Common Weakness Enumeration

CWE-1333

Allowed

Inefficient Regular Expression Complexity

Abstraction: Base · Status: Draft

The product uses a regular expression with a worst-case computational complexity that is inefficient and possibly exponential.

732 vulnerabilities reference this CWE, most recent first.

GHSA-48R7-HPM6-GFXM

Vulnerability from github – Published: 2026-06-15 17:24 – Updated: 2026-07-15 22:04
VLAI
Summary
@angular/common: Denial of Service (DoS) via OOM in Date Formatting (formatDate)
Details

A Denial of Service (DoS) vulnerability exists in the @angular/common package of the Angular framework. The formatDate function, which is also utilized by the standard Angular DatePipe, does not properly limit or validate the length of the format parameter.

When parsing a maliciously crafted, excessively long date format string (e.g., a repeating pattern or very large string), the internal parser splits the string iteratively using a regular expression loop. This results in uncontrolled resource consumption (high CPU utilization and excessive memory allocations), leading to a Denial of Service (DoS).

Impact

1. Server-Side Rendering (SSR)

In Angular applications that leverage Server-Side Rendering, an attacker can supply a malicious payload with an excessively long date format string. Processing this on the server causes high CPU usage and triggers a JavaScript heap out of memory crash, rendering the application unavailable to all users.

2. Client-Side Rendering (CSR)

In standard client-side applications, executing the vulnerable function with an excessively long format string blocks the browser's main thread, causing the browser tab to freeze and become completely unresponsive.

Patched Versions

  • 22.0.1
  • 21.2.17
  • 20.3.25

Attack Preconditions

For this vulnerability to be exploitable, both of the following conditions must be met: 1. Vulnerable Component Usage: The application must format dates using the formatDate utility or the DatePipe. 2. Attacker-Controlled Parameter: The date format string passed to these utilities must be customizable or directly controlled by untrusted user input (e.g., parsed from query parameters, user preferences, or API responses).

If the date format is hardcoded (e.g., 'mediumDate', 'shortTime', or static strings) or properly validated to be within a reasonable length limit, the application is not vulnerable.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@angular/common"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "22.0.0-next.0"
            },
            {
              "fixed": "22.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@angular/common"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "21.0.0-next.0"
            },
            {
              "fixed": "21.2.17"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@angular/common"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "20.0.0-next.0"
            },
            {
              "fixed": "20.3.25"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@angular/common"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "19.2.25"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-54268"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333",
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-15T17:24:52Z",
    "nvd_published_at": "2026-06-22T16:16:39Z",
    "severity": "HIGH"
  },
  "details": "A Denial of Service (DoS) vulnerability exists in the `@angular/common` package of the Angular framework. The `formatDate` function, which is also utilized by the standard Angular `DatePipe`, does not properly limit or validate the length of the `format` parameter. \n\nWhen parsing a maliciously crafted, excessively long date format string (e.g., a repeating pattern or very large string), the internal parser splits the string iteratively using a regular expression loop. This results in uncontrolled resource consumption (high CPU utilization and excessive memory allocations), leading to a Denial of Service (DoS).\n\n\n### Impact\n\n#### 1. Server-Side Rendering (SSR)\nIn Angular applications that leverage Server-Side Rendering, an attacker can supply a malicious payload with an excessively long date format string. Processing this on the server causes high CPU usage and triggers a `JavaScript heap out of memory` crash, rendering the application unavailable to all users.\n\n#### 2. Client-Side Rendering (CSR)\nIn standard client-side applications, executing the vulnerable function with an excessively long format string blocks the browser\u0027s main thread, causing the browser tab to freeze and become completely unresponsive.\n\n### Patched Versions\n* 22.0.1  \n* 21.2.17  \n* 20.3.25\n\n### Attack Preconditions\nFor this vulnerability to be exploitable, both of the following conditions must be met:\n1. **Vulnerable Component Usage:** The application must format dates using the `formatDate` utility or the `DatePipe`.\n2. **Attacker-Controlled Parameter:** The date format string passed to these utilities must be customizable or directly controlled by untrusted user input (e.g., parsed from query parameters, user preferences, or API responses).\n\n*If the date format is hardcoded (e.g., `\u0027mediumDate\u0027`, `\u0027shortTime\u0027`, or static strings) or properly validated to be within a reasonable length limit, the application is not vulnerable.*",
  "id": "GHSA-48r7-hpm6-gfxm",
  "modified": "2026-07-15T22:04:14Z",
  "published": "2026-06-15T17:24:52Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/angular/angular/security/advisories/GHSA-48r7-hpm6-gfxm"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-54268"
    },
    {
      "type": "WEB",
      "url": "https://github.com/angular/angular/pull/69197"
    },
    {
      "type": "WEB",
      "url": "https://github.com/angular/angular/commit/eeb03f4ea310e2e51ba5d53a421ec7b418e186cd"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/angular/angular"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "@angular/common: Denial of Service (DoS) via OOM in Date Formatting (formatDate)"
}

GHSA-497M-753J-QCPH

Vulnerability from github – Published: 2025-06-25 06:30 – Updated: 2025-06-25 06:30
VLAI
Details

Inefficient regular expression complexity issue exists in GROWI prior to v7.1.6. If exploited, a logged-in user may cause a denial of service (DoS) condition.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-43880"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-06-25T06:15:20Z",
    "severity": "MODERATE"
  },
  "details": "Inefficient regular expression complexity issue exists in GROWI prior to v7.1.6. If exploited, a logged-in user may cause a denial of service (DoS) condition.",
  "id": "GHSA-497m-753j-qcph",
  "modified": "2025-06-25T06:30:24Z",
  "published": "2025-06-25T06:30:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-43880"
    },
    {
      "type": "WEB",
      "url": "https://github.com/weseek/growi/pull/9487"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/jp/JVN21624250"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-49X3-8228-3W3M

Vulnerability from github – Published: 2021-09-20 20:18 – Updated: 2021-09-20 18:59
VLAI
Summary
Inefficient Regular Expression Complexity in code-server
Details

code-server is vulnerable to Inefficient Regular Expression Complexity

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "code-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.12.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-3810"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-09-20T18:59:46Z",
    "nvd_published_at": "2021-09-17T07:15:00Z",
    "severity": "HIGH"
  },
  "details": "code-server is vulnerable to Inefficient Regular Expression Complexity",
  "id": "GHSA-49x3-8228-3w3m",
  "modified": "2021-09-20T18:59:46Z",
  "published": "2021-09-20T20:18:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3810"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cdr/code-server/commit/ca617df135e78833f93c8320cb2d2cf8bba809f5"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/cdr/code-server"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/38888513-30fc-4d8f-805d-34070d60e223"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Inefficient Regular Expression Complexity in code-server"
}

GHSA-4F3H-89PJ-W84F

Vulnerability from github – Published: 2025-03-20 12:32 – Updated: 2025-03-20 12:32
VLAI
Details

A vulnerability in danswer-ai/danswer version 1 allows an attacker to perform a Regular Expression Denial of Service (ReDoS) by manipulating regular expressions. This can significantly slow down the application's response time and potentially render it completely unusable.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-7779"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333",
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-20T10:15:37Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability in danswer-ai/danswer version 1 allows an attacker to perform a Regular Expression Denial of Service (ReDoS) by manipulating regular expressions. This can significantly slow down the application\u0027s response time and potentially render it completely unusable.",
  "id": "GHSA-4f3h-89pj-w84f",
  "modified": "2025-03-20T12:32:46Z",
  "published": "2025-03-20T12:32:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7779"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/829f7d9f-8755-4362-bd40-801e4690dcdc"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4F6G-68PF-7VHV

Vulnerability from github – Published: 2026-01-09 19:48 – Updated: 2026-01-11 14:53
VLAI
Summary
pypdf has possible long runtimes for malformed startxref
Details

Impact

An attacker who exploits this vulnerability can craft a PDF which leads to possibly long runtimes for invalid startxref entries. When rebuilding the cross-reference table, PDF files with lots of whitespace characters become problematic. Only the non-strict reading mode is affected.

Patches

This has been fixed in pypdf==6.6.0.

Workarounds

from pypdf import PdfReader, PdfWriter


# Instead of
reader = PdfReader("file.pdf")
# use the strict mode:
reader = PdfReader("file.pdf", strict=True)

# Instead of
writer = PdfWriter(clone_from="file.pdf")
# use an explicit strict reader:
writer = PdfWriter(clone_from=PdfReader("file.pdf", strict=True))

Resources

This issue has been fixed in #3594.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "pypdf"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.6.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-22691"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333",
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-09T19:48:57Z",
    "nvd_published_at": "2026-01-10T05:16:08Z",
    "severity": "LOW"
  },
  "details": "### Impact\nAn attacker who exploits this vulnerability can craft a PDF which leads to possibly long runtimes for invalid `startxref` entries. When rebuilding the cross-reference table, PDF files with lots of whitespace characters become problematic. Only the non-strict reading mode is affected.\n\n### Patches\nThis has been fixed in [pypdf==6.6.0](https://github.com/py-pdf/pypdf/releases/tag/6.6.0).\n\n### Workarounds\n\n```python\nfrom pypdf import PdfReader, PdfWriter\n\n\n# Instead of\nreader = PdfReader(\"file.pdf\")\n# use the strict mode:\nreader = PdfReader(\"file.pdf\", strict=True)\n\n# Instead of\nwriter = PdfWriter(clone_from=\"file.pdf\")\n# use an explicit strict reader:\nwriter = PdfWriter(clone_from=PdfReader(\"file.pdf\", strict=True))\n```\n\n### Resources\nThis issue has been fixed in #3594.",
  "id": "GHSA-4f6g-68pf-7vhv",
  "modified": "2026-01-11T14:53:40Z",
  "published": "2026-01-09T19:48:57Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/py-pdf/pypdf/security/advisories/GHSA-4f6g-68pf-7vhv"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22691"
    },
    {
      "type": "WEB",
      "url": "https://github.com/py-pdf/pypdf/pull/3594"
    },
    {
      "type": "WEB",
      "url": "https://github.com/py-pdf/pypdf/commit/294165726b646bb7799be1cc787f593f2fdbcf45"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/py-pdf/pypdf"
    },
    {
      "type": "WEB",
      "url": "https://github.com/py-pdf/pypdf/releases/tag/6.6.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U",
      "type": "CVSS_V4"
    }
  ],
  "summary": "pypdf has possible long runtimes for malformed startxref"
}

GHSA-4FR5-6CCQ-75W2

Vulnerability from github – Published: 2024-02-08 00:32 – Updated: 2024-02-08 00:32
VLAI
Details

An issue has been discovered in GitLab EE affecting all versions starting from 11.3 before 16.6.7, all versions starting from 16.7 before 16.7.5, all versions starting from 16.8 before 16.8.2. It was possible for an attacker to cause a client-side denial of service using malicious crafted content in the CODEOWNERS file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-6736"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333",
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-02-07T22:15:09Z",
    "severity": "MODERATE"
  },
  "details": "An issue has been discovered in GitLab EE affecting all versions starting from 11.3 before 16.6.7, all versions starting from 16.7 before 16.7.5, all versions starting from 16.8 before 16.8.2. It was possible for an attacker to cause a client-side denial of service using malicious crafted content in the CODEOWNERS file.",
  "id": "GHSA-4fr5-6ccq-75w2",
  "modified": "2024-02-08T00:32:19Z",
  "published": "2024-02-08T00:32:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6736"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/2269023"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/435036"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4GMJ-3P3H-GM8H

Vulnerability from github – Published: 2024-02-26 20:01 – Updated: 2024-02-26 20:01
VLAI
Summary
es5-ext vulnerable to Regular Expression Denial of Service in `function#copy` and `function#toStringTokens`
Details

Impact

Passing functions with very long names or complex default argument names into function#copy orfunction#toStringTokens may put script to stall

Patches

Fixed with https://github.com/medikoo/es5-ext/commit/3551cdd7b2db08b1632841f819d008757d28e8e2 and https://github.com/medikoo/es5-ext/commit/a52e95736690ad1d465ebcd9791d54570e294602 Published with v0.10.63

Workarounds

No real workaround aside of refraining from using above utilities.

References

https://github.com/medikoo/es5-ext/issues/201

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "es5-ext"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.10.0"
            },
            {
              "fixed": "0.10.63"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-27088"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-02-26T20:01:28Z",
    "nvd_published_at": "2024-02-26T17:15:11Z",
    "severity": "LOW"
  },
  "details": "### Impact\n\nPassing functions with very long names or complex default argument names into `function#copy` or`function#toStringTokens` may put script to stall\n\n### Patches\nFixed with https://github.com/medikoo/es5-ext/commit/3551cdd7b2db08b1632841f819d008757d28e8e2 and https://github.com/medikoo/es5-ext/commit/a52e95736690ad1d465ebcd9791d54570e294602\nPublished with v0.10.63\n\n### Workarounds\nNo real workaround aside of refraining from using above utilities.\n\n### References\nhttps://github.com/medikoo/es5-ext/issues/201\n",
  "id": "GHSA-4gmj-3p3h-gm8h",
  "modified": "2024-02-26T20:01:28Z",
  "published": "2024-02-26T20:01:28Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/medikoo/es5-ext/security/advisories/GHSA-4gmj-3p3h-gm8h"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27088"
    },
    {
      "type": "WEB",
      "url": "https://github.com/medikoo/es5-ext/issues/201"
    },
    {
      "type": "WEB",
      "url": "https://github.com/medikoo/es5-ext/commit/3551cdd7b2db08b1632841f819d008757d28e8e2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/medikoo/es5-ext/commit/a52e95736690ad1d465ebcd9791d54570e294602"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/medikoo/es5-ext"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "es5-ext vulnerable to Regular Expression Denial of Service in `function#copy` and `function#toStringTokens`"
}

GHSA-4MW5-77QF-JMW4

Vulnerability from github – Published: 2023-01-12 06:30 – Updated: 2023-01-18 21:30
VLAI
Details

An issue has been discovered in GitLab CE/EE affecting all versions starting from 6.6 before 15.5.7, all versions starting from 15.6 before 15.6.4, all versions starting from 15.7 before 15.7.2. An attacker may cause Denial of Service on a GitLab instance by exploiting a regex issue in the submodule URL parser.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-3514"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-01-12T04:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue has been discovered in GitLab CE/EE affecting all versions starting from 6.6 before 15.5.7, all versions starting from 15.6 before 15.6.4, all versions starting from 15.7 before 15.7.2. An attacker may cause Denial of Service on a GitLab instance by exploiting a regex issue in the submodule URL parser.",
  "id": "GHSA-4mw5-77qf-jmw4",
  "modified": "2023-01-18T21:30:21Z",
  "published": "2023-01-12T06:30:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3514"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/1727201"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-3514.json"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/377978"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4PM8-RXV6-FRFV

Vulnerability from github – Published: 2024-10-28 15:31 – Updated: 2024-10-28 15:31
VLAI
Details

In JetBrains YouTrack before 2024.3.47707 potential ReDoS exploit was possible via email header parsing in Helpdesk functionality

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-50574"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-28T13:15:08Z",
    "severity": "MODERATE"
  },
  "details": "In JetBrains YouTrack before 2024.3.47707 potential ReDoS exploit was possible via email header parsing in Helpdesk functionality",
  "id": "GHSA-4pm8-rxv6-frfv",
  "modified": "2024-10-28T15:31:15Z",
  "published": "2024-10-28T15:31:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-50574"
    },
    {
      "type": "WEB",
      "url": "https://www.jetbrains.com/privacy-security/issues-fixed"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4Q6P-R6V2-JVC5

Vulnerability from github – Published: 2023-09-27 20:16 – Updated: 2023-10-02 21:05
VLAI
Summary
Chaijs/get-func-name vulnerable to ReDoS
Details

The current regex implementation for parsing values in the module is susceptible to excessive backtracking, leading to potential DoS attacks. The regex implementation in question is as follows:

const functionNameMatch = /\s*function(?:\s|\s*\/\*[^(?:*/)]+\*\/\s*)*([^\s(/]+)/;

This vulnerability can be exploited when there is an imbalance in parentheses, which results in excessive backtracking and subsequently increases the CPU load and processing time significantly. This vulnerability can be triggered using the following input:

'\t'.repeat(54773) + '\t/function/i'

Here is a simple PoC code to demonstrate the issue:

const protocolre = /\sfunction(?:\s|\s/*[^(?:*\/)]+*/\s*)*([^\(\/]+)/;

const startTime = Date.now();
const maliciousInput = '\t'.repeat(54773) + '\t/function/i'

protocolre.test(maliciousInput);

const endTime = Date.now();

console.log("process time: ", endTime - startTime, "ms");
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "get-func-name"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-43646"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333",
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-09-27T20:16:00Z",
    "nvd_published_at": "2023-09-27T15:19:34Z",
    "severity": "HIGH"
  },
  "details": "The current regex implementation for parsing values in the module is susceptible to excessive backtracking, leading to potential DoS attacks. The regex implementation in question is as follows:\n\n```js\nconst functionNameMatch = /\\s*function(?:\\s|\\s*\\/\\*[^(?:*/)]+\\*\\/\\s*)*([^\\s(/]+)/;\n```\n\nThis vulnerability can be exploited when there is an imbalance in parentheses, which results in excessive backtracking and subsequently increases the CPU load and processing time significantly. This vulnerability can be triggered using the following input:\n\n```js\n\u0027\\t\u0027.repeat(54773) + \u0027\\t/function/i\u0027\n```\n\nHere is a simple PoC code to demonstrate the issue:\n\n```js\nconst protocolre = /\\sfunction(?:\\s|\\s/*[^(?:*\\/)]+*/\\s*)*([^\\(\\/]+)/;\n\nconst startTime = Date.now();\nconst maliciousInput = \u0027\\t\u0027.repeat(54773) + \u0027\\t/function/i\u0027\n\nprotocolre.test(maliciousInput);\n\nconst endTime = Date.now();\n\nconsole.log(\"process time: \", endTime - startTime, \"ms\");\n```",
  "id": "GHSA-4q6p-r6v2-jvc5",
  "modified": "2023-10-02T21:05:48Z",
  "published": "2023-09-27T20:16:00Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/chaijs/get-func-name/security/advisories/GHSA-4q6p-r6v2-jvc5"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43646"
    },
    {
      "type": "WEB",
      "url": "https://github.com/chaijs/get-func-name/commit/f934b228b5e2cb94d6c8576d3aac05493f667c69"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/chaijs/get-func-name"
    },
    {
      "type": "WEB",
      "url": "https://github.com/chaijs/get-func-name/blob/78ad756441a83f3dc203e50f76c113ae3ac017dc/index.js#L15"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Chaijs/get-func-name vulnerable to ReDoS"
}

Mitigation
Architecture and Design

Use regular expressions that do not support backtracking, e.g. by removing nested quantifiers.

Mitigation
System Configuration

Set backtracking limits in the configuration of the regular expression implementation, such as PHP's pcre.backtrack_limit. Also consider limits on execution time for the process.

Mitigation
Implementation

Do not use regular expressions with untrusted input. If regular expressions must be used, avoid using backtracking in the expression.

Mitigation
Implementation

Limit the length of the input that the regular expression will process.

CAPEC-492: Regular Expression Exponential Blowup

An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions.