Common Weakness Enumeration

CWE-1333

Allowed

Inefficient Regular Expression Complexity

Abstraction: Base · Status: Draft

The product uses a regular expression with a worst-case computational complexity that is inefficient and possibly exponential.

732 vulnerabilities reference this CWE, most recent first.

GHSA-C9F4-XJ24-8JQX

Vulnerability from github – Published: 2017-10-24 18:33 – Updated: 2021-09-08 21:59
VLAI
Summary
Regular Expression Denial of Service in uglify-js
Details

Versions of uglify-js prior to 2.6.0 are affected by a regular expression denial of service vulnerability when malicious inputs are passed into the parse() method.

Proof of Concept

var u = require('uglify-js');
var genstr = function (len, chr) {
    var result = "";
    for (i=0; i<=len; i++) {
        result = result + chr;
    }

    return result;
}

u.parse("var a = " + genstr(process.argv[2], "1") + ".1ee7;");

Results

$ time node test.js 10000
real    0m1.091s
user    0m1.047s
sys 0m0.039s

$ time node test.js 80000
real    0m6.486s
user    0m6.229s
sys 0m0.094s

Recommendation

Update to version 2.6.0 or later.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "uglify-js"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.6.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2015-8858"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:30:50Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "Versions of `uglify-js` prior to 2.6.0 are affected by a regular expression denial of service vulnerability when malicious inputs are passed into the `parse()` method.\n\n\n### Proof of Concept\n\n```\nvar u = require(\u0027uglify-js\u0027);\nvar genstr = function (len, chr) {\n    var result = \"\";\n    for (i=0; i\u003c=len; i++) {\n        result = result + chr;\n    }\n\n    return result;\n}\n\nu.parse(\"var a = \" + genstr(process.argv[2], \"1\") + \".1ee7;\");\n```\n\n### Results\n```\n$ time node test.js 10000\nreal\t0m1.091s\nuser\t0m1.047s\nsys\t0m0.039s\n\n$ time node test.js 80000\nreal\t0m6.486s\nuser\t0m6.229s\nsys\t0m0.094s\n```\n\n\n## Recommendation\n\nUpdate to version 2.6.0 or later.",
  "id": "GHSA-c9f4-xj24-8jqx",
  "modified": "2021-09-08T21:59:09Z",
  "published": "2017-10-24T18:33:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-8858"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-c9f4-xj24-8jqx"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/advisories/48"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2016/04/20/11"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/96409"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Regular Expression Denial of Service in uglify-js"
}

GHSA-C9GM-7RFJ-8W5H

Vulnerability from github – Published: 2022-05-25 00:00 – Updated: 2024-05-03 20:39
VLAI
Summary
Duplicate Advisory: ReDoS via crafted JSON input in GJSON
Details

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-ppj4-34rq-v8j9. This link is maintained to preserve external references.

Original Description

GJSON <= 1.9.2 allows attackers to cause a redos via crafted JSON input.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/tidwall/gjson"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.9.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-42248"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-06-06T21:20:02Z",
    "nvd_published_at": "2022-05-24T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "## Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-ppj4-34rq-v8j9. This link is maintained to preserve external references.\n\n## Original Description\nGJSON \u003c= 1.9.2 allows attackers to cause a redos via crafted JSON input.",
  "id": "GHSA-c9gm-7rfj-8w5h",
  "modified": "2024-05-03T20:39:36Z",
  "published": "2022-05-25T00:00:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-42248"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tidwall/gjson/issues/236"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tidwall/gjson/issues/237"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tidwall/gjson/commit/590010fdac311cc8990ef5c97448d4fec8f29944"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tidwall/gjson/commit/77a57fda87dca6d0d7d4627d512a630f89a91c96"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/tidwall/gjson"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2021-0265"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Duplicate Advisory: ReDoS via crafted JSON input in GJSON",
  "withdrawn": "2024-05-03T20:39:36Z"
}

GHSA-CC65-XXVF-F7R9

Vulnerability from github – Published: 2024-02-15 15:22 – Updated: 2025-01-14 16:35
VLAI
Summary
Scrapy vulnerable to ReDoS via XMLFeedSpider
Details

Impact

The following parts of the Scrapy API were found to be vulnerable to a ReDoS attack:

  • The XMLFeedSpider class or any subclass that uses the default node iterator: iternodes, as well as direct uses of the scrapy.utils.iterators.xmliter function.

  • Scrapy 2.6.0 to 2.11.0: The open_in_browser function for a response without a base tag.

Handling a malicious response could cause extreme CPU and memory usage during the parsing of its content, due to the use of vulnerable regular expressions for that parsing.

Patches

Upgrade to Scrapy 2.11.1.

If you are using Scrapy 1.8 or a lower version, and upgrading to Scrapy 2.11.1 is not an option, you may upgrade to Scrapy 1.8.4 instead.

Workarounds

For XMLFeedSpider, switch the node iterator to xml or html.

For open_in_browser, before using the function, either manually review the response content to discard a ReDos attack or manually define the base tag to avoid its automatic definition by open_in_browser later.

Acknowledgements

This security issue was reported by @nicecatch2000 through huntr.com.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "scrapy"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2"
            },
            {
              "fixed": "2.11.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "scrapy"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.8.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-1892"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-02-15T15:22:02Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Impact\n\nThe following parts of the Scrapy API were found to be vulnerable to a [ReDoS attack](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS):\n\n- The [`XMLFeedSpider`](https://docs.scrapy.org/en/latest/topics/spiders.html#scrapy.spiders.XMLFeedSpider) class or any subclass that uses the default node iterator: `iternodes`, as well as direct uses of the `scrapy.utils.iterators.xmliter` function.\n\n- **Scrapy 2.6.0 to 2.11.0**: The [`open_in_browser`](https://docs.scrapy.org/en/latest/topics/debug.html#scrapy.utils.response.open_in_browser) function for a response without a [base tag](https://www.w3schools.com/tags/tag_base.asp). \n\nHandling a malicious response could cause extreme CPU and memory usage during the parsing of its content, due to the use of vulnerable regular expressions for that parsing.\n\n### Patches\n\nUpgrade to Scrapy 2.11.1.\n\nIf you are using Scrapy 1.8 or a lower version, and upgrading to Scrapy 2.11.1 is not an option, you may upgrade to Scrapy 1.8.4 instead.\n\n### Workarounds\n\nFor `XMLFeedSpider`, switch the node iterator to ``xml`` or ``html``.\n\nFor `open_in_browser`, before using the function, either manually review the response content to discard a ReDos attack or manually define the base tag to avoid its automatic definition by `open_in_browser` later.\n\n### Acknowledgements\n\nThis security issue was reported by @nicecatch2000  [through huntr.com](https://huntr.com/bounties/271f94f2-1e05-4616-ac43-41752389e26b/).\n",
  "id": "GHSA-cc65-xxvf-f7r9",
  "modified": "2025-01-14T16:35:57Z",
  "published": "2024-02-15T15:22:02Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/scrapy/scrapy/security/advisories/GHSA-cc65-xxvf-f7r9"
    },
    {
      "type": "WEB",
      "url": "https://github.com/scrapy/scrapy/commit/479619b340f197a8f24c5db45bc068fb8755f2c5"
    },
    {
      "type": "WEB",
      "url": "https://github.com/scrapy/scrapy/commit/73e7c0ed011a0565a1584b8052ec757b54e5270b"
    },
    {
      "type": "WEB",
      "url": "https://docs.scrapy.org/en/latest/news.html#scrapy-1-8-4-2024-02-14"
    },
    {
      "type": "WEB",
      "url": "https://docs.scrapy.org/en/latest/news.html#scrapy-2-11-1-2024-02-14"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/scrapy/PYSEC-2024-162.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/scrapy/scrapy"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/271f94f2-1e05-4616-ac43-41752389e26b"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Scrapy vulnerable to ReDoS via XMLFeedSpider"
}

GHSA-CG4J-Q9V8-6V38

Vulnerability from github – Published: 2026-03-23 20:52 – Updated: 2026-05-13 16:15
VLAI
Summary
Rails Active Support has a possible ReDoS vulnerability in number_to_delimited
Details

Impact

NumberToDelimitedConverter used a regular expression with gsub! to insert thousands delimiters. This could produce quadratic time complexity on long digit strings.

Releases

The fixed releases are available at the normal locations.

Credit

This issue was responsibly reported by Hackerone researcher scyoon.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "activesupport"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.1.0.beta1"
            },
            {
              "fixed": "8.1.2.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "activesupport"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.0.0.beta1"
            },
            {
              "fixed": "8.0.4.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "activesupport"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "7.2.3.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33169"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333",
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-23T20:52:40Z",
    "nvd_published_at": "2026-03-24T00:16:28Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n`NumberToDelimitedConverter` used a regular expression with `gsub!` to insert thousands delimiters. This could produce quadratic time complexity on long digit strings.\n\n### Releases\nThe fixed releases are available at the normal locations.\n\n### Credit\nThis issue was responsibly reported by Hackerone researcher [scyoon](https://hackerone.com/scyoon).",
  "id": "GHSA-cg4j-q9v8-6v38",
  "modified": "2026-05-13T16:15:32Z",
  "published": "2026-03-23T20:52:40Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/rails/rails/security/advisories/GHSA-cg4j-q9v8-6v38"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33169"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rails/rails/commit/29154f1097da13d48fdb3200760b3e3da66dcb11"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rails/rails/commit/b54a4b373c6f042cab6ee2033246b1c9ecc38974"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rails/rails/commit/ec1a0e215efd27a3b3911aae6df978a80f456a49"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/rails/rails"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rails/rails/releases/tag/v7.2.3.1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rails/rails/releases/tag/v8.0.4.1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rails/rails/releases/tag/v8.1.2.1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2026-33169.yml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Rails Active Support has a possible ReDoS vulnerability in number_to_delimited"
}

GHSA-CGFM-XWP7-2CVR

Vulnerability from github – Published: 2022-08-31 00:00 – Updated: 2024-04-22 23:16
VLAI
Summary
Sanitize-html Vulnerable To REDoS Attacks
Details

The package sanitize-html before 2.7.1 are vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure global regular expression replacement logic of HTML comment removal.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "sanitize-html"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.7.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-25887"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-22T23:16:47Z",
    "nvd_published_at": "2022-08-30T05:15:00Z",
    "severity": "HIGH"
  },
  "details": "The package sanitize-html before 2.7.1 are vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure global regular expression replacement logic of HTML comment removal.",
  "id": "GHSA-cgfm-xwp7-2cvr",
  "modified": "2024-04-22T23:16:47Z",
  "published": "2022-08-31T00:00:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25887"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apostrophecms/sanitize-html/pull/557"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apostrophecms/sanitize-html/commit/b4682c12fd30e12e82fa2d9b766de91d7d2cd23c"
    },
    {
      "type": "WEB",
      "url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3008102"
    },
    {
      "type": "WEB",
      "url": "https://security.snyk.io/vuln/SNYK-JS-SANITIZEHTML-2957526"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Sanitize-html Vulnerable To REDoS Attacks"
}

GHSA-CH52-VGQ2-943F

Vulnerability from github – Published: 2020-09-03 18:15 – Updated: 2020-08-31 18:46
VLAI
Summary
Regular Expression Denial of Service in marked
Details

Affected versions of marked are vulnerable to Regular Expression Denial of Service (ReDoS). The _label subrule may significantly degrade parsing performance of malformed input.

Recommendation

Upgrade to version 0.7.0 or later.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "marked"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.4.0"
            },
            {
              "fixed": "0.7.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-08-31T18:46:28Z",
    "nvd_published_at": null,
    "severity": "LOW"
  },
  "details": "Affected versions of `marked` are vulnerable to Regular Expression Denial of Service (ReDoS). The `_label` subrule may significantly degrade parsing performance of malformed input.\n\n\n## Recommendation\n\nUpgrade to version 0.7.0 or later.",
  "id": "GHSA-ch52-vgq2-943f",
  "modified": "2020-08-31T18:46:28Z",
  "published": "2020-09-03T18:15:53Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/advisories/1076"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Regular Expression Denial of Service in marked"
}

GHSA-CHRC-Q6V3-JFV8

Vulnerability from github – Published: 2023-05-24 18:30 – Updated: 2023-05-24 21:56
VLAI
Summary
Liferay Portal has Inefficient Regular Expression
Details

Pattern Redirects in Liferay Portal 7.4.3.48 through 7.4.3.76, and Liferay DXP 7.4 update 48 through 76 allows regular expressions that are vulnerable to ReDoS attacks to be used as patterns, which allows remote attackers to consume an excessive amount of server resources via crafted request URLs.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.liferay.portal:release.portal.bom"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.4.3.48"
            },
            {
              "fixed": "7.4.3.77"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-33950"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-05-24T21:56:12Z",
    "nvd_published_at": "2023-05-24T17:15:10Z",
    "severity": "MODERATE"
  },
  "details": "Pattern Redirects in Liferay Portal 7.4.3.48 through 7.4.3.76, and Liferay DXP 7.4 update 48 through 76 allows regular expressions that are vulnerable to ReDoS attacks to be used as patterns, which allows remote attackers to consume an excessive amount of server resources via crafted request URLs.",
  "id": "GHSA-chrc-q6v3-jfv8",
  "modified": "2023-05-24T21:56:12Z",
  "published": "2023-05-24T18:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33950"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/liferay/liferay-portal"
    },
    {
      "type": "WEB",
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33950"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Liferay Portal has Inefficient Regular Expression"
}

GHSA-CHW2-6C7R-37P7

Vulnerability from github – Published: 2022-08-25 00:00 – Updated: 2023-03-20 20:09
VLAI
Summary
uri-template-lite Regular Expression Denial of Service
Details

An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the uri-template-lite npm package, when an attacker is able to supply arbitrary input to the "URI.expand" method.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "uri-template-lite"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "22.9.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-43309"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333",
      "CWE-697"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-09-01T22:21:35Z",
    "nvd_published_at": "2022-08-24T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the uri-template-lite npm package, when an attacker is able to supply arbitrary input to the \"URI.expand\" method.",
  "id": "GHSA-chw2-6c7r-37p7",
  "modified": "2023-03-20T20:09:43Z",
  "published": "2022-08-25T00:00:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43309"
    },
    {
      "type": "WEB",
      "url": "https://github.com/litejs/uri-template-lite/commit/cbeec2b2a275d819fb534137a155df14729706f8"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/litejs/uri-template-lite"
    },
    {
      "type": "WEB",
      "url": "https://github.com/litejs/uri-template-lite/commits/v22.9.0"
    },
    {
      "type": "WEB",
      "url": "https://research.jfrog.com/vulnerabilities/uri-template-lite-redos-xray-211351"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "uri-template-lite Regular Expression Denial of Service"
}

GHSA-CJ83-2WW7-MVQ7

Vulnerability from github – Published: 2024-07-03 17:03 – Updated: 2024-11-05 18:12
VLAI
Summary
Rack ReDoS Vulnerability in HTTP Accept Headers Parsing
Details

Summary

A Regular Expression Denial of Service (ReDoS) vulnerability exists in the Rack::Request::Helpers module when parsing HTTP Accept headers. This vulnerability can be exploited by an attacker sending specially crafted Accept-Encoding or Accept-Language headers, causing the server to spend excessive time processing the request and leading to a Denial of Service (DoS).

Details

The fix for https://github.com/rack/rack/security/advisories/GHSA-54rr-7fvw-6x8f was not applied to the main branch and thus while the issue was fixed for the Rack v3.0 release series, it was not fixed in the v3.1 release series until v3.1.5.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "rack"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.1.0"
            },
            {
              "fixed": "3.1.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-39316"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-07-03T17:03:45Z",
    "nvd_published_at": "2024-07-02T16:15:04Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nA Regular Expression Denial of Service (ReDoS) vulnerability exists in the `Rack::Request::Helpers` module when parsing HTTP Accept headers. This vulnerability can be exploited by an attacker sending specially crafted `Accept-Encoding` or `Accept-Language` headers, causing the server to spend excessive time processing the request and leading to a Denial of Service (DoS).\n\n### Details\n\nThe fix for https://github.com/rack/rack/security/advisories/GHSA-54rr-7fvw-6x8f was not applied to the main branch and thus while the issue was fixed for the Rack v3.0 release series, it was not fixed in the v3.1 release series until v3.1.5.",
  "id": "GHSA-cj83-2ww7-mvq7",
  "modified": "2024-11-05T18:12:49Z",
  "published": "2024-07-03T17:03:45Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/rack/rack/security/advisories/GHSA-54rr-7fvw-6x8f"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rack/rack/security/advisories/GHSA-cj83-2ww7-mvq7"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39316"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rack/rack/commit/412c980450ca729ee37f90a2661f166a9665e058"
    },
    {
      "type": "WEB",
      "url": "https://advisory.dw1.io/61"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/rack/rack"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2024-39316.yml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Rack ReDoS Vulnerability in HTTP Accept Headers Parsing"
}

GHSA-CJ88-88MR-972W

Vulnerability from github – Published: 2022-07-18 17:03 – Updated: 2025-04-14 22:13
VLAI
Summary
glob-parent 6.0.0 vulnerable to Regular Expression Denial of Service
Details

glob-parent 6.0.0 is vulnerable to Regular Expression Denial of Service (ReDoS). This issue is fixed in version 6.0.1.

This vulnerability is separate from GHSA-ww39-953v-wcq6.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "glob-parent"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.0.0"
            },
            {
              "fixed": "6.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "6.0.0"
      ]
    }
  ],
  "aliases": [
    "CVE-2021-35065"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333",
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-07-18T17:03:23Z",
    "nvd_published_at": "2022-12-26T07:15:00Z",
    "severity": "HIGH"
  },
  "details": "glob-parent 6.0.0 is vulnerable to Regular Expression Denial of Service (ReDoS). This issue is fixed in version 6.0.1.\n\nThis vulnerability is separate from [GHSA-ww39-953v-wcq6](https://github.com/advisories/GHSA-ww39-953v-wcq6).",
  "id": "GHSA-cj88-88mr-972w",
  "modified": "2025-04-14T22:13:25Z",
  "published": "2022-07-18T17:03:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-35065"
    },
    {
      "type": "WEB",
      "url": "https://github.com/opensearch-project/OpenSearch-Dashboards/issues/1103"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gulpjs/glob-parent/pull/49"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gulpjs/glob-parent/commit/32f6d52663b7addac38d0dff570d8127edf03f47"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gulpjs/glob-parent/commit/3e9f04a3b4349db7e1962d87c9a7398cda51f339"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/gulpjs/glob-parent"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gulpjs/glob-parent/releases/tag/v6.0.1"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20230214-0010"
    },
    {
      "type": "WEB",
      "url": "https://security.snyk.io/vuln/SNYK-JS-GLOBPARENT-1314294"
    },
    {
      "type": "WEB",
      "url": "https://www.mend.io/vulnerability-database/CVE-2021-35065"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "glob-parent 6.0.0 vulnerable to Regular Expression Denial of Service"
}

Mitigation
Architecture and Design

Use regular expressions that do not support backtracking, e.g. by removing nested quantifiers.

Mitigation
System Configuration

Set backtracking limits in the configuration of the regular expression implementation, such as PHP's pcre.backtrack_limit. Also consider limits on execution time for the process.

Mitigation
Implementation

Do not use regular expressions with untrusted input. If regular expressions must be used, avoid using backtracking in the expression.

Mitigation
Implementation

Limit the length of the input that the regular expression will process.

CAPEC-492: Regular Expression Exponential Blowup

An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions.