Common Weakness Enumeration

CWE-1333

Allowed

Inefficient Regular Expression Complexity

Abstraction: Base · Status: Draft

The product uses a regular expression with a worst-case computational complexity that is inefficient and possibly exponential.

732 vulnerabilities reference this CWE, most recent first.

GHSA-2WW3-FXVQ-293J

Vulnerability from github – Published: 2021-09-29 17:14 – Updated: 2024-10-07 15:09
VLAI
Summary
NLTK Vulnerable to REDoS
Details

The nltk package is vulnerable to ReDoS (regular expression denial of service). An attacker that is able to provide as an input to the [_read_comparison_block()(https://github.com/nltk/nltk/blob/23f4b1c4b4006b0cb3ec278e801029557cec4e82/nltk/corpus/reader/comparative_sents.py#L259) function in the file nltk/corpus/reader/comparative_sents.py may cause an application to consume an excessive amount of CPU.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "nltk"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.6.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-3828"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333",
      "CWE-697"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-09-28T20:49:37Z",
    "nvd_published_at": "2021-09-27T13:15:00Z",
    "severity": "HIGH"
  },
  "details": "The nltk package is vulnerable to ReDoS (regular expression denial of service). An attacker that is able to provide as an input to the [`_read_comparison_block()`(https://github.com/nltk/nltk/blob/23f4b1c4b4006b0cb3ec278e801029557cec4e82/nltk/corpus/reader/comparative_sents.py#L259) function in the file `nltk/corpus/reader/comparative_sents.py` may cause an application to consume an excessive amount of CPU.",
  "id": "GHSA-2ww3-fxvq-293j",
  "modified": "2024-10-07T15:09:21Z",
  "published": "2021-09-29T17:14:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3828"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nltk/nltk/pull/2816"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nltk/nltk/commit/277711ab1dec729e626b27aab6fa35ea5efbd7e6"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-2ww3-fxvq-293j"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/nltk/nltk"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/nltk/PYSEC-2021-356.yaml"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/d19aed43-75bc-4a03-91a0-4d0bb516bc32"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "NLTK Vulnerable to REDoS"
}

GHSA-2WXG-6MGC-2CM5

Vulnerability from github – Published: 2025-07-05 09:30 – Updated: 2025-07-05 09:30
VLAI
Details

A vulnerability classified as problematic has been found in vercel hyper up to 3.4.1. This affects the function expand/braceExpand/ignoreMap of the file hyper/bin/rimraf-standalone.js. The manipulation leads to inefficient regular expression complexity. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-7074"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333",
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-05T09:15:27Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability classified as problematic has been found in vercel hyper up to 3.4.1. This affects the function expand/braceExpand/ignoreMap of the file hyper/bin/rimraf-standalone.js. The manipulation leads to inefficient regular expression complexity. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.",
  "id": "GHSA-2wxg-6mgc-2cm5",
  "modified": "2025-07-05T09:30:30Z",
  "published": "2025-07-05T09:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-7074"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vercel/hyper/issues/8098"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.314973"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.314973"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.602353"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-333W-RXJ3-F55R

Vulnerability from github – Published: 2018-07-24 20:00 – Updated: 2024-04-22 19:37
VLAI
Summary
Regular Expression Denial Of Service in uri-js
Details

Affected versions of uri-js is susceptible to a regular expression denial of service vulnerability when user input is sent to the .parse() method.

Recommendation

Update to v3.0.0 or later.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "uri-js"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2017-16021"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333",
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T20:53:45Z",
    "nvd_published_at": "2018-06-04T19:29:01Z",
    "severity": "MODERATE"
  },
  "details": "Affected versions of `uri-js` is susceptible to a regular expression denial of service vulnerability when user input is sent to the `.parse()` method.\n\n\n\n## Recommendation\n\nUpdate to v3.0.0 or later.",
  "id": "GHSA-333w-rxj3-f55r",
  "modified": "2024-04-22T19:37:18Z",
  "published": "2018-07-24T20:00:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-16021"
    },
    {
      "type": "WEB",
      "url": "https://github.com/garycourt/uri-js/issues/12"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-333w-rxj3-f55r"
    },
    {
      "type": "WEB",
      "url": "https://nodesecurity.io/advisories/100"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/advisories/100"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Regular Expression Denial Of Service in uri-js"
}

GHSA-355V-2RJX-FPX7

Vulnerability from github – Published: 2024-09-27 12:31 – Updated: 2024-10-01 18:32
VLAI
Summary
Inefficient Regular Expression Complexity in langflow
Details

A vulnerability classified as problematic was found in Langflow up to 1.0.18. Affected by this vulnerability is an unknown functionality of the file \src\backend\base\langflow\interface\utils.py of the component HTTP POST Request Handler. The manipulation of the argument remaining_text leads to inefficient regular expression complexity. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "langflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.0.18"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-9277"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-10-01T18:32:40Z",
    "nvd_published_at": "2024-09-27T11:15:14Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability classified as problematic was found in Langflow up to 1.0.18. Affected by this vulnerability is an unknown functionality of the file \\src\\backend\\base\\langflow\\interface\\utils.py of the component HTTP POST Request Handler. The manipulation of the argument remaining_text leads to inefficient regular expression complexity. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
  "id": "GHSA-355v-2rjx-fpx7",
  "modified": "2024-10-01T18:32:40Z",
  "published": "2024-09-27T12:31:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9277"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/langflow-ai/langflow"
    },
    {
      "type": "WEB",
      "url": "https://github.com/langflow-ai/langflow/blob/main/src/backend/base/langflow/interface/utils.py#L65"
    },
    {
      "type": "WEB",
      "url": "https://rumbling-slice-eb0.notion.site/Remote-Redos-in-https-github-com-langflow-ai-langflow-067159ced0d5494e91b06071384969c4?pvs=4"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.278659"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.278659"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.410043"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Inefficient Regular Expression Complexity in langflow"
}

GHSA-35PF-5R93-C5JC

Vulnerability from github – Published: 2026-02-25 21:31 – Updated: 2026-02-25 21:31
VLAI
Details

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 9.2 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1 that could have allowed an unauthenticated user to cause regular expression denial of service by sending specially crafted input to a merge request endpoint under certain conditions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-1388"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-25T21:16:36Z",
    "severity": "HIGH"
  },
  "details": "GitLab has remediated an issue in GitLab CE/EE affecting all versions from 9.2 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1 that could have allowed an unauthenticated user to cause regular expression denial of service by sending specially crafted input to a merge request endpoint under certain conditions.",
  "id": "GHSA-35pf-5r93-c5jc",
  "modified": "2026-02-25T21:31:19Z",
  "published": "2026-02-25T21:31:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1388"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/3482893"
    },
    {
      "type": "WEB",
      "url": "https://about.gitlab.com/releases/2026/02/25/patch-release-gitlab-18-9-1-released"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/587560"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3653-68V6-RQ57

Vulnerability from github – Published: 2026-05-18 20:23 – Updated: 2026-05-18 20:23
VLAI
Summary
HAPI FHIR: ReDoS via FHIRPath matches()/replaceMatches() in FHIR Validator HTTP Endpoint
Details

Summary

All implementations of FHIRPathEngine accept arbitrary FHIRPath expressions and evaluate them without input validation. The FHIRPath functions matches(), matchesFull(), and replaceMatches() pass user-controlled regular expressions directly to Java's Pattern.compile() and String.replaceAll() without complexity checks or timeouts. An attacker can send a resource containing an evil regex pattern that causes catastrophic backtracking, exhausting system resources, and causing Denial-of-Service.

Details

The vulnerability exists in regex execution in FHIRPathEngine implementations across multiple code modules. For example the org.hl7.fhir.r5 module:

Entry point 1 — FHIRPathEngine.java:5929 (R5 funcMatches):

private List<Base> funcMatches(ExecutionContext context, List<Base> focus, ExpressionNode exp) {
    String sw = convertToString(swb); // attacker-controlled regex pattern
    // ...
    Pattern p = Pattern.compile("(?s)" + sw); // VULNERABLE: no complexity check
    Matcher m = p.matcher(st);                // no timeout
    boolean ok = m.find();

Entry point 2 — FHIRPathEngine.java:5951 (R5 funcMatchesFull):

Pattern p = Pattern.compile("(?s)" + sw); // VULNERABLE: same pattern
Matcher m = p.matcher(st);
boolean ok = m.matches();

Entry point 3 — FHIRPathEngine.java:5120 (R5 funcReplaceMatches):

result.add(new StringType(convertToString(focus.get(0))
    .replaceAll(regex, repl)).noExtensions()); // VULNERABLE: replaceAll uses Pattern internally

The same vulnerabilities exist in the dstu2, dstu2016may, dstu3, r4, and r4b modules, and the FHIRPathEngine is used in the validation module functionality.

Why this is exploitable: - No timeout mechanism covers FHIRPath evaluation — the ValidationTimeout class only protects InstanceValidator operations, not evaluateFhirPath() - Java's Pattern.compile() with a pattern like (a+)+$ against input "aaaaaaaaaaaaaaaaaaaaaa!" causes exponential backtracking (O(2^n) time complexity)

Impact

  • CPU Exhaustion: The exponential backtracking in Java's regex engine consumes 100% of a CPU core for the duration of the hang (effectively infinite for sufficiently long input strings) for callers of FHIRPathEngine.
Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 6.9.6"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "ca.uhn.hapi.fhir:org.hl7.fhir.dstu2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.9.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 6.9.6"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "ca.uhn.hapi.fhir:org.hl7.fhir.dstu2016may"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.9.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 6.9.6"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "ca.uhn.hapi.fhir:org.hl7.fhir.dstu3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.9.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 6.9.6"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "ca.uhn.hapi.fhir:org.hl7.fhir.r4"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.9.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 6.9.6"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "ca.uhn.hapi.fhir:org.hl7.fhir.r4b"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.9.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 6.9.6"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "ca.uhn.hapi.fhir:org.hl7.fhir.r5"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.9.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 6.9.6"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "ca.uhn.hapi.fhir:org.hl7.fhir.validation"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.9.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 6.9.6"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "ca.uhn.hapi.fhir:org.hl7.fhir.validation.cli"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.9.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-45367"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-18T20:23:54Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "## Summary\n\nAll implementations of FHIRPathEngine accept arbitrary FHIRPath expressions and evaluate them without input validation. The FHIRPath functions `matches()`, `matchesFull()`, and `replaceMatches()` pass user-controlled regular expressions directly to Java\u0027s `Pattern.compile()` and `String.replaceAll()` without complexity checks or timeouts. An attacker can send a resource containing an evil regex pattern that causes catastrophic backtracking, exhausting system resources, and causing Denial-of-Service.\n\n## Details\n\nThe vulnerability exists in regex execution in FHIRPathEngine implementations across multiple code modules. For example the org.hl7.fhir.r5 module:\n\n\n**Entry point 1 \u2014 `FHIRPathEngine.java:5929` (R5 `funcMatches`):**\n```java\nprivate List\u003cBase\u003e funcMatches(ExecutionContext context, List\u003cBase\u003e focus, ExpressionNode exp) {\n    String sw = convertToString(swb); // attacker-controlled regex pattern\n    // ...\n    Pattern p = Pattern.compile(\"(?s)\" + sw); // VULNERABLE: no complexity check\n    Matcher m = p.matcher(st);                // no timeout\n    boolean ok = m.find();\n```\n\n**Entry point 2 \u2014 `FHIRPathEngine.java:5951` (R5 `funcMatchesFull`):**\n```java\nPattern p = Pattern.compile(\"(?s)\" + sw); // VULNERABLE: same pattern\nMatcher m = p.matcher(st);\nboolean ok = m.matches();\n```\n\n**Entry point 3 \u2014 `FHIRPathEngine.java:5120` (R5 `funcReplaceMatches`):**\n```java\nresult.add(new StringType(convertToString(focus.get(0))\n    .replaceAll(regex, repl)).noExtensions()); // VULNERABLE: replaceAll uses Pattern internally\n```\n\nThe same vulnerabilities exist in the dstu2, dstu2016may, dstu3, r4, and r4b modules, and the FHIRPathEngine is used in the validation module functionality.\n\n**Why this is exploitable:**\n- No timeout mechanism covers FHIRPath evaluation \u2014 the `ValidationTimeout` class only protects `InstanceValidator` operations, not `evaluateFhirPath()`\n- Java\u0027s `Pattern.compile()` with a pattern like `(a+)+$` against input `\"aaaaaaaaaaaaaaaaaaaaaa!\"` causes exponential backtracking (O(2^n) time complexity)\n\n\n## Impact\n\n- **CPU Exhaustion:** The exponential backtracking in Java\u0027s regex engine consumes 100% of a CPU core for the duration of the hang (effectively infinite for sufficiently long input strings) for callers of FHIRPathEngine.",
  "id": "GHSA-3653-68v6-rq57",
  "modified": "2026-05-18T20:23:54Z",
  "published": "2026-05-18T20:23:54Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/hapifhir/org.hl7.fhir.core/security/advisories/GHSA-3653-68v6-rq57"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/hapifhir/org.hl7.fhir.core"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "HAPI FHIR: ReDoS via FHIRPath matches()/replaceMatches() in FHIR Validator HTTP Endpoint"
}

GHSA-37CH-88JC-XWX2

Vulnerability from github – Published: 2026-03-27 20:04 – Updated: 2026-03-27 20:04
VLAI
Summary
path-to-regexp vulnerable to Regular Expression Denial of Service via multiple route parameters
Details

Impact

A bad regular expression is generated any time you have three or more parameters within a single segment, separated by something that is not a period (.). For example, /:a-:b-:c or /:a-:b-:c-:d. The backtrack protection added in path-to-regexp@0.1.12 only prevents ambiguity for two parameters. With three or more, the generated lookahead does not block single separator characters, so capture groups overlap and cause catastrophic backtracking.

Patches

Upgrade to path-to-regexp@0.1.13

Custom regex patterns in route definitions (e.g., /:a-:b([^-/]+)-:c([^-/]+)) are not affected because they override the default capture group.

Workarounds

All versions can be patched by providing a custom regular expression for parameters after the first in a single segment. As long as the custom regular expression does not match the text before the parameter, you will be safe. For example, change /:a-:b-:c to /:a-:b([^-/]+)-:c([^-/]+).

If paths cannot be rewritten and versions cannot be upgraded, another alternative is to limit the URL length.

References

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "path-to-regexp"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.1.13"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-4867"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-27T20:04:53Z",
    "nvd_published_at": "2026-03-26T17:16:42Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nA bad regular expression is generated any time you have three or more parameters within a single segment, separated by something that is not a period (`.`). For example, `/:a-:b-:c` or `/:a-:b-:c-:d`. The backtrack protection added in `path-to-regexp@0.1.12` only prevents ambiguity for two parameters. With three or more, the generated lookahead does not block single separator characters, so capture groups overlap and cause catastrophic backtracking.\n\n### Patches\n\nUpgrade to [path-to-regexp@0.1.13](https://github.com/pillarjs/path-to-regexp/releases/tag/v.0.1.13)\n\nCustom regex patterns in route definitions (e.g., `/:a-:b([^-/]+)-:c([^-/]+)`) are not affected because they override the default capture group.\n\n### Workarounds\n\nAll versions can be patched by providing a custom regular expression for parameters after the first in a single segment. As long as the custom regular expression does not match the text before the parameter, you will be safe. For example, change `/:a-:b-:c` to `/:a-:b([^-/]+)-:c([^-/]+)`.\n\nIf paths cannot be rewritten and versions cannot be upgraded, another alternative is to limit the URL length.\n\n### References\n\n- [GHSA-9wv6-86v2-598j](https://github.com/advisories/GHSA-9wv6-86v2-598j)\n- [Detailed blog post: ReDoS the web](https://blakeembrey.com/posts/2024-09-web-redos/)",
  "id": "GHSA-37ch-88jc-xwx2",
  "modified": "2026-03-27T20:04:53Z",
  "published": "2026-03-27T20:04:53Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-37ch-88jc-xwx2"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4867"
    },
    {
      "type": "WEB",
      "url": "https://blakeembrey.com/posts/2024-09-web-redos"
    },
    {
      "type": "WEB",
      "url": "https://cna.openjsf.org/security-advisories.html"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-9wv6-86v2-598j"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/pillarjs/path-to-regexp"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pillarjs/path-to-regexp/releases/tag/v.0.1.13"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "path-to-regexp vulnerable to Regular Expression Denial of Service via multiple route parameters"
}

GHSA-37MW-44QP-F5JM

Vulnerability from github – Published: 2025-07-11 12:30 – Updated: 2025-08-07 14:55
VLAI
Summary
Transformers is vulnerable to ReDoS attack through its DonutProcessor class
Details

A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically within the DonutProcessor class's token2json() method. This vulnerability affects versions 4.51.3 and earlier, and is fixed in version 4.52.1. The issue arises from the regex pattern <s_(.*?)> which can be exploited to cause excessive CPU consumption through crafted input strings due to catastrophic backtracking. This vulnerability can lead to service disruption, resource exhaustion, and potential API service vulnerabilities, impacting document processing tasks using the Donut model.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.51.3"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "transformers"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.52.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-3933"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-07-11T19:55:38Z",
    "nvd_published_at": "2025-07-11T10:15:22Z",
    "severity": "MODERATE"
  },
  "details": "A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically within the DonutProcessor class\u0027s `token2json()` method. This vulnerability affects versions 4.51.3 and earlier, and is fixed in version 4.52.1. The issue arises from the regex pattern `\u003cs_(.*?)\u003e` which can be exploited to cause excessive CPU consumption through crafted input strings due to catastrophic backtracking. This vulnerability can lead to service disruption, resource exhaustion, and potential API service vulnerabilities, impacting document processing tasks using the Donut model.",
  "id": "GHSA-37mw-44qp-f5jm",
  "modified": "2025-08-07T14:55:33Z",
  "published": "2025-07-11T12:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3933"
    },
    {
      "type": "WEB",
      "url": "https://github.com/huggingface/transformers/pull/37788"
    },
    {
      "type": "WEB",
      "url": "https://github.com/huggingface/transformers/commit/ebbe9b12dd75b69f92100d684c47f923ee262a93"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/huggingface/transformers"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/25282953-5827-4384-bb6f-5790d275721b"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Transformers is vulnerable to ReDoS attack through its DonutProcessor class"
}

GHSA-38C4-R59V-3VQW

Vulnerability from github – Published: 2026-02-12 06:30 – Updated: 2026-02-13 20:04
VLAI
Summary
markdown-it is has a Regular Expression Denial of Service (ReDoS)
Details

Versions of the package markdown-it from 13.0.0 and before 14.1.1 are vulnerable to Regular Expression Denial of Service (ReDoS) due to the use of the regex /*+$/ in the linkify function. An attacker can supply a long sequence of * characters followed by a non-matching character, which triggers excessive backtracking and may lead to a denial-of-service condition.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "markdown-it"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "13.0.0"
            },
            {
              "fixed": "14.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-2327"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-13T20:04:39Z",
    "nvd_published_at": "2026-02-12T06:16:02Z",
    "severity": "MODERATE"
  },
  "details": "Versions of the package markdown-it from 13.0.0 and before 14.1.1 are vulnerable to Regular Expression Denial of Service (ReDoS) due to the use of the regex /\\*+$/ in the linkify function. An attacker can supply a long sequence of * characters followed by a non-matching character, which triggers excessive backtracking and may lead to a denial-of-service condition.",
  "id": "GHSA-38c4-r59v-3vqw",
  "modified": "2026-02-13T20:04:39Z",
  "published": "2026-02-12T06:30:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2327"
    },
    {
      "type": "WEB",
      "url": "https://github.com/markdown-it/markdown-it/commit/4b4bbcae5e0990a5b172378e507b33a59012ed26"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/ltduc147/c9abecae1b291ede4f692f2ab988c917"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/markdown-it/markdown-it"
    },
    {
      "type": "WEB",
      "url": "https://github.com/markdown-it/markdown-it/blob/14.1.0/lib/rules_inline/linkify.mjs#L33"
    },
    {
      "type": "WEB",
      "url": "https://security.snyk.io/vuln/SNYK-JS-MARKDOWNIT-10666750"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "markdown-it is has a Regular Expression Denial of Service (ReDoS)"
}

GHSA-38J3-6FM8-PFGC

Vulnerability from github – Published: 2022-06-15 00:00 – Updated: 2022-06-23 21:25
VLAI
Summary
Regular expression denial of service in Delight Nashorn Sandbox
Details

An issue was discovered in Delight Nashorn Sandbox. There is an ReDoS vulnerability that can be exploited to launching a denial of service (DoS) attack.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.javadelight:delight-nashorn-sandbox"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.3.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-40660"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-06-17T01:14:44Z",
    "nvd_published_at": "2022-06-14T14:15:00Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered in Delight Nashorn Sandbox. There is an ReDoS vulnerability that can be exploited to launching a denial of service (DoS) attack.",
  "id": "GHSA-38j3-6fm8-pfgc",
  "modified": "2022-06-23T21:25:08Z",
  "published": "2022-06-15T00:00:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-40660"
    },
    {
      "type": "WEB",
      "url": "https://github.com/javadelight/delight-nashorn-sandbox/issues/117"
    },
    {
      "type": "WEB",
      "url": "https://github.com/javadelight/delight-nashorn-sandbox/issues/117#issuecomment-1564983722"
    },
    {
      "type": "WEB",
      "url": "https://github.com/javadelight/delight-nashorn-sandbox/pull/139"
    },
    {
      "type": "WEB",
      "url": "https://github.com/javadelight/delight-nashorn-sandbox/commit/b899b8ecad46090fdc042ac7683e1164114a69de"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/javadelight/delight-nashorn-sandbox"
    },
    {
      "type": "WEB",
      "url": "https://github.com/javadelight/delight-nashorn-sandbox/releases/tag/0.3.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Regular expression denial of service in Delight Nashorn Sandbox"
}

Mitigation
Architecture and Design

Use regular expressions that do not support backtracking, e.g. by removing nested quantifiers.

Mitigation
System Configuration

Set backtracking limits in the configuration of the regular expression implementation, such as PHP's pcre.backtrack_limit. Also consider limits on execution time for the process.

Mitigation
Implementation

Do not use regular expressions with untrusted input. If regular expressions must be used, avoid using backtracking in the expression.

Mitigation
Implementation

Limit the length of the input that the regular expression will process.

CAPEC-492: Regular Expression Exponential Blowup

An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions.