Common Weakness Enumeration

CWE-1333

Allowed

Inefficient Regular Expression Complexity

Abstraction: Base · Status: Draft

The product uses a regular expression with a worst-case computational complexity that is inefficient and possibly exponential.

732 vulnerabilities reference this CWE, most recent first.

GHSA-93PM-5P5F-3GHX

Vulnerability from github – Published: 2023-01-18 18:24 – Updated: 2023-10-23 19:18
VLAI
Summary
Denial of Service Vulnerability in Rack Content-Disposition parsing
Details

There is a denial of service vulnerability in the Content-Disposition parsing component of Rack. This vulnerability has been assigned the CVE identifier CVE-2022-44571.

Versions Affected: >= 2.0.0 Not affected: None. Fixed Versions: 2.0.9.2, 2.1.4.2, 2.2.6.1, 3.0.0.1 Impact

Carefully crafted input can cause Content-Disposition header parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. This header is used typically used in multipart parsing. Any applications that parse multipart posts using Rack (virtually all Rails applications) are impacted. Releases

The fixed releases are available at the normal locations. Workarounds

There are no feasible workarounds for this issue. Patches

To aid users who aren’t able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.

2-0-Fix-ReDoS-vulnerability-in-multipart-parser - Patch for 2.0 series
2-1-Fix-ReDoS-vulnerability-in-multipart-parser - Patch for 2.1 series
2-2-Fix-ReDoS-vulnerability-in-multipart-parser - Patch for 2.2 series
3-0-Fix-ReDoS-vulnerability-in-multipart-parser - Patch for 3.0 series
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "rack"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.0.9.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "rack"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.1.0"
            },
            {
              "fixed": "2.1.4.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "rack"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.2.0"
            },
            {
              "fixed": "2.2.6.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "rack"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0.0"
            },
            {
              "fixed": "3.0.4.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-44571"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333",
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-01-18T18:24:40Z",
    "nvd_published_at": "2023-02-09T20:15:00Z",
    "severity": "LOW"
  },
  "details": "There is a denial of service vulnerability in the Content-Disposition parsing component of Rack. This vulnerability has been assigned the CVE identifier CVE-2022-44571.\n\nVersions Affected: \u003e= 2.0.0 Not affected: None. Fixed Versions: 2.0.9.2, 2.1.4.2, 2.2.6.1, 3.0.0.1\nImpact\n\nCarefully crafted input can cause Content-Disposition header parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. This header is used typically used in multipart parsing. Any applications that parse multipart posts using Rack (virtually all Rails applications) are impacted.\nReleases\n\nThe fixed releases are available at the normal locations.\nWorkarounds\n\nThere are no feasible workarounds for this issue.\nPatches\n\nTo aid users who aren\u2019t able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.\n\n    2-0-Fix-ReDoS-vulnerability-in-multipart-parser - Patch for 2.0 series\n    2-1-Fix-ReDoS-vulnerability-in-multipart-parser - Patch for 2.1 series\n    2-2-Fix-ReDoS-vulnerability-in-multipart-parser - Patch for 2.2 series\n    3-0-Fix-ReDoS-vulnerability-in-multipart-parser - Patch for 3.0 series\n",
  "id": "GHSA-93pm-5p5f-3ghx",
  "modified": "2023-10-23T19:18:08Z",
  "published": "2023-01-18T18:24:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-44571"
    },
    {
      "type": "WEB",
      "url": "https://discuss.rubyonrails.org/t/cve-2022-44571-possible-denial-of-service-vulnerability-in-rack-content-disposition-parsing/82126"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/rack/rack"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rack/rack/releases/tag/v3.0.4.1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2022-44571.yml"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2023/dsa-5530"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Denial of Service Vulnerability in Rack Content-Disposition parsing"
}

GHSA-93Q8-GQ69-WQMW

Vulnerability from github – Published: 2021-09-20 20:20 – Updated: 2023-09-11 16:42
VLAI
Summary
Inefficient Regular Expression Complexity in chalk/ansi-regex
Details

ansi-regex is vulnerable to Inefficient Regular Expression Complexity which could lead to a denial of service when parsing invalid ANSI escape codes.

Proof of Concept

import ansiRegex from 'ansi-regex';
for(var i = 1; i <= 50000; i++) {
    var time = Date.now();
    var attack_str = "\u001B["+";".repeat(i*10000);
    ansiRegex().test(attack_str)
    var time_cost = Date.now() - time;
    console.log("attack_str.length: " + attack_str.length + ": " + time_cost+" ms")
}

The ReDOS is mainly due to the sub-patterns [[\\]()#;?]* and (?:;[-a-zA-Z\\d\\/#&.:=?%@~_]*)*

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "ansi-regex"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.0.0"
            },
            {
              "fixed": "6.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "ansi-regex"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0"
            },
            {
              "fixed": "5.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "ansi-regex"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0"
            },
            {
              "fixed": "4.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "ansi-regex"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0"
            },
            {
              "fixed": "3.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-3807"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333",
      "CWE-697"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-09-20T18:56:22Z",
    "nvd_published_at": "2021-09-17T07:15:00Z",
    "severity": "HIGH"
  },
  "details": "ansi-regex is vulnerable to Inefficient Regular Expression Complexity which could lead to a denial of service when parsing invalid ANSI escape codes.\n\n**Proof of Concept**\n```js\nimport ansiRegex from \u0027ansi-regex\u0027;\nfor(var i = 1; i \u003c= 50000; i++) {\n    var time = Date.now();\n    var attack_str = \"\\u001B[\"+\";\".repeat(i*10000);\n    ansiRegex().test(attack_str)\n    var time_cost = Date.now() - time;\n    console.log(\"attack_str.length: \" + attack_str.length + \": \" + time_cost+\" ms\")\n}\n```\nThe ReDOS is mainly due to the sub-patterns `[[\\\\]()#;?]*` and `(?:;[-a-zA-Z\\\\d\\\\/#\u0026.:=?%@~_]*)*`",
  "id": "GHSA-93q8-gq69-wqmw",
  "modified": "2023-09-11T16:42:11Z",
  "published": "2021-09-20T20:20:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3807"
    },
    {
      "type": "WEB",
      "url": "https://github.com/chalk/ansi-regex/issues/38#issuecomment-924086311"
    },
    {
      "type": "WEB",
      "url": "https://github.com/chalk/ansi-regex/issues/38#issuecomment-925924774"
    },
    {
      "type": "WEB",
      "url": "https://github.com/chalk/ansi-regex/commit/419250fa510bf31b4cc672e76537a64f9332e1f1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/chalk/ansi-regex/commit/75a657da7af875b2e2724fd6331bf0a4b23d3c9a"
    },
    {
      "type": "WEB",
      "url": "https://github.com/chalk/ansi-regex/commit/8d1d7cdb586269882c4bdc1b7325d0c58c8f76f9"
    },
    {
      "type": "WEB",
      "url": "https://github.com/chalk/ansi-regex/commit/c3c0b3f2736b9c01feec0fef33980c43720dcde8"
    },
    {
      "type": "WEB",
      "url": "https://app.snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/chalk/ansi-regex"
    },
    {
      "type": "WEB",
      "url": "https://github.com/chalk/ansi-regex/releases/tag/v6.0.1"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20221014-0002"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Inefficient Regular Expression Complexity in chalk/ansi-regex"
}

GHSA-94CM-J3MF-Q873

Vulnerability from github – Published: 2025-06-09 21:30 – Updated: 2025-06-09 21:30
VLAI
Details

A vulnerability was found in Metabase 54.10. It has been classified as problematic. This affects the function parseDataUri of the file frontend/src/metabase/lib/dom.js. The manipulation leads to inefficient regular expression complexity. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The patch is named 4454ebbdc7719016bf80ca0f34859ce5cee9f6b0. It is recommended to apply a patch to fix this issue.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-5895"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333",
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-06-09T20:15:25Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability was found in Metabase 54.10. It has been classified as problematic. This affects the function parseDataUri of the file frontend/src/metabase/lib/dom.js. The manipulation leads to inefficient regular expression complexity. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The patch is named 4454ebbdc7719016bf80ca0f34859ce5cee9f6b0. It is recommended to apply a patch to fix this issue.",
  "id": "GHSA-94cm-j3mf-q873",
  "modified": "2025-06-09T21:30:51Z",
  "published": "2025-06-09T21:30:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-5895"
    },
    {
      "type": "WEB",
      "url": "https://github.com/metabase/metabase/pull/57011"
    },
    {
      "type": "WEB",
      "url": "https://github.com/metabase/metabase/pull/57011#pullrequestreview-2792664135"
    },
    {
      "type": "WEB",
      "url": "https://github.com/metabase/metabase/commit/4454ebbdc7719016bf80ca0f34859ce5cee9f6b0"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.311667"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.311667"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.585795"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-952P-6RRQ-RCJV

Vulnerability from github – Published: 2024-05-14 18:30 – Updated: 2024-08-28 13:12
VLAI
Summary
Regular Expression Denial of Service (ReDoS) in micromatch
Details

The NPM package micromatch prior to version 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in micromatch.braces() in index.js because the pattern .* will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persisted prior to https://github.com/micromatch/micromatch/pull/266. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "micromatch"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.0.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-4067"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-08-21T22:58:52Z",
    "nvd_published_at": "2024-05-14T15:42:47Z",
    "severity": "MODERATE"
  },
  "details": "The NPM package `micromatch` prior to version 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn\u0027t find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persisted prior to https://github.com/micromatch/micromatch/pull/266. This issue should be mitigated by using a safe pattern that won\u0027t start backtracking the regular expression due to greedy matching.\n",
  "id": "GHSA-952p-6rrq-rcjv",
  "modified": "2024-08-28T13:12:26Z",
  "published": "2024-05-14T18:30:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4067"
    },
    {
      "type": "WEB",
      "url": "https://github.com/micromatch/micromatch/issues/243"
    },
    {
      "type": "WEB",
      "url": "https://github.com/micromatch/micromatch/pull/247"
    },
    {
      "type": "WEB",
      "url": "https://github.com/micromatch/micromatch/pull/266"
    },
    {
      "type": "WEB",
      "url": "https://github.com/micromatch/micromatch/commit/03aa8052171e878897eee5d7bb2ae0ae83ec2ade"
    },
    {
      "type": "WEB",
      "url": "https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0"
    },
    {
      "type": "WEB",
      "url": "https://advisory.checkmarx.net/advisory/CVE-2024-4067"
    },
    {
      "type": "WEB",
      "url": "https://devhub.checkmarx.com/cve-details/CVE-2024-4067"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/micromatch/micromatch"
    },
    {
      "type": "WEB",
      "url": "https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448"
    },
    {
      "type": "WEB",
      "url": "https://github.com/micromatch/micromatch/releases/tag/4.0.8"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Regular Expression Denial of Service (ReDoS) in micromatch"
}

GHSA-95F6-RFPG-C3W8

Vulnerability from github – Published: 2026-06-02 00:31 – Updated: 2026-07-09 13:43
VLAI
Summary
Claw Orchestrator has inefficient regular expression complexity via validateRegex()
Details

A security vulnerability has been detected in Enderfga claw-orchestrator up to 3.7.0. The impacted element is the function validateRegex of the file claw-orchestrator/src/embedded-server.ts of the component Session Grep Endpoint. The manipulation of the argument body.pattern leads to inefficient regular expression complexity. The attack may be initiated remotely. Upgrading to version 3.7.1 is sufficient to resolve this issue. The identifier of the patch is 3f970a974c65a94555c25af9f2796f11315e4584. It is recommended to upgrade the affected component.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@enderfga/claw-orchestrator"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.7.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-10291"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333",
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-07-09T13:43:46Z",
    "nvd_published_at": "2026-06-01T22:16:24Z",
    "severity": "MODERATE"
  },
  "details": "A security vulnerability has been detected in Enderfga claw-orchestrator up to 3.7.0. The impacted element is the function validateRegex of the file claw-orchestrator/src/embedded-server.ts of the component Session Grep Endpoint. The manipulation of the argument body.pattern leads to inefficient regular expression complexity. The attack may be initiated remotely. Upgrading to version 3.7.1 is sufficient to resolve this issue. The identifier of the patch is 3f970a974c65a94555c25af9f2796f11315e4584. It is recommended to upgrade the affected component.",
  "id": "GHSA-95f6-rfpg-c3w8",
  "modified": "2026-07-09T13:43:46Z",
  "published": "2026-06-02T00:31:57Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-10291"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Enderfga/claw-orchestrator/issues/64"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Enderfga/claw-orchestrator/issues/64#issuecomment-4421942196"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Enderfga/claw-orchestrator/commit/3f970a974c65a94555c25af9f2796f11315e4584"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Enderfga/claw-orchestrator"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Enderfga/claw-orchestrator/releases/tag/v3.7.1"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/cve/CVE-2026-10291"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/submit/826222"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/vuln/367584"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/vuln/367584/cti"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Claw Orchestrator has inefficient regular expression complexity via validateRegex()"
}

GHSA-968P-4WVH-CQC8

Vulnerability from github – Published: 2025-03-11 20:30 – Updated: 2025-04-16 15:39
VLAI
Summary
Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups
Details

Impact

When using Babel to compile regular expression named capturing groups, Babel will generate a polyfill for the .replace method that has quadratic complexity on some specific replacement pattern strings (i.e. the second argument passed to .replace).

Your generated code is vulnerable if all the following conditions are true: - You use Babel to compile regular expression named capturing groups - You use the .replace method on a regular expression that contains named capturing groups - Your code uses untrusted strings as the second argument of .replace

If you are using @babel/preset-env with the targets option, the transform that injects the vulnerable code is automatically enabled if: - you use duplicated named capturing groups, and target any browser older than Chrome/Edge 126, Opera 112, Firefox 129, Safari 17.4, or Node.js 23 - you use any named capturing groups, and target any browser older than Chrome 64, Opera 71, Edge 79, Firefox 78, Safari 11.1, or Node.js 10

You can verify what transforms @babel/preset-env is using by enabling the debug option.

Patches

This problem has been fixed in @babel/helpers and @babel/runtime 7.26.10 and 8.0.0-alpha.17, please upgrade. It's likely that you do not directly depend on @babel/helpers, and instead you depend on @babel/core (which itself depends on @babel/helpers). Upgrading to @babel/core 7.26.10 is not required, but it guarantees that you are on a new enough @babel/helpers version.

Please note that just updating your Babel dependencies is not enough: you will also need to re-compile your code.

Workarounds

If you are passing user-provided strings as the second argument of .replace on regular expressions that contain named capturing groups, validate the input and make sure it does not contain the substring $< if it's then not followed by > (possibly with other characters in between).

References

This vulnerability was reported and fixed in https://github.com/babel/babel/pull/17173.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@babel/helpers"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "7.26.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@babel/runtime"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "7.26.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@babel/runtime-corejs2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "7.26.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@babel/runtime-corejs3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "7.26.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 8.0.0-alpha.16"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@babel/helpers"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.0.0-alpha.0"
            },
            {
              "fixed": "8.0.0-alpha.17"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 8.0.0-alpha.16"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@babel/runtime"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.0.0-alpha.0"
            },
            {
              "fixed": "8.0.0-alpha.17"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 8.0.0-alpha.16"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@babel/runtime-corejs2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.0.0-alpha.0"
            },
            {
              "fixed": "8.0.0-alpha.17"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 8.0.0-alpha.16"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@babel/runtime-corejs3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.0.0-alpha.0"
            },
            {
              "fixed": "8.0.0-alpha.17"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-27789"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-03-11T20:30:18Z",
    "nvd_published_at": "2025-03-11T20:15:18Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nWhen using Babel to compile [regular expression named capturing groups](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Regular_expressions/Named_capturing_group), Babel will generate a polyfill for the `.replace` method that has quadratic complexity on some specific replacement pattern strings (i.e. the second argument passed to `.replace`).\n\nYour generated code is vulnerable if _all_ the following conditions are true:\n- You use Babel to compile [regular expression named capturing groups](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Regular_expressions/Named_capturing_group)\n- You use the `.replace` method on a regular expression that contains named capturing groups\n- **Your code uses untrusted strings as the second argument of `.replace`**\n\nIf you are using `@babel/preset-env` with the [`targets`](https://babeljs.io/docs/options#targets) option, the transform that injects the vulnerable code is automatically enabled if:\n- you use [_duplicated_ named capturing groups](https://github.com/tc39/proposal-duplicate-named-capturing-groups), and target any browser older than Chrome/Edge 126, Opera 112, Firefox 129, Safari 17.4, or Node.js 23\n- you use any [named capturing groups](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Regular_expressions/Named_capturing_group), and target any browser older than Chrome 64, Opera 71, Edge 79, Firefox 78, Safari 11.1, or Node.js 10\n\nYou can verify what transforms `@babel/preset-env` is using by enabling the [`debug` option](https://babeljs.io/docs/babel-preset-env#debug).\n\n\n### Patches\n\nThis problem has been fixed in `@babel/helpers` and `@babel/runtime` 7.26.10 and 8.0.0-alpha.17, please upgrade. It\u0027s likely that you do not directly depend on `@babel/helpers`, and instead you depend on `@babel/core` (which itself depends on `@babel/helpers`). Upgrading to `@babel/core` 7.26.10 is not required, but it guarantees that you are on a new enough `@babel/helpers` version.\n\nPlease note that just updating your Babel dependencies is not enough: you will also need to re-compile your code.\n\n### Workarounds\n\nIf you are passing user-provided strings as the second argument of `.replace` on regular expressions that contain named capturing groups, validate the input and make sure it does not contain the substring `$\u003c` if it\u0027s then not followed by `\u003e` (possibly with other characters in between).\n\n### References\n\nThis vulnerability was reported and fixed in https://github.com/babel/babel/pull/17173.",
  "id": "GHSA-968p-4wvh-cqc8",
  "modified": "2025-04-16T15:39:50Z",
  "published": "2025-03-11T20:30:18Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/babel/babel/security/advisories/GHSA-968p-4wvh-cqc8"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27789"
    },
    {
      "type": "WEB",
      "url": "https://github.com/babel/babel/pull/17173"
    },
    {
      "type": "WEB",
      "url": "https://github.com/babel/babel/commit/d5952e80c0faa5ec20e35085531b6e572d31dad4"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/babel/babel"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups"
}

GHSA-994J-5C83-R424

Vulnerability from github – Published: 2025-06-30 18:31 – Updated: 2025-06-30 21:39
VLAI
Summary
string-math's string-math.js vulnerability can cause Regex Denial of Service (ReDoS)
Details

string-math v1.2.2 was discovered to contain a Regex Denial of Service (ReDoS) which is exploited via a crafted input.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "string-math"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.2.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-45143"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-06-30T21:39:23Z",
    "nvd_published_at": "2025-06-30T17:15:32Z",
    "severity": "LOW"
  },
  "details": "string-math v1.2.2 was discovered to contain a Regex Denial of Service (ReDoS) which is exploited via a crafted input.",
  "id": "GHSA-994j-5c83-r424",
  "modified": "2025-06-30T21:39:23Z",
  "published": "2025-06-30T18:31:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-45143"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/6en6ar/361608bccedb808061359481fe2f1b39"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/devrafalko/string-math"
    },
    {
      "type": "WEB",
      "url": "https://github.com/devrafalko/string-math/blob/master/string-math.js"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/package/string-math%2C"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "string-math\u0027s string-math.js vulnerability can cause Regex Denial of Service (ReDoS) "
}

GHSA-997P-PQQ2-W5F5

Vulnerability from github – Published: 2024-04-12 03:30 – Updated: 2024-04-12 03:30
VLAI
Details

A denial of service vulnerability was identified in GitLab CE/EE, versions 16.7.7 prior to 16.8.6, 16.9 prior to 16.9.4 and 16.10 prior to 16.10.2 which allows an attacker to spike the GitLab instance resources usage resulting in service degradation via chat integration feature.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-6489"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333",
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-12T01:15:57Z",
    "severity": "MODERATE"
  },
  "details": "A denial of service vulnerability was identified in GitLab CE/EE, versions 16.7.7 prior to 16.8.6, 16.9 prior to 16.9.4 and 16.10 prior to 16.10.2 which allows an attacker to spike the GitLab instance resources usage resulting in service degradation via chat integration feature.",
  "id": "GHSA-997p-pqq2-w5f5",
  "modified": "2024-04-12T03:30:42Z",
  "published": "2024-04-12T03:30:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6489"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/2262450"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/433520"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9FRC-8383-795M

Vulnerability from github – Published: 2026-05-27 21:34 – Updated: 2026-05-27 21:34
VLAI
Summary
Symfony's YAML Parser has a ReDoS via Catastrophic Backtracking in Parser::cleanup() Regex
Details

Description

Symfony\Component\Yaml\Parser::cleanup() strips the optional %YAML directive header, leading comments, and document start/end markers before parsing. The original regexes contained overlapping quantifiers, most notably '#^%YAML[: ][\d.]+.*\n#u', whose [\d.]+ and .* overlap on the dot, that exhibit catastrophic backtracking on crafted input. A single oversized %YAML directive header (or comment / document-marker line) makes the parser hang for an arbitrarily long time, denying service.

Resolution

The four regexes in Parser::cleanup() (YAML directive header, leading comments, document-start marker, document-end marker) have been rewritten with possessive quantifiers and unambiguous character classes so backtracking cannot occur.

The patch for this issue is available here for branch 5.4.

Credits

Symfony would like to thank Pietro Tirenna (Shielder) for reporting the issue and Nicolas Grekas for fixing it.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "symfony/yaml"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.4.52"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "symfony/symfony"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.4.52"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "symfony/symfony"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.0.0"
            },
            {
              "fixed": "6.4.40"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "symfony/symfony"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.0.0"
            },
            {
              "fixed": "7.4.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "symfony/symfony"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.0.0"
            },
            {
              "fixed": "8.0.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "symfony/yaml"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.0.0"
            },
            {
              "fixed": "6.4.40"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "symfony/yaml"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.0.0"
            },
            {
              "fixed": "7.4.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "symfony/yaml"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.0.0"
            },
            {
              "fixed": "8.0.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-45305"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-27T21:34:35Z",
    "nvd_published_at": null,
    "severity": "LOW"
  },
  "details": "### Description\n\n`Symfony\\Component\\Yaml\\Parser::cleanup()` strips the optional `%YAML` directive header, leading comments, and document start/end markers before parsing. The original regexes contained overlapping quantifiers, most notably `\u0027#^%YAML[: ][\\d.]+.*\\n#u\u0027`, whose `[\\d.]+` and `.*` overlap on the dot, that exhibit catastrophic backtracking on crafted input. A single oversized `%YAML` directive header (or comment / document-marker line) makes the parser hang for an arbitrarily long time, denying service.\n\n### Resolution\n\nThe four regexes in `Parser::cleanup()` (YAML directive header, leading comments, document-start marker, document-end marker) have been rewritten with possessive quantifiers and unambiguous character classes so backtracking cannot occur.\n\nThe patch for this issue is available [here](https://github.com/symfony/symfony/commit/9749cd43c5e09b3735093623670b21b9d8a056cb) for branch 5.4.\n\n### Credits\n\nSymfony would like to thank Pietro Tirenna (Shielder) for reporting the issue and Nicolas Grekas for fixing it.",
  "id": "GHSA-9frc-8383-795m",
  "modified": "2026-05-27T21:34:36Z",
  "published": "2026-05-27T21:34:35Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/symfony/symfony/security/advisories/GHSA-9frc-8383-795m"
    },
    {
      "type": "WEB",
      "url": "https://github.com/symfony/symfony/commit/9749cd43c5e09b3735093623670b21b9d8a056cb"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2026-45305.yaml"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/yaml/CVE-2026-45305.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/symfony/symfony"
    },
    {
      "type": "WEB",
      "url": "https://symfony.com/cve-2026-45305"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Symfony\u0027s YAML Parser has a ReDoS via Catastrophic Backtracking in Parser::cleanup() Regex"
}

GHSA-9H5V-PFQQ-X599

Vulnerability from github – Published: 2026-06-15 20:15 – Updated: 2026-06-15 20:15
VLAI
Summary
UAParser.js: Unbounded `Sec-CH-UA-Model` parsing can trigger ReDoS in `withClientHints()`
Details

Summary

A regular expression denial-of-service (ReDoS) vulnerability has been discovered in ua-parser-js when using the Client Hints API. By sending a crafted Sec-CH-UA-Model header to an application that calls UAParser(headers).withClientHints(), an attacker can cause the parser to spend excessive CPU time due to catastrophic backtracking in the device regex:

/ ([\w ]+) miui\/v?\d/i

Unlike when using the User-Agent value, which has a hard limit of UA_MAX_LENGTH = 500, when using Client Hints, values are copied without a length limit before being passed into regex parsing.

PoC

const { UAParser } = require('ua-parser-js');

const headers = {
  'sec-ch-ua-platform': '"Android"',
  'sec-ch-ua-mobile': '?1',
  'sec-ch-ua-model': '"' + 'A '.repeat(25000) + '"'
};

const t0 = process.hrtime.bigint();
UAParser(headers).withClientHints();
const ms = Number(process.hrtime.bigint() - t0) / 1e6;

if (ms > 100) {
  console.log('Potential ReDoS');
}

Impact

This vulnerability allows an unauthenticated attacker to trigger a denial-of-service condition in any server-side application that uses UAParser(headers).withClientHints(). A single request with a ~32,000-character model value can consume over 400ms of CPU time, with parsing time growing polynomially with input length. The impact is availability only, there is no confidentiality or integrity impact.

Affected Versions

ua-parser-js versions >=2.0.1, <=2.0.9 are affected. The withClientHints() API is not present in version 0.7.x or 1.x.

Patches

A patch has been released to fix the vulnerable regular expression and limit the Client Hints input. Users should update to version 2.0.10 or later.

References

Credits

Thanks to @sondt99, who first reported the issue.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "ua-parser-js"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.1"
            },
            {
              "fixed": "2.0.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-48125"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333",
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-15T20:15:02Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nA regular expression denial-of-service (ReDoS) vulnerability has been discovered in `ua-parser-js` when using the Client Hints API. By sending a crafted `Sec-CH-UA-Model` header to an application that calls `UAParser(headers).withClientHints()`, an attacker can cause the parser to spend excessive CPU time due to catastrophic backtracking in the device [regex](https://github.com/faisalman/ua-parser-js/blob/2.0.9/src/main/ua-parser.js#L615):\n\n```js\n/ ([\\w ]+) miui\\/v?\\d/i\n```\n\nUnlike when using the `User-Agent` value, which has a hard limit of `UA_MAX_LENGTH = 500`, when using Client Hints, values are copied without a length limit before being passed into regex parsing.\n\n### PoC\n\n```js\nconst { UAParser } = require(\u0027ua-parser-js\u0027);\n\nconst headers = {\n  \u0027sec-ch-ua-platform\u0027: \u0027\"Android\"\u0027,\n  \u0027sec-ch-ua-mobile\u0027: \u0027?1\u0027,\n  \u0027sec-ch-ua-model\u0027: \u0027\"\u0027 + \u0027A \u0027.repeat(25000) + \u0027\"\u0027\n};\n\nconst t0 = process.hrtime.bigint();\nUAParser(headers).withClientHints();\nconst ms = Number(process.hrtime.bigint() - t0) / 1e6;\n\nif (ms \u003e 100) {\n  console.log(\u0027Potential ReDoS\u0027);\n}\n```\n\n### Impact\n\nThis vulnerability allows an unauthenticated attacker to trigger a denial-of-service condition in any __server-side__ application that uses `UAParser(headers).withClientHints()`. A single request with a ~32,000-character model value can consume over 400ms of CPU time, with parsing time growing polynomially with input length. The impact is __availability__ only, there is no confidentiality or integrity impact.\n\n### Affected Versions\n\n`ua-parser-js` versions `\u003e=2.0.1, \u003c=2.0.9` are affected. The `withClientHints()` API is not present in version `0.7.x` or `1.x`.\n\n### Patches\n\nA patch has been released to fix the vulnerable regular expression and limit the Client Hints input. Users should update to version `2.0.10` or later.\n\n### References\n\n- [Regular expression Denial of Service - ReDoS (OWASP)](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS)\n\n### Credits\n\nThanks to [@sondt99](https://github.com/sondt99), who first reported the issue.",
  "id": "GHSA-9h5v-pfqq-x599",
  "modified": "2026-06-15T20:15:02Z",
  "published": "2026-06-15T20:15:02Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/faisalman/ua-parser-js/security/advisories/GHSA-9h5v-pfqq-x599"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/faisalman/ua-parser-js"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "UAParser.js: Unbounded `Sec-CH-UA-Model` parsing can trigger ReDoS in `withClientHints()`"
}

Mitigation
Architecture and Design

Use regular expressions that do not support backtracking, e.g. by removing nested quantifiers.

Mitigation
System Configuration

Set backtracking limits in the configuration of the regular expression implementation, such as PHP's pcre.backtrack_limit. Also consider limits on execution time for the process.

Mitigation
Implementation

Do not use regular expressions with untrusted input. If regular expressions must be used, avoid using backtracking in the expression.

Mitigation
Implementation

Limit the length of the input that the regular expression will process.

CAPEC-492: Regular Expression Exponential Blowup

An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions.