"version": "5.65.17"
},
{
"status": "affected",
"version": "5.65.18"
},
{
"status": "affected",
"version": "5.65.19"
},
{
"status": "affected",
"version": "5.65.20"
},
{
"status": "unaffected",
"version": "6.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "DayShift (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A weakness has been identified in CodeMirror up to 5.65.20. Affected is an unknown function of the file mode/markdown/markdown.js of the component Markdown Mode. This manipulation causes inefficient regular expression complexity. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be exploited. Upgrading to version 6.0 is able to address this issue. You should upgrade the affected component. Not all code samples mentioned in the GitHub issue can be found. The repository mentions, that \"CodeMirror 6 exists, and is [...] much more actively maintained.\""
},
{
"lang": "de",
"value": "In CodeMirror up to 5.65.20 wurde eine Schwachstelle gefunden. Hierbei geht es um eine nicht exakt ausgemachte Funktion der Datei mode/markdown/markdown.js der Komponente Markdown Mode. Durch Beeinflussen mit unbekannten Daten kann eine inefficient regular expression complexity-Schwachstelle ausgenutzt werden. Die Umsetzung des Angriffs kann dabei \u00fcber das Netzwerk erfolgen. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung. Das Problem kann durch ein Upgrade auf Version 6.0 adressiert werden. Als bestm\u00f6gliche Massnahme wird das Einspielen eines Upgrades empfohlen."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 5,
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P/E:POC/RL:OF/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T13:48:37.784Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-313610 | CodeMirror Markdown Mode markdown.js redos",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.313610"
},
{
"name": "VDB-313610 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.313610"
},
{
"name": "Submit #598875 | codemirror codemirror5 \u003c=5.17.0 Inefficient Regular Expression Complexity",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.598875"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/codemirror/codemirror5/issues/7128"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-06-22T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-06-22T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-09-29T15:53:16.000Z",
"value": "VulDB entry last update"
}
],
"title": "CodeMirror Markdown Mode markdown.js redos"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-6493",
"datePublished": "2025-06-22T22:00:10.483Z",
"dateReserved": "2025-06-22T06:17:29.313Z",
"dateUpdated": "2025-09-29T13:48:37.784Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Mitigation
Use regular expressions that do not support backtracking, e.g. by removing nested quantifiers.
Mitigation
Set backtracking limits in the configuration of the regular expression implementation, such as PHP's pcre.backtrack_limit. Also consider limits on execution time for the process.
Mitigation
Do not use regular expressions with untrusted input. If regular expressions must be used, avoid using backtracking in the expression.
Mitigation
Limit the length of the input that the regular expression will process.
CAPEC-492: Regular Expression Exponential Blowup
An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions.