CWE-1333
AllowedInefficient Regular Expression Complexity
Abstraction: Base · Status: Draft
The product uses a regular expression with a worst-case computational complexity that is inefficient and possibly exponential.
732 vulnerabilities reference this CWE, most recent first.
GHSA-C2C7-RCM5-VVQJ
Vulnerability from github – Published: 2026-03-25 21:12 – Updated: 2026-03-27 21:36Impact
picomatch is vulnerable to Regular Expression Denial of Service (ReDoS) when processing crafted extglob patterns. Certain patterns using extglob quantifiers such as +() and *(), especially when combined with overlapping alternatives or nested extglobs, are compiled into regular expressions that can exhibit catastrophic backtracking on non-matching input.
Examples of problematic patterns include +(a|aa), +(*|?), +(+(a)), *(+(a)), and +(+(+(a))). In local reproduction, these patterns caused multi-second event-loop blocking with relatively short inputs. For example, +(a|aa) compiled to ^(?:(?=.)(?:a|aa)+)$ and took about 2 seconds to reject a 41-character non-matching input, while nested patterns such as +(+(a)) and *(+(a)) took around 29 seconds to reject a 33-character input on a modern M1 MacBook.
Applications are impacted when they allow untrusted users to supply glob patterns that are passed to picomatch for compilation or matching. In those cases, an attacker can cause excessive CPU consumption and block the Node.js event loop, resulting in a denial of service. Applications that only use trusted, developer-controlled glob patterns are much less likely to be exposed in a security-relevant way.
Patches
This issue is fixed in picomatch 4.0.4, 3.0.2 and 2.3.2.
Users should upgrade to one of these versions or later, depending on their supported release line.
Workarounds
If upgrading is not immediately possible, avoid passing untrusted glob patterns to picomatch.
Possible mitigations include:
- disable extglob support for untrusted patterns by using noextglob: true
- reject or sanitize patterns containing nested extglobs or extglob quantifiers such as +() and *()
- enforce strict allowlists for accepted pattern syntax
- run matching in an isolated worker or separate process with time and resource limits
- apply application-level request throttling and input validation for any endpoint that accepts glob patterns
Resources
- Picomatch repository: https://github.com/micromatch/picomatch
lib/parse.jsandlib/constants.jsare involved in generating the vulnerable regex forms- Comparable ReDoS precedent: CVE-2024-4067 (
micromatch) - Comparable generated-regex precedent: CVE-2024-45296 (
path-to-regexp)
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "picomatch"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0"
},
{
"fixed": "4.0.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "picomatch"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0"
},
{
"fixed": "3.0.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "picomatch"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.3.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-33671"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-25T21:12:07Z",
"nvd_published_at": "2026-03-26T22:16:30Z",
"severity": "HIGH"
},
"details": "### Impact\n`picomatch` is vulnerable to Regular Expression Denial of Service (ReDoS) when processing crafted extglob patterns. Certain patterns using extglob quantifiers such as `+()` and `*()`, especially when combined with overlapping alternatives or nested extglobs, are compiled into regular expressions that can exhibit catastrophic backtracking on non-matching input.\n\nExamples of problematic patterns include `+(a|aa)`, `+(*|?)`, `+(+(a))`, `*(+(a))`, and `+(+(+(a)))`. In local reproduction, these patterns caused multi-second event-loop blocking with relatively short inputs. For example, `+(a|aa)` compiled to `^(?:(?=.)(?:a|aa)+)$` and took about 2 seconds to reject a 41-character non-matching input, while nested patterns such as `+(+(a))` and `*(+(a))` took around 29 seconds to reject a 33-character input on a modern M1 MacBook.\n\nApplications are impacted when they allow untrusted users to supply glob patterns that are passed to `picomatch` for compilation or matching. In those cases, an attacker can cause excessive CPU consumption and block the Node.js event loop, resulting in a denial of service. Applications that only use trusted, developer-controlled glob patterns are much less likely to be exposed in a security-relevant way.\n\n### Patches\nThis issue is fixed in picomatch 4.0.4, 3.0.2 and 2.3.2.\n\nUsers should upgrade to one of these versions or later, depending on their supported release line.\n\n### Workarounds\nIf upgrading is not immediately possible, avoid passing untrusted glob patterns to `picomatch`.\n\nPossible mitigations include:\n- disable extglob support for untrusted patterns by using `noextglob: true`\n- reject or sanitize patterns containing nested extglobs or extglob quantifiers such as `+()` and `*()`\n- enforce strict allowlists for accepted pattern syntax\n- run matching in an isolated worker or separate process with time and resource limits\n- apply application-level request throttling and input validation for any endpoint that accepts glob patterns\n\n### Resources\n- Picomatch repository: https://github.com/micromatch/picomatch\n- `lib/parse.js` and `lib/constants.js` are involved in generating the vulnerable regex forms\n- Comparable ReDoS precedent: CVE-2024-4067 (`micromatch`)\n- Comparable generated-regex precedent: CVE-2024-45296 (`path-to-regexp`)",
"id": "GHSA-c2c7-rcm5-vvqj",
"modified": "2026-03-27T21:36:13Z",
"published": "2026-03-25T21:12:07Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/micromatch/picomatch/security/advisories/GHSA-c2c7-rcm5-vvqj"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33671"
},
{
"type": "WEB",
"url": "https://github.com/micromatch/picomatch/commit/5eceecd27543b8e056b9307d69e105ea03618a7d"
},
{
"type": "PACKAGE",
"url": "https://github.com/micromatch/picomatch"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Picomatch has a ReDoS vulnerability via extglob quantifiers"
}
GHSA-C2JC-4FPR-4VHG
Vulnerability from github – Published: 2023-02-08 22:38 – Updated: 2023-02-08 22:38Impact
User-provided strings to formula's parser might lead to polynomial execution time.
Patches
Users should upgrade to 3.0.1+.
Workarounds
None.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@sideway/formula"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.0.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-25166"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2023-02-08T22:38:10Z",
"nvd_published_at": "2023-02-08T20:15:00Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nUser-provided strings to formula\u0027s parser might lead to polynomial execution time.\n\n### Patches\n\nUsers should upgrade to 3.0.1+.\n\n### Workarounds\n\nNone.",
"id": "GHSA-c2jc-4fpr-4vhg",
"modified": "2023-02-08T22:38:10Z",
"published": "2023-02-08T22:38:10Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/hapijs/formula/security/advisories/GHSA-c2jc-4fpr-4vhg"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25166"
},
{
"type": "WEB",
"url": "https://github.com/hapijs/formula/commit/9fbc20a02d75ae809c37a610a57802cd1b41b3fe"
},
{
"type": "PACKAGE",
"url": "https://github.com/hapijs/formula"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "@sideway/formula contains Regular Expression Denial of Service (ReDoS) Vulnerability"
}
GHSA-C2P3-7M5P-CV8X
Vulnerability from github – Published: 2026-05-27 21:33 – Updated: 2026-05-27 21:33Description
Symfony\Component\Yaml\Parser is the entry point for parsing YAML strings into PHP values via Yaml::parse(). When the parser is exposed to attacker-controlled input, deeply nested mappings or sequences cause both the block-level (Parser::parseBlock()) and inline (Inline::parseSequence() / Inline::parseMapping()) parsers to recurse without a depth limit. A crafted document exhausts the PHP stack and crashes the worker.
Resolution
The Parser now tracks recursion depth in a shared ParserState object across both block-level and inline parsing, with a default limit of 128. The limit is configurable via a new $maxNestingLevel argument on Parser::__construct(), Yaml::parse() and Yaml::parseFile().
The patch for this issue is available here for branch 5.4.
Credits
Symfony would like to thank Pietro Tirenna (Shielder) for reporting the issue and Nicolas Grekas for fixing it.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/yaml"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.4.52"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/symfony"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.4.52"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/symfony"
},
"ranges": [
{
"events": [
{
"introduced": "6.0.0"
},
{
"fixed": "6.4.40"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/symfony"
},
"ranges": [
{
"events": [
{
"introduced": "7.0.0"
},
{
"fixed": "7.4.12"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/symfony"
},
"ranges": [
{
"events": [
{
"introduced": "8.0.0"
},
{
"fixed": "8.0.12"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/yaml"
},
"ranges": [
{
"events": [
{
"introduced": "6.0.0"
},
{
"fixed": "6.4.40"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/yaml"
},
"ranges": [
{
"events": [
{
"introduced": "7.0.0"
},
{
"fixed": "7.4.12"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/yaml"
},
"ranges": [
{
"events": [
{
"introduced": "8.0.0"
},
{
"fixed": "8.0.12"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-45133"
],
"database_specific": {
"cwe_ids": [
"CWE-1333",
"CWE-674",
"CWE-776"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-27T21:33:07Z",
"nvd_published_at": null,
"severity": "LOW"
},
"details": "### Description\n\n`Symfony\\Component\\Yaml\\Parser` is the entry point for parsing YAML strings into PHP values via `Yaml::parse()`. When the parser is exposed to attacker-controlled input, deeply nested mappings or sequences cause both the block-level (`Parser::parseBlock()`) and inline (`Inline::parseSequence()` / `Inline::parseMapping()`) parsers to recurse without a depth limit. A crafted document exhausts the PHP stack and crashes the worker.\n\n### Resolution\n\nThe `Parser` now tracks recursion depth in a shared `ParserState` object across both block-level and inline parsing, with a default limit of **128**. The limit is configurable via a new `$maxNestingLevel` argument on `Parser::__construct()`, `Yaml::parse()` and `Yaml::parseFile()`.\n\nThe patch for this issue is available [here](https://github.com/symfony/symfony/commit/914f427ed9630ddb3904dafba763e53d9f133fe3) for branch 5.4.\n\n### Credits\n\nSymfony would like to thank Pietro Tirenna (Shielder) for reporting the issue and Nicolas Grekas for fixing it.",
"id": "GHSA-c2p3-7m5p-cv8x",
"modified": "2026-05-27T21:33:07Z",
"published": "2026-05-27T21:33:07Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/symfony/symfony/security/advisories/GHSA-c2p3-7m5p-cv8x"
},
{
"type": "WEB",
"url": "https://github.com/symfony/symfony/commit/914f427ed9630ddb3904dafba763e53d9f133fe3"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2026-45133.yaml"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/yaml/CVE-2026-45133.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/symfony/symfony"
},
{
"type": "WEB",
"url": "https://symfony.com/cve-2026-45133"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U",
"type": "CVSS_V4"
}
],
"summary": "Symfony hardened the parser when handling untrusted input"
}
GHSA-C2QF-RXJJ-QQGW
Vulnerability from github – Published: 2023-06-21 06:30 – Updated: 2026-02-04 20:39Versions of the package semver before 7.5.2 on the 7.x branch, before 6.3.1 on the 6.x branch, and all other versions before 5.7.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "semver"
},
"ranges": [
{
"events": [
{
"introduced": "7.0.0"
},
{
"fixed": "7.5.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "semver"
},
"ranges": [
{
"events": [
{
"introduced": "6.0.0"
},
{
"fixed": "6.3.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "semver"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0-alpha"
},
{
"fixed": "5.7.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-25883"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2023-06-22T16:52:56Z",
"nvd_published_at": "2023-06-21T05:15:09Z",
"severity": "HIGH"
},
"details": "Versions of the package semver before 7.5.2 on the 7.x branch, before 6.3.1 on the 6.x branch, and all other versions before 5.7.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.",
"id": "GHSA-c2qf-rxjj-qqgw",
"modified": "2026-02-04T20:39:09Z",
"published": "2023-06-21T06:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25883"
},
{
"type": "WEB",
"url": "https://github.com/npm/node-semver/pull/564"
},
{
"type": "WEB",
"url": "https://github.com/npm/node-semver/pull/585"
},
{
"type": "WEB",
"url": "https://github.com/npm/node-semver/pull/593"
},
{
"type": "WEB",
"url": "https://github.com/npm/node-semver/commit/2f8fd41487acf380194579ecb6f8b1bbfe116be0"
},
{
"type": "WEB",
"url": "https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441"
},
{
"type": "WEB",
"url": "https://github.com/npm/node-semver/commit/928e56d21150da0413a3333a3148b20e741a920c"
},
{
"type": "PACKAGE",
"url": "https://github.com/npm/node-semver"
},
{
"type": "WEB",
"url": "https://github.com/npm/node-semver/blob/main/classes/range.js#L97-L104"
},
{
"type": "WEB",
"url": "https://github.com/npm/node-semver/blob/main/classes/range.js%23L97-L104"
},
{
"type": "WEB",
"url": "https://github.com/npm/node-semver/blob/main/internal/re.js#L138"
},
{
"type": "WEB",
"url": "https://github.com/npm/node-semver/blob/main/internal/re.js#L160"
},
{
"type": "WEB",
"url": "https://github.com/npm/node-semver/blob/main/internal/re.js%23L138"
},
{
"type": "WEB",
"url": "https://github.com/npm/node-semver/blob/main/internal/re.js%23L160"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20241025-0004"
},
{
"type": "WEB",
"url": "https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "semver vulnerable to Regular Expression Denial of Service"
}
GHSA-C2WF-8J59-JJHC
Vulnerability from github – Published: 2024-04-25 12:30 – Updated: 2024-04-25 12:30An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.5 before 16.9.6, all versions starting from 16.10 before 16.10.4, all versions starting from 16.11 before 16.11.1. A crafted wildcard filter in FileFinder may lead to a denial of service.
{
"affected": [],
"aliases": [
"CVE-2024-2829"
],
"database_specific": {
"cwe_ids": [
"CWE-1333",
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-25T11:15:46Z",
"severity": "HIGH"
},
"details": "An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.5 before 16.9.6, all versions starting from 16.10 before 16.10.4, all versions starting from 16.11 before 16.11.1. A crafted wildcard filter in FileFinder may lead to a denial of service.",
"id": "GHSA-c2wf-8j59-jjhc",
"modified": "2024-04-25T12:30:50Z",
"published": "2024-04-25T12:30:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2829"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/2416728"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/451456"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-C33W-24P9-8M24
Vulnerability from github – Published: 2023-04-03 06:30 – Updated: 2024-12-16 22:46All versions of the package configobj are vulnerable to Regular Expression Denial of Service (ReDoS) via the validate function, using (.+?)((.)). Note:* This is only exploitable in the case of a developer, putting the offending value in a server side configuration file.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "configobj"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.0.9"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-26112"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2023-04-04T21:40:45Z",
"nvd_published_at": "2023-04-03T05:15:00Z",
"severity": "LOW"
},
"details": "All versions of the package configobj are vulnerable to Regular Expression Denial of Service (ReDoS) via the validate function, using (.+?)\\((.*)\\). **Note:** This is only exploitable in the case of a developer, putting the offending value in a server side configuration file.",
"id": "GHSA-c33w-24p9-8m24",
"modified": "2024-12-16T22:46:10Z",
"published": "2023-04-03T06:30:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26112"
},
{
"type": "WEB",
"url": "https://github.com/DiffSK/configobj/issues/232"
},
{
"type": "WEB",
"url": "https://github.com/DiffSK/configobj/commit/7c618b0bbaff6ecaca51a6f05b29795d1377a4a5"
},
{
"type": "PACKAGE",
"url": "https://github.com/DiffSK/configobj"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6BO4RLMYEJODCNUE3DJIIUUFVTPAG6VN"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NZHY7B33EFY4LESP2NI4APQUPRROTAZK"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PYU4IHVLOTYMFPH7KDOJGKZQR4GKWPFK"
},
{
"type": "WEB",
"url": "https://pypi.org/project/configobj/5.0.9"
},
{
"type": "WEB",
"url": "https://security.snyk.io/vuln/SNYK-PYTHON-CONFIGOBJ-3252494"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "configobj ReDoS exploitable by developer using values in a server-side configuration file"
}
GHSA-C3PH-4HJ5-R598
Vulnerability from github – Published: 2024-06-27 00:31 – Updated: 2024-06-27 00:31An issue was discovered in GitLab CE/EE affecting all versions starting from 9.2 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, with the processing logic for generating link in dependency files can lead to a regular expression DoS attack on the server
{
"affected": [],
"aliases": [
"CVE-2024-1493"
],
"database_specific": {
"cwe_ids": [
"CWE-1333",
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-27T00:15:10Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in GitLab CE/EE affecting all versions starting from 9.2 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, with the processing logic for generating link in dependency files can lead to a regular expression DoS attack on the server",
"id": "GHSA-c3ph-4hj5-r598",
"modified": "2024-06-27T00:31:04Z",
"published": "2024-06-27T00:31:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1493"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/2370084"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/441806"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-C4RQ-3M3G-8WGX
Vulnerability from github – Published: 2026-05-06 18:24 – Updated: 2026-05-06 18:24Summary
Nokogiri's CSS selector tokenizer contains regular expressions whose construction may result in exponential regex backtracking on adversarial selectors. Three ReDoS vectors are addressed in this release:
- String-literal tokenization on certain unterminated quoted-string input.
- String-literal tokenization on a separate class of hex-escape-rich input.
- Identifier tokenization on hex-escape-rich input.
The public CSS selector methods that funnel through the affected tokenizer are Nokogiri::CSS.xpath_for, Node#css, Node#at_css, Searchable#search, and CSS::Parser#parse.
Mitigation
Upgrade to Nokogiri >= 1.19.3.
If users are unable to upgrade, two options are available:
- Avoid the use of attacker-controlled text in CSS selectors. Applications that only pass developer-authored selectors to Nokogiri are not directly exposed.
- Set global
Regexp.timeout(Ruby 3.2+, JRuby 9.4+) to bound parse time.
Severity
The Nokogiri maintainers have evaluated this as High Severity (CVSS 7.5, AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
An attacker able to inject user-supplied text into a CSS selector parse method can cause exponential backtracking, resulting in a potential denial of service.
Resources
Credit
Vector 1 was responsibly reported by @colby-swandale. Vectors 2 and 3 were discovered by @flavorjones during the response to the original report.
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "nokogiri"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.19.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-06T18:24:18Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "## Summary\n\nNokogiri\u0027s CSS selector tokenizer contains regular expressions whose construction may result in exponential regex backtracking on adversarial selectors. Three ReDoS vectors are addressed in this release:\n\n1. String-literal tokenization on certain unterminated quoted-string input.\n2. String-literal tokenization on a separate class of hex-escape-rich input.\n3. Identifier tokenization on hex-escape-rich input.\n\nThe public CSS selector methods that funnel through the affected tokenizer are `Nokogiri::CSS.xpath_for`, `Node#css`, `Node#at_css`, `Searchable#search`, and `CSS::Parser#parse`.\n\n\n## Mitigation\n\nUpgrade to Nokogiri `\u003e= 1.19.3`.\n\nIf users are unable to upgrade, two options are available:\n\n- Avoid the use of attacker-controlled text in CSS selectors. Applications that only pass developer-authored selectors to Nokogiri are not directly exposed.\n- Set global `Regexp.timeout` (Ruby 3.2+, JRuby 9.4+) to bound parse time.\n\n## Severity\n\nThe Nokogiri maintainers have evaluated this as **High Severity** (CVSS 7.5, `AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H`).\n\nAn attacker able to inject user-supplied text into a CSS selector parse method can cause exponential backtracking, resulting in a potential denial of service.\n\n\n## Resources\n\n- [CWE-1333: Inefficient Regular Expression Complexity](https://cwe.mitre.org/data/definitions/1333.html)\n\n\n## Credit\n\nVector 1 was responsibly reported by @colby-swandale. Vectors 2 and 3 were discovered by @flavorjones during the response to the original report.",
"id": "GHSA-c4rq-3m3g-8wgx",
"modified": "2026-05-06T18:24:18Z",
"published": "2026-05-06T18:24:18Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-c4rq-3m3g-8wgx"
},
{
"type": "PACKAGE",
"url": "https://github.com/sparklemotion/nokogiri"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Nokogiri CSS selector tokenizer has regular expression backtracking"
}
GHSA-C6HR-W26Q-C636
Vulnerability from github – Published: 2026-03-02 22:17 – Updated: 2026-03-19 18:33Summary
extensions/feishu/src/bot.ts constructed new RegExp() directly from Feishu mention metadata (mention.name, mention.key) in stripBotMention() without escaping regex metacharacters.
Affected Packages / Versions
- Package: npm
openclaw - Affected versions:
<= 2026.2.17 - First affected release:
2026.2.6 - Patched version:
2026.2.19
Impact
- ReDoS: crafted nested-quantifier patterns in mention metadata can trigger catastrophic backtracking and block message processing.
- Regex injection: metacharacters in mention metadata can remove unintended message content before it is sent to the model.
Fix Commit(s)
7e67ab75cc2f0e93569d12fecd1411c2961fcc8c74268489137510b6f6349919d1e197b17290d92c
Thanks @allsmog for reporting.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.2.19"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-22178"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-02T22:17:30Z",
"nvd_published_at": "2026-03-18T02:16:22Z",
"severity": "MODERATE"
},
"details": "## Summary\n\n`extensions/feishu/src/bot.ts` constructed `new RegExp()` directly from Feishu mention metadata (`mention.name`, `mention.key`) in `stripBotMention()` without escaping regex metacharacters.\n\n## Affected Packages / Versions\n\n- Package: npm `openclaw`\n- Affected versions: `\u003c= 2026.2.17`\n- First affected release: `2026.2.6`\n- Patched version: `2026.2.19`\n\n## Impact\n\n- ReDoS: crafted nested-quantifier patterns in mention metadata can trigger catastrophic backtracking and block message processing.\n- Regex injection: metacharacters in mention metadata can remove unintended message content before it is sent to the model.\n\n## Fix Commit(s)\n\n- `7e67ab75cc2f0e93569d12fecd1411c2961fcc8c`\n- `74268489137510b6f6349919d1e197b17290d92c`\n\nThanks @allsmog for reporting.",
"id": "GHSA-c6hr-w26q-c636",
"modified": "2026-03-19T18:33:51Z",
"published": "2026-03-02T22:17:30Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-c6hr-w26q-c636"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22178"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/74268489137510b6f6349919d1e197b17290d92c"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/7e67ab75cc2f0e93569d12fecd1411c2961fcc8c"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/openclaw-redos-and-regex-injection-via-unescaped-feishu-mention-metadata"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OpenClaw has ReDoS and regex injection via unescaped Feishu mention metadata in RegExp construction"
}
GHSA-C8HV-77R5-H5F7
Vulnerability from github – Published: 2026-07-13 09:31 – Updated: 2026-07-13 09:31Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4, 10.11.x <= 10.11.19 fail to validate the length and content of message attachment field values, which allows an authenticated attacker to cause a denial of service for all users in a channel via a post containing a specially crafted payload that triggers catastrophic backtracking in the client-side markdown parser.. Mattermost Advisory ID: MMSA-2026-00658
{
"affected": [],
"aliases": [
"CVE-2026-6850"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-13T09:16:24Z",
"severity": "MODERATE"
},
"details": "Mattermost versions 11.7.x \u003c= 11.7.2, 11.6.x \u003c= 11.6.4, 10.11.x \u003c= 10.11.19 fail to validate the length and content of message attachment field values, which allows an authenticated attacker to cause a denial of service for all users in a channel via a post containing a specially crafted payload that triggers catastrophic backtracking in the client-side markdown parser.. Mattermost Advisory ID: MMSA-2026-00658",
"id": "GHSA-c8hv-77r5-h5f7",
"modified": "2026-07-13T09:31:43Z",
"published": "2026-07-13T09:31:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6850"
},
{
"type": "WEB",
"url": "https://mattermost.com/security-updates"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Use regular expressions that do not support backtracking, e.g. by removing nested quantifiers.
Mitigation
Set backtracking limits in the configuration of the regular expression implementation, such as PHP's pcre.backtrack_limit. Also consider limits on execution time for the process.
Mitigation
Do not use regular expressions with untrusted input. If regular expressions must be used, avoid using backtracking in the expression.
Mitigation
Limit the length of the input that the regular expression will process.
CAPEC-492: Regular Expression Exponential Blowup
An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions.