Common Weakness Enumeration

CWE-1333

Allowed

Inefficient Regular Expression Complexity

Abstraction: Base · Status: Draft

The product uses a regular expression with a worst-case computational complexity that is inefficient and possibly exponential.

732 vulnerabilities reference this CWE, most recent first.

GHSA-CJW9-GHJ4-FWXF

Vulnerability from github – Published: 2026-04-09 16:41 – Updated: 2026-04-09 19:05
VLAI
Summary
fast-jwt has a ReDoS when using RegExp in allowed* leading to CPU exhaustion during token verification
Details

⚠️ IMPORTANT CLARIFICATIONS

### Affected Configurations This vulnerability ONLY affects applications that: - Use RegExp objects (not strings) in the allowedAud, allowedIss, allowedSub, allowedJti, or allowedNonce options - Configure patterns susceptible to catastrophic backtracking - Example: allowedAud: /^(a+)+X$/ ← VULNERABLE - Example: allowedAud: "api.company.com" ← SAFE

### Not Affected - Applications using string patterns for audience validation (most common) - Applications using safe RegExp patterns without nested quantifiers - Default fast-jwt configurations

### Assessment Guide To determine if you're affected: 1. Check ifallowedAud, allowedIss, allowedSub, allowedJti, or allowedNonce use RegExp objects (/pattern/ or new RegExp()) 2. If yes, review the pattern for nested quantifiers like (a+)+, (.*)*, etc. 3. If no RegExp usage, you are NOT affected


Summary

A denial-of-service condition exists in fast-jwt when the allowedAud verification option is configured using a regular expression.

Because the aud claim is attacker-controlled and the library evaluates it against the supplied RegExp, a crafted JWT can trigger catastrophic backtracking in the JavaScript regex engine, resulting in significant CPU consumption during verification.

This occurs with a validly signed JWT, making the issue exploitable in authenticated contexts such as:

  • API gateways

  • authentication middleware

  • service-to-service communication

  • OAuth / OIDC token validation pipelines


Affected Component

  • Library: fast-jwt

  • Version tested: 6.1.0

  • Runtime: Node.js v24.13.1

  • Feature: claim validation using allowedAud: RegExp


Impact

CPU exhaustion / Denial of Service

A crafted JWT causes verification to take multiple seconds per request due to catastrophic regex backtracking.

Measured verification times

Input size (n) | Verification time -- | -- 24 | ~123 ms 28 | ~1.97 s 30 | ~7.85 s

This is sufficient to:

  • block Node.js event loop threads

  • degrade API throughput

  • cause cascading service failures

  • increase serverless execution costs

  • saturate authentication infrastructure


Root Cause

The library allows regular expressions in claim validation:

















allowedAud: /^(a+)+X$/

The aud claim is attacker-controlled:

















aud = "a".repeat(n) + "Y"

This creates catastrophic backtracking in the JavaScript regex engine.

Verification time grows exponentially as input length increases.


Exploitability

Attack requires:

  • a valid signed JWT (post-authentication context)

  • attacker control over the aud claim

  • a vulnerable regex configured by the application

Common real-world scenarios

  • shared HS secrets

  • internal JWT issuance

  • microservice authentication

  • OAuth / OIDC custom audiences

  • internal service tokens


Proof of Concept

Reproduction steps

  1. Install fast-jwt

  2. Configure verifier with a RegExp in allowedAud

  3. Send a valid signed JWT with adversarial aud

Attached artifacts

  • poc-suite-redos-fastjwt.js

  • evidence-redos-fastjwt.json

Observed behavior

Verification CPU time increases from milliseconds to multiple seconds as input length grows.


Security Classification

  • CWE-1333: Inefficient Regular Expression

  • CWE-400: Uncontrolled Resource Consumption

  • Class: Authenticated Denial of Service


Expected Behavior

The library should prevent unbounded CPU work on attacker-controlled claims.

Possible mitigations

  • safe-regex validation

  • maximum length enforcement for claims

  • regex complexity limits

  • documentation warning about ReDoS risks when using RegExp-based validation


Notes

Signature verification occurs before claim validation, therefore this is not a pre-authentication DoS.

However, the vulnerability remains exploitable in authenticated or token-bearing contexts and can significantly impact production environments.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 6.2.0"
      },
      "package": {
        "ecosystem": "npm",
        "name": "fast-jwt"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0"
            },
            {
              "fixed": "6.2.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-35041"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-09T16:41:40Z",
    "nvd_published_at": "2026-04-09T16:16:27Z",
    "severity": "MODERATE"
  },
  "details": "## \u26a0\ufe0f IMPORTANT CLARIFICATIONS\n\n  ### Affected Configurations\n  This vulnerability ONLY affects applications that:\n  - Use RegExp objects (not strings) in the allowedAud, allowedIss, allowedSub, allowedJti, or allowedNonce options\n  - Configure patterns susceptible to catastrophic backtracking\n  - Example: `allowedAud: /^(a+)+X$/` \u2190 VULNERABLE\n  - Example: `allowedAud: \"api.company.com\"` \u2190 SAFE\n\n  ### Not Affected\n  - Applications using string patterns for audience validation (most common)\n  - Applications using safe RegExp patterns without nested quantifiers\n  - Default fast-jwt configurations\n\n  ### Assessment Guide\n  To determine if you\u0027re affected:\n  1. Check ifallowedAud, allowedIss, allowedSub, allowedJti, or allowedNonce use RegExp objects (`/pattern/` or `new RegExp()`)\n  2. If yes, review the pattern for nested quantifiers like `(a+)+`, `(.*)*`, etc.\n  3. If no RegExp usage, you are NOT affected\n\n------\n\n\u003chtml\u003e\n\u003cbody\u003e\n\u003c!--StartFragment--\u003e\u003ch2 data-start=\"218\" data-end=\"228\"\u003eSummary\u003c/h2\u003e\n\u003cp data-start=\"230\" data-end=\"364\"\u003eA denial-of-service condition exists in \u003ccode data-start=\"270\" data-end=\"280\"\u003efast-jwt\u003c/code\u003e when the \u003ccode data-start=\"290\" data-end=\"302\"\u003eallowedAud\u003c/code\u003e verification option is configured using a regular expression.\u003c/p\u003e\n\u003cp data-start=\"366\" data-end=\"618\"\u003eBecause the \u003ccode data-start=\"378\" data-end=\"383\"\u003eaud\u003c/code\u003e claim is attacker-controlled and the library evaluates it against the supplied \u003ccode data-start=\"463\" data-end=\"471\"\u003eRegExp\u003c/code\u003e, a crafted JWT can trigger catastrophic backtracking in the JavaScript regex engine, resulting in significant CPU consumption during verification.\u003c/p\u003e\n\u003cp data-start=\"620\" data-end=\"726\"\u003eThis occurs with a \u003cstrong data-start=\"639\" data-end=\"661\"\u003evalidly signed JWT\u003c/strong\u003e, making the issue exploitable in authenticated contexts such as:\u003c/p\u003e\n\u003cul data-start=\"728\" data-end=\"855\"\u003e\n\u003cli data-start=\"728\" data-end=\"744\"\u003e\n\u003cp data-start=\"730\" data-end=\"744\"\u003eAPI gateways\u003c/p\u003e\n\u003c/li\u003e\n\u003cli data-start=\"745\" data-end=\"774\"\u003e\n\u003cp data-start=\"747\" data-end=\"774\"\u003eauthentication middleware\u003c/p\u003e\n\u003c/li\u003e\n\u003cli data-start=\"775\" data-end=\"811\"\u003e\n\u003cp data-start=\"777\" data-end=\"811\"\u003eservice-to-service communication\u003c/p\u003e\n\u003c/li\u003e\n\u003cli data-start=\"812\" data-end=\"855\"\u003e\n\u003cp data-start=\"814\" data-end=\"855\"\u003eOAuth / OIDC token validation pipelines\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003chr data-start=\"857\" data-end=\"860\"\u003e\n\u003ch2 data-start=\"862\" data-end=\"883\"\u003eAffected Component\u003c/h2\u003e\n\u003cul data-start=\"885\" data-end=\"1035\"\u003e\n\u003cli data-start=\"885\" data-end=\"910\"\u003e\n\u003cp data-start=\"887\" data-end=\"910\"\u003e\u003cstrong data-start=\"887\" data-end=\"899\"\u003eLibrary:\u003c/strong\u003e fast-jwt\u003c/p\u003e\n\u003c/li\u003e\n\u003cli data-start=\"911\" data-end=\"940\"\u003e\n\u003cp data-start=\"913\" data-end=\"940\"\u003e\u003cstrong data-start=\"913\" data-end=\"932\"\u003eVersion tested:\u003c/strong\u003e 6.1.0\u003c/p\u003e\n\u003c/li\u003e\n\u003cli data-start=\"941\" data-end=\"974\"\u003e\n\u003cp data-start=\"943\" data-end=\"974\"\u003e\u003cstrong data-start=\"943\" data-end=\"955\"\u003eRuntime:\u003c/strong\u003e Node.js v24.13.1\u003c/p\u003e\n\u003c/li\u003e\n\u003cli data-start=\"975\" data-end=\"1035\"\u003e\n\u003cp data-start=\"977\" data-end=\"1035\"\u003e\u003cstrong data-start=\"977\" data-end=\"989\"\u003eFeature:\u003c/strong\u003e claim validation using \u003ccode data-start=\"1013\" data-end=\"1033\"\u003eallowedAud: RegExp\u003c/code\u003e\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003chr data-start=\"1037\" data-end=\"1040\"\u003e\n\u003ch2 data-start=\"1042\" data-end=\"1051\"\u003eImpact\u003c/h2\u003e\n\u003cp data-start=\"1053\" data-end=\"1091\"\u003e\u003cstrong data-start=\"1053\" data-end=\"1091\"\u003eCPU exhaustion / Denial of Service\u003c/strong\u003e\u003c/p\u003e\n\u003cp data-start=\"1093\" data-end=\"1203\"\u003eA crafted JWT causes verification to take multiple seconds per request due to catastrophic regex backtracking.\u003c/p\u003e\n\u003ch3 data-start=\"1205\" data-end=\"1236\"\u003eMeasured verification times\u003c/h3\u003e\n\u003cdiv class=\"TyagGW_tableContainer\"\u003e\u003cdiv tabindex=\"-1\" class=\"group TyagGW_tableWrapper flex flex-col-reverse w-fit\"\u003e\nInput size (n) | Verification time\n-- | --\n24 | ~123 ms\n28 | ~1.97 s\n30 | ~7.85 s\n\n\u003c/div\u003e\u003c/div\u003e\n\u003cp data-start=\"1339\" data-end=\"1361\"\u003eThis is sufficient to:\u003c/p\u003e\n\u003cul data-start=\"1363\" data-end=\"1546\"\u003e\n\u003cli data-start=\"1363\" data-end=\"1399\"\u003e\n\u003cp data-start=\"1365\" data-end=\"1399\"\u003eblock Node.js event loop threads\u003c/p\u003e\n\u003c/li\u003e\n\u003cli data-start=\"1400\" data-end=\"1426\"\u003e\n\u003cp data-start=\"1402\" data-end=\"1426\"\u003edegrade API throughput\u003c/p\u003e\n\u003c/li\u003e\n\u003cli data-start=\"1427\" data-end=\"1463\"\u003e\n\u003cp data-start=\"1429\" data-end=\"1463\"\u003ecause cascading service failures\u003c/p\u003e\n\u003c/li\u003e\n\u003cli data-start=\"1464\" data-end=\"1503\"\u003e\n\u003cp data-start=\"1466\" data-end=\"1503\"\u003eincrease serverless execution costs\u003c/p\u003e\n\u003c/li\u003e\n\u003cli data-start=\"1504\" data-end=\"1546\"\u003e\n\u003cp data-start=\"1506\" data-end=\"1546\"\u003esaturate authentication infrastructure\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003chr data-start=\"1548\" data-end=\"1551\"\u003e\n\u003ch2 data-start=\"1553\" data-end=\"1566\"\u003eRoot Cause\u003c/h2\u003e\n\u003cp data-start=\"1568\" data-end=\"1627\"\u003eThe library allows regular expressions in claim validation:\u003c/p\u003e\n\u003cpre class=\"overflow-visible! px-0!\" data-start=\"1629\" data-end=\"1661\"\u003e\u003cdiv class=\"w-full my-4\"\u003e\u003cdiv class=\"\"\u003e\u003cdiv class=\"relative\"\u003e\u003cdiv class=\"h-full min-h-0 min-w-0\"\u003e\u003cdiv class=\"h-full min-h-0 min-w-0\"\u003e\u003cdiv class=\"border corner-superellipse/1.1 border-token-border-light bg-token-bg-elevated-secondary rounded-3xl\"\u003e\u003cdiv class=\"pointer-events-none absolute inset-x-4 top-12 bottom-4\"\u003e\u003cdiv class=\"pointer-events-none sticky z-40 shrink-0 z-1!\"\u003e\u003cdiv class=\"sticky bg-token-border-light\"\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\u003cdiv class=\"pointer-events-none absolute inset-x-px top-0 bottom-96\"\u003e\u003cdiv class=\"pointer-events-none sticky z-40 shrink-0 z-1!\"\u003e\u003cdiv class=\"sticky bg-token-bg-elevated-secondary\"\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\u003cdiv class=\"corner-superellipse/1.1 rounded-3xl bg-token-bg-elevated-secondary\"\u003e\u003cdiv class=\"relative z-0 flex max-w-full\"\u003e\u003cdiv id=\"code-block-viewer\" dir=\"ltr\" class=\"q9tKkq_viewer cm-editor z-10 light:cm-light dark:cm-light flex h-full w-full flex-col items-stretch \u037cd \u037cr\"\u003e\u003cdiv class=\"cm-scroller\"\u003e\u003cdiv class=\"cm-content q9tKkq_readonly\"\u003e\u003cspan class=\"\u037co\"\u003eallowedAud\u003c/span\u003e\u003cspan\u003e: \u003c/span\u003e\u003cspan class=\"\u037ck\"\u003e/^(a+)+X$/\u003c/span\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\u003cdiv class=\"\"\u003e\u003cdiv class=\"\"\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\u003c/pre\u003e\n\u003cp data-start=\"1663\" data-end=\"1702\"\u003eThe \u003ccode data-start=\"1667\" data-end=\"1672\"\u003eaud\u003c/code\u003e claim is attacker-controlled:\u003c/p\u003e\n\u003cpre class=\"overflow-visible! px-0!\" data-start=\"1704\" data-end=\"1739\"\u003e\u003cdiv class=\"w-full my-4\"\u003e\u003cdiv class=\"\"\u003e\u003cdiv class=\"relative\"\u003e\u003cdiv class=\"h-full min-h-0 min-w-0\"\u003e\u003cdiv class=\"h-full min-h-0 min-w-0\"\u003e\u003cdiv class=\"border corner-superellipse/1.1 border-token-border-light bg-token-bg-elevated-secondary rounded-3xl\"\u003e\u003cdiv class=\"pointer-events-none absolute inset-x-4 top-12 bottom-4\"\u003e\u003cdiv class=\"pointer-events-none sticky z-40 shrink-0 z-1!\"\u003e\u003cdiv class=\"sticky bg-token-border-light\"\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\u003cdiv class=\"pointer-events-none absolute inset-x-px top-0 bottom-96\"\u003e\u003cdiv class=\"pointer-events-none sticky z-40 shrink-0 z-1!\"\u003e\u003cdiv class=\"sticky bg-token-bg-elevated-secondary\"\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\u003cdiv class=\"corner-superellipse/1.1 rounded-3xl bg-token-bg-elevated-secondary\"\u003e\u003cdiv class=\"relative z-0 flex max-w-full\"\u003e\u003cdiv id=\"code-block-viewer\" dir=\"ltr\" class=\"q9tKkq_viewer cm-editor z-10 light:cm-light dark:cm-light flex h-full w-full flex-col items-stretch \u037cd \u037cr\"\u003e\u003cdiv class=\"cm-scroller\"\u003e\u003cdiv class=\"cm-content q9tKkq_readonly\"\u003e\u003cspan class=\"\u037cm\"\u003eaud\u003c/span\u003e\u003cspan\u003e \u003c/span\u003e\u003cspan class=\"\u037cg\"\u003e=\u003c/span\u003e\u003cspan\u003e \u003c/span\u003e\u003cspan class=\"\u037ck\"\u003e\"a\"\u003c/span\u003e\u003cspan class=\"\u037cg\"\u003e.\u003c/span\u003e\u003cspan\u003erepeat(\u003c/span\u003e\u003cspan class=\"\u037cm\"\u003en\u003c/span\u003e\u003cspan\u003e) \u003c/span\u003e\u003cspan class=\"\u037cg\"\u003e+\u003c/span\u003e\u003cspan\u003e \u003c/span\u003e\u003cspan class=\"\u037ck\"\u003e\"Y\"\u003c/span\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\u003cdiv class=\"\"\u003e\u003cdiv class=\"\"\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\u003c/pre\u003e\n\u003cp data-start=\"1741\" data-end=\"1811\"\u003eThis creates catastrophic backtracking in the JavaScript regex engine.\u003c/p\u003e\n\u003cp data-start=\"1813\" data-end=\"1881\"\u003eVerification time grows \u003cstrong data-start=\"1837\" data-end=\"1854\"\u003eexponentially\u003c/strong\u003e as input length increases.\u003c/p\u003e\n\u003chr data-start=\"1883\" data-end=\"1886\"\u003e\n\u003ch2 data-start=\"1888\" data-end=\"1905\"\u003eExploitability\u003c/h2\u003e\n\u003cp data-start=\"1907\" data-end=\"1923\"\u003eAttack requires:\u003c/p\u003e\n\u003cul data-start=\"1925\" data-end=\"2066\"\u003e\n\u003cli data-start=\"1925\" data-end=\"1975\"\u003e\n\u003cp data-start=\"1927\" data-end=\"1975\"\u003ea valid signed JWT (post-authentication context)\u003c/p\u003e\n\u003c/li\u003e\n\u003cli data-start=\"1976\" data-end=\"2015\"\u003e\n\u003cp data-start=\"1978\" data-end=\"2015\"\u003eattacker control over the \u003ccode data-start=\"2004\" data-end=\"2009\"\u003eaud\u003c/code\u003e claim\u003c/p\u003e\n\u003c/li\u003e\n\u003cli data-start=\"2016\" data-end=\"2066\"\u003e\n\u003cp data-start=\"2018\" data-end=\"2066\"\u003ea vulnerable regex configured by the application\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch3 data-start=\"2068\" data-end=\"2099\"\u003eCommon real-world scenarios\u003c/h3\u003e\n\u003cul data-start=\"2101\" data-end=\"2232\"\u003e\n\u003cli data-start=\"2101\" data-end=\"2120\"\u003e\n\u003cp data-start=\"2103\" data-end=\"2120\"\u003eshared HS secrets\u003c/p\u003e\n\u003c/li\u003e\n\u003cli data-start=\"2121\" data-end=\"2144\"\u003e\n\u003cp data-start=\"2123\" data-end=\"2144\"\u003einternal JWT issuance\u003c/p\u003e\n\u003c/li\u003e\n\u003cli data-start=\"2145\" data-end=\"2174\"\u003e\n\u003cp data-start=\"2147\" data-end=\"2174\"\u003emicroservice authentication\u003c/p\u003e\n\u003c/li\u003e\n\u003cli data-start=\"2175\" data-end=\"2206\"\u003e\n\u003cp data-start=\"2177\" data-end=\"2206\"\u003eOAuth / OIDC custom audiences\u003c/p\u003e\n\u003c/li\u003e\n\u003cli data-start=\"2207\" data-end=\"2232\"\u003e\n\u003cp data-start=\"2209\" data-end=\"2232\"\u003einternal service tokens\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003chr data-start=\"2234\" data-end=\"2237\"\u003e\n\u003ch2 data-start=\"2239\" data-end=\"2258\"\u003eProof of Concept\u003c/h2\u003e\n\u003ch3 data-start=\"2260\" data-end=\"2282\"\u003eReproduction steps\u003c/h3\u003e\n\u003col data-start=\"2284\" data-end=\"2407\"\u003e\n\u003cli data-start=\"2284\" data-end=\"2305\"\u003e\n\u003cp data-start=\"2287\" data-end=\"2305\"\u003eInstall \u003ccode data-start=\"2295\" data-end=\"2305\"\u003efast-jwt\u003c/code\u003e\u003c/p\u003e\n\u003c/li\u003e\n\u003cli data-start=\"2306\" data-end=\"2357\"\u003e\n\u003cp data-start=\"2309\" data-end=\"2357\"\u003eConfigure verifier with a RegExp in \u003ccode data-start=\"2345\" data-end=\"2357\"\u003eallowedAud\u003c/code\u003e\u003c/p\u003e\n\u003c/li\u003e\n\u003cli data-start=\"2358\" data-end=\"2407\"\u003e\n\u003cp data-start=\"2361\" data-end=\"2407\"\u003eSend a valid signed JWT with adversarial \u003ccode data-start=\"2402\" data-end=\"2407\"\u003eaud\u003c/code\u003e\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch3 data-start=\"2409\" data-end=\"2431\"\u003eAttached artifacts\u003c/h3\u003e\n\u003cul data-start=\"2433\" data-end=\"2495\"\u003e\n\u003cli data-start=\"2433\" data-end=\"2463\"\u003e\n\u003cp data-start=\"2435\" data-end=\"2463\"\u003e\u003ccode data-start=\"2435\" data-end=\"2463\"\u003epoc-suite-redos-fastjwt.js\u003c/code\u003e\u003c/p\u003e\n\u003c/li\u003e\n\u003cli data-start=\"2464\" data-end=\"2495\"\u003e\n\u003cp data-start=\"2466\" data-end=\"2495\"\u003e\u003ccode data-start=\"2466\" data-end=\"2495\"\u003eevidence-redos-fastjwt.json\u003c/code\u003e\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch3 data-start=\"2497\" data-end=\"2518\"\u003eObserved behavior\u003c/h3\u003e\n\u003cp data-start=\"2520\" data-end=\"2612\"\u003eVerification CPU time increases from milliseconds to multiple seconds as input length grows.\u003c/p\u003e\n\u003chr data-start=\"2614\" data-end=\"2617\"\u003e\n\u003ch2 data-start=\"2619\" data-end=\"2645\"\u003eSecurity Classification\u003c/h2\u003e\n\u003cul data-start=\"2647\" data-end=\"2793\"\u003e\n\u003cli data-start=\"2647\" data-end=\"2695\"\u003e\n\u003cp data-start=\"2649\" data-end=\"2695\"\u003e\u003cstrong data-start=\"2649\" data-end=\"2662\"\u003eCWE-1333:\u003c/strong\u003e Inefficient Regular Expression\u003c/p\u003e\n\u003c/li\u003e\n\u003cli data-start=\"2696\" data-end=\"2746\"\u003e\n\u003cp data-start=\"2698\" data-end=\"2746\"\u003e\u003cstrong data-start=\"2698\" data-end=\"2710\"\u003eCWE-400:\u003c/strong\u003e Uncontrolled Resource Consumption\u003c/p\u003e\n\u003c/li\u003e\n\u003cli data-start=\"2747\" data-end=\"2793\"\u003e\n\u003cp data-start=\"2749\" data-end=\"2793\"\u003e\u003cstrong data-start=\"2749\" data-end=\"2759\"\u003eClass:\u003c/strong\u003e Authenticated Denial of Service\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003chr data-start=\"2795\" data-end=\"2798\"\u003e\n\u003ch2 data-start=\"2800\" data-end=\"2820\"\u003eExpected Behavior\u003c/h2\u003e\n\u003cp data-start=\"2822\" data-end=\"2898\"\u003eThe library should prevent unbounded CPU work on attacker-controlled claims.\u003c/p\u003e\n\u003ch3 data-start=\"2900\" data-end=\"2924\"\u003ePossible mitigations\u003c/h3\u003e\n\u003cul data-start=\"2926\" data-end=\"3092\"\u003e\n\u003cli data-start=\"2926\" data-end=\"2949\"\u003e\n\u003cp data-start=\"2928\" data-end=\"2949\"\u003esafe-regex validation\u003c/p\u003e\n\u003c/li\u003e\n\u003cli data-start=\"2950\" data-end=\"2989\"\u003e\n\u003cp data-start=\"2952\" data-end=\"2989\"\u003emaximum length enforcement for claims\u003c/p\u003e\n\u003c/li\u003e\n\u003cli data-start=\"2990\" data-end=\"3015\"\u003e\n\u003cp data-start=\"2992\" data-end=\"3015\"\u003eregex complexity limits\u003c/p\u003e\n\u003c/li\u003e\n\u003cli data-start=\"3016\" data-end=\"3092\"\u003e\n\u003cp data-start=\"3018\" data-end=\"3092\"\u003edocumentation warning about ReDoS risks when using RegExp-based validation\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003chr data-start=\"3094\" data-end=\"3097\"\u003e\n\u003ch2 data-start=\"3099\" data-end=\"3107\"\u003eNotes\u003c/h2\u003e\n\u003cp data-start=\"3109\" data-end=\"3215\"\u003eSignature verification occurs before claim validation, therefore this is \u003cstrong data-start=\"3182\" data-end=\"3214\"\u003enot a pre-authentication DoS\u003c/strong\u003e.\u003c/p\u003e\n\u003cp data-start=\"3217\" data-end=\"3360\"\u003eHowever, the vulnerability remains exploitable in authenticated or token-bearing contexts and can significantly impact production environments.\u003c/p\u003e\u003c!--EndFragment--\u003e\n\u003c/body\u003e\n\u003c/html\u003e",
  "id": "GHSA-cjw9-ghj4-fwxf",
  "modified": "2026-04-09T19:05:16Z",
  "published": "2026-04-09T16:41:40Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/nearform/fast-jwt/security/advisories/GHSA-cjw9-ghj4-fwxf"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35041"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nearform/fast-jwt/pull/595"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nearform/fast-jwt/commit/b0be0ca161593836a153d5180ca5358ad9b5de94"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/nearform/fast-jwt"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nearform/fast-jwt/releases/tag/v6.2.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "fast-jwt has a ReDoS when using RegExp in allowed* leading to CPU exhaustion during token verification"
}

GHSA-CMCX-XHR8-3W9P

Vulnerability from github – Published: 2020-02-20 23:26 – Updated: 2024-02-08 22:49
VLAI
Summary
Denial of Service in uap-core when processing crafted User-Agent strings
Details

Impact

Some regexes are vulnerable to regular expression denial of service (REDoS) due to overlapping capture groups. This allows remote attackers to overload a server by setting the User-Agent header in an HTTP(S) request to maliciously crafted long strings.

Patches

Please update uap-core to >= v0.7.3

Downstream packages such as uap-python, uap-ruby etc which depend upon uap-core follow different version schemes.

Details

Each vulnerable regular expression reported here contains 3 overlapping capture groups. Backtracking has approximately cubic time complexity with respect to the length of the user-agent string.

Regex 1:

\bSmartWatch *\( *([^;]+) *; *([^;]+) *;

is vulnerable in portion *([^;]+) * and can be attacked with

"SmartWatch(" + (" " * 3500) + "z"

e.g.

SmartWatch(                                   z

Regex 2:

; *([^;/]+) Build[/ ]Huawei(MT1-U06|[A-Z]+\d+[^\);]+)[^\);]*\)

is vulnerable in portion \d+[^\);]+[^\);]* and can be attacked with

";A Build HuaweiA" + ("4" * 3500) + "z"

Regex 3:

(HbbTV)/[0-9]+\.[0-9]+\.[0-9]+ \([^;]*; *(LG)E *; *([^;]*) *;[^;]*;[^;]*;\)

is vulnerable in portion *([^;]*) * and can be attacked with

"HbbTV/0.0.0 (;LGE;" + (" " * 3500) + "z"

Regex 4:

(HbbTV)/[0-9]+\.[0-9]+\.[0-9]+ \([^;]*; *(?:CUS:([^;]*)|([^;]+)) *; *([^;]*) *;.*;

is vulnerable in portions *(?:CUS:([^;]*)|([^;]+)) * and *([^;]*) * and can be attacked with

"HbbTV/0.0.0 (;CUS:;" + (" " * 3500) + "z"
"HbbTV/0.0.0 (;" + (" " * 3500) + "z"
"HbbTV/0.0.0 (;z;" + (" " * 3500) + "z"

Reported by Ben Caller @bcaller

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "uap-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.7.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "user_agent_parser"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.6.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-5243"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333",
      "CWE-20"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-02-20T23:09:32Z",
    "nvd_published_at": "2020-02-21T00:15:10Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nSome regexes are vulnerable to regular expression denial of service (REDoS) due to overlapping capture groups. This allows remote attackers to overload a server by setting the User-Agent header in an HTTP(S) request to maliciously crafted long strings.\n\n### Patches\n\nPlease update uap-core to \u0026amp;amp;gt;= v0.7.3\n\nDownstream packages such as uap-python, uap-ruby etc which depend upon uap-core follow different version schemes.\n\n### Details\n\nEach vulnerable regular expression reported here contains 3 overlapping capture groups. Backtracking has approximately cubic time complexity with respect to the length of the user-agent string.\n\n#### Regex 1:\n\n```\n\\bSmartWatch *\\( *([^;]+) *; *([^;]+) *;\n```\n\nis vulnerable in portion ` *([^;]+) *` and can be attacked with\n\n```python\n\u0026amp;amp;quot;SmartWatch(\u0026amp;amp;quot; + (\u0026amp;amp;quot; \u0026amp;amp;quot; * 3500) + \u0026amp;amp;quot;z\u0026amp;amp;quot;\n```\ne.g.\n```\nSmartWatch(                                   z\n```\n\n\n#### Regex 2:\n\n```\n; *([^;/]+) Build[/ ]Huawei(MT1-U06|[A-Z]+\\d+[^\\);]+)[^\\);]*\\)\n```\n\nis vulnerable in portion `\\d+[^\\);]+[^\\);]*` and can be attacked with\n\n```python\n\u0026amp;amp;quot;;A Build HuaweiA\u0026amp;amp;quot; + (\u0026amp;amp;quot;4\u0026amp;amp;quot; * 3500) + \u0026amp;amp;quot;z\u0026amp;amp;quot;\n```\n\n\n#### Regex 3:\n\n```\n(HbbTV)/[0-9]+\\.[0-9]+\\.[0-9]+ \\([^;]*; *(LG)E *; *([^;]*) *;[^;]*;[^;]*;\\)\n```\n\nis vulnerable in portion ` *([^;]*) *` and can be attacked with\n\n```python\n\u0026amp;amp;quot;HbbTV/0.0.0 (;LGE;\u0026amp;amp;quot; + (\u0026amp;amp;quot; \u0026amp;amp;quot; * 3500) + \u0026amp;amp;quot;z\u0026amp;amp;quot;\n```\n\n#### Regex 4:\n\n```\n(HbbTV)/[0-9]+\\.[0-9]+\\.[0-9]+ \\([^;]*; *(?:CUS:([^;]*)|([^;]+)) *; *([^;]*) *;.*;\n```\n\nis vulnerable in portions ` *(?:CUS:([^;]*)|([^;]+)) *` and ` *([^;]*) *` and can be attacked with\n\n```python\n\u0026amp;amp;quot;HbbTV/0.0.0 (;CUS:;\u0026amp;amp;quot; + (\u0026amp;amp;quot; \u0026amp;amp;quot; * 3500) + \u0026amp;amp;quot;z\u0026amp;amp;quot;\n\u0026amp;amp;quot;HbbTV/0.0.0 (;\u0026amp;amp;quot; + (\u0026amp;amp;quot; \u0026amp;amp;quot; * 3500) + \u0026amp;amp;quot;z\u0026amp;amp;quot;\n\u0026amp;amp;quot;HbbTV/0.0.0 (;z;\u0026amp;amp;quot; + (\u0026amp;amp;quot; \u0026amp;amp;quot; * 3500) + \u0026amp;amp;quot;z\u0026amp;amp;quot;\n```\n\nReported by Ben Caller @bcaller",
  "id": "GHSA-cmcx-xhr8-3w9p",
  "modified": "2024-02-08T22:49:51Z",
  "published": "2020-02-20T23:26:10Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ua-parser/uap-core/security/advisories/GHSA-cmcx-xhr8-3w9p"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ua-parser/uap-ruby/security/advisories/GHSA-pcqq-5962-hvcw"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-5243"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ua-parser/uap-core/commit/0afd61ed85396a3b5316f18bfd1edfaadf8e88e1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/user_agent_parser/CVE-2020-5243.yml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Denial of Service in uap-core when processing crafted User-Agent strings"
}

GHSA-CMHX-CQ75-C4MJ

Vulnerability from github – Published: 2021-08-04 21:03 – Updated: 2023-02-21 18:57
VLAI
Summary
Regular Expression Denial of Service in System.Text.RegularExpressions
Details

A denial of service vulnerability exists when .NET Framework and .NET Core improperly process RegEx strings, aka '.NET Framework and .NET Core Denial of Service Vulnerability'. This CVE ID is unique from CVE-2019-0980, CVE-2019-0981.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "System.Text.RegularExpressions"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.3.0"
            },
            {
              "fixed": "4.3.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2019-0820"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333",
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-08-04T21:03:27Z",
    "nvd_published_at": "2019-05-16T19:29:00Z",
    "severity": "HIGH"
  },
  "details": "A denial of service vulnerability exists when .NET Framework and .NET Core improperly process RegEx strings, aka \u0027.NET Framework and .NET Core Denial of Service Vulnerability\u0027. This CVE ID is unique from CVE-2019-0980, CVE-2019-0981.",
  "id": "GHSA-cmhx-cq75-c4mj",
  "modified": "2023-02-21T18:57:08Z",
  "published": "2021-08-04T21:03:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-0820"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2019:1259"
    },
    {
      "type": "WEB",
      "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0820"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Regular Expression Denial of Service in System.Text.RegularExpressions"
}

GHSA-CPH5-M8F7-6C5X

Vulnerability from github – Published: 2021-09-01 18:23 – Updated: 2022-09-14 21:28
VLAI
Summary
axios Inefficient Regular Expression Complexity vulnerability
Details

axios before v0.21.2 is vulnerable to Inefficient Regular Expression Complexity.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "axios"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.21.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-3749"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333",
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-09-01T18:14:02Z",
    "nvd_published_at": "2021-08-31T11:15:00Z",
    "severity": "HIGH"
  },
  "details": "axios before v0.21.2 is vulnerable to Inefficient Regular Expression Complexity.",
  "id": "GHSA-cph5-m8f7-6c5x",
  "modified": "2022-09-14T21:28:32Z",
  "published": "2021-09-01T18:23:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3749"
    },
    {
      "type": "WEB",
      "url": "https://github.com/axios/axios/commit/5b457116e31db0e88fede6c428e969e87f290929"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/package/axios"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rfc5c478053ff808671aef170f3d9fc9d05cc1fab8fb64431edc66103@%3Ccommits.druid.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rfa094029c959da0f7c8cd7dc9c4e59d21b03457bf0cedf6c93e1bb0a@%3Cdev.druid.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rc263bfc5b53afcb7e849605478d73f5556eb0c00d1f912084e407289@%3Ccommits.druid.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/ra15d63c54dc6474b29f72ae4324bcb03038758545b3ab800845de7a1@%3Ccommits.druid.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r74d0b359408fff31f87445261f0ee13bdfcac7d66f6b8e846face321@%3Ccommits.druid.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r7324ecc35b8027a51cb6ed629490fcd3b2d7cf01c424746ed5744bf1@%3Ccommits.druid.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r4bf1b32983f50be00f9752214c1b53738b621be1c2b0dbd68c7f2391@%3Ccommits.druid.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r3ae6d2654f92c5851bdb73b35e96b0e4e3da39f28ac7a1b15ae3aab8@%3Ccommits.druid.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r216f0fd0a3833856d6a6a1fada488cadba45f447d87010024328ccf2@%3Ccommits.druid.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r075d464dce95cd13c03ff9384658edcccd5ab2983b82bfc72b62bb10@%3Ccommits.druid.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/1e8f07fc-c384-4ff9-8498-0690de2e8c31"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/axios/axios"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "axios Inefficient Regular Expression Complexity vulnerability"
}

GHSA-CQF7-FF9H-7967

Vulnerability from github – Published: 2022-05-17 00:48 – Updated: 2024-09-18 16:17
VLAI
Summary
Django ReDoS in validators.URLValidator
Details

validators.URLValidator in Django 1.8.x before 1.8.3 allows remote attackers to cause a denial of service (CPU consumption) via unspecified vectors.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "Django"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.8a1"
            },
            {
              "fixed": "1.8.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2015-5145"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333",
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-08-03T19:54:38Z",
    "nvd_published_at": "2015-07-14T17:59:00Z",
    "severity": "HIGH"
  },
  "details": "`validators.URLValidator` in Django 1.8.x before 1.8.3 allows remote attackers to cause a denial of service (CPU consumption) via unspecified vectors.",
  "id": "GHSA-cqf7-ff9h-7967",
  "modified": "2024-09-18T16:17:40Z",
  "published": "2022-05-17T00:48:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-5145"
    },
    {
      "type": "WEB",
      "url": "https://github.com/django/django/commit/8f9a4d3a2bc42f14bb437defd30c7315adbff22c"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/django/django"
    },
    {
      "type": "WEB",
      "url": "https://github.com/django/django/blob/4555a823fd57e261e1b19c778429473256c8ea08/docs/releases/1.8.3.txt#L63-L68"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2015-21.yaml"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/201510-06"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20150924150801/http://www.securitytracker.com/id/1032820"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20170526042302/http://www.securityfocus.com/bid/75691"
    },
    {
      "type": "WEB",
      "url": "https://www.djangoproject.com/weblog/2015/jul/08/security-releases"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Django ReDoS in validators.URLValidator"
}

GHSA-CQFH-C4C5-C2HG

Vulnerability from github – Published: 2024-03-28 00:31 – Updated: 2025-09-03 15:16
VLAI
Summary
domain-suffix RegEx Denial of Service
Details

RegEx Denial of Service in domain-suffix 1.0.8 allows attackers to crash the application via crafted input to the parse function.

PoC

async function exploit() {
   const domainsuffix = require(\"domain-suffix\");
   // Crafting a string that will cause excessive backtracking
   const maliciousInput = \"a.\".repeat(10000) + \"b\"; // This will create a long sequence of \"a.\" followed by \"b\"
   const result = await domainsuffix.domainSuffix.parse(maliciousInput);
}
await exploit();
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "domain-suffix"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.0.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-25354"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-08-29T18:02:23Z",
    "nvd_published_at": "2024-03-27T22:15:10Z",
    "severity": "HIGH"
  },
  "details": "RegEx Denial of Service in domain-suffix 1.0.8 allows attackers to crash the application via crafted input to the parse function.\n\n## PoC\n```js\nasync function exploit() {\n   const domainsuffix = require(\\\"domain-suffix\\\");\n   // Crafting a string that will cause excessive backtracking\n   const maliciousInput = \\\"a.\\\".repeat(10000) + \\\"b\\\"; // This will create a long sequence of \\\"a.\\\" followed by \\\"b\\\"\n   const result = await domainsuffix.domainSuffix.parse(maliciousInput);\n}\nawait exploit();\n```",
  "id": "GHSA-cqfh-c4c5-c2hg",
  "modified": "2025-09-03T15:16:09Z",
  "published": "2024-03-28T00:31:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25354"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/6en6ar/c3b11b4058b8e2bc54717408d451fb79"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ikrong/domain-suffix"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ikrong/domain-suffix/blob/master/src/domainSuffix.ts"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "domain-suffix RegEx Denial of Service"
}

GHSA-CR84-XVW4-QX3C

Vulnerability from github – Published: 2022-10-25 22:27 – Updated: 2022-10-31 16:02
VLAI
Summary
Inefficient Regular Expression Complexity in shescape
Details

Impact

This impacts users that use shescape to escape arguments:

  • for the Unix shell Bash, or any not-officially-supported Unix shell;
  • using the escape or escapeAll functions with the interpolation option set to true.

An attacker can cause polynomial backtracking in terms of the input string length due to a Regular Expression in shescape that is vulnerable to Regular Expression Denial of Service (ReDoS). Example:

import * as shescape from "shescape";

/* 1. Prerequisites */
const options = {
  interpolation: true,
  // and
  shell: "/bin/bash",
  // or
  shell: "some-not-officially-supported-shell",
  // or
  shell: undefined, // Only if the system's default shell is bash or an unsupported shell.
};

/* 2. Attack */
let userInput = '{,'.repeat(150_000); // polynomial backtracking

/* 3. Usage */
shescape.escape(userInput, options);
// or
shescape.escapeAll([userInput], options);

Patches

This bug has been patched in v1.6.1 which you can upgrade to now. No further changes required.

Workarounds

Alternatively, a maximum length can be enforced on input strings to shescape to reduce the impact of the vulnerability. It is not recommended to try and detect vulnerable input strings, as the logic for this may end up being vulnerable to ReDoS itself.

References

For more information

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "shescape"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.5.10"
            },
            {
              "fixed": "1.6.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-25918"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-10-25T22:27:32Z",
    "nvd_published_at": "2022-10-27T10:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nThis impacts users that use shescape to escape arguments:\n\n- for the Unix shell Bash, or any not-officially-supported Unix shell;\n- using the `escape` or `escapeAll` functions with the `interpolation` option set to `true`.\n\nAn attacker can cause polynomial backtracking in terms of the input string length due to a Regular Expression in shescape that is vulnerable to Regular Expression Denial of Service (ReDoS). Example:\n\n```javascript\nimport * as shescape from \"shescape\";\n\n/* 1. Prerequisites */\nconst options = {\n  interpolation: true,\n  // and\n  shell: \"/bin/bash\",\n  // or\n  shell: \"some-not-officially-supported-shell\",\n  // or\n  shell: undefined, // Only if the system\u0027s default shell is bash or an unsupported shell.\n};\n\n/* 2. Attack */\nlet userInput = \u0027{,\u0027.repeat(150_000); // polynomial backtracking\n\n/* 3. Usage */\nshescape.escape(userInput, options);\n// or\nshescape.escapeAll([userInput], options);\n```\n\n### Patches\n\nThis bug has been patched in [v1.6.1](https://github.com/ericcornelissen/shescape/releases/tag/v1.6.1) which you can upgrade to now. No further changes required.\n\n### Workarounds\n\nAlternatively, a maximum length can be enforced on input strings to shescape to reduce the impact of the vulnerability. It is not recommended to try and detect vulnerable input strings, as the logic for this may end up being vulnerable to ReDoS itself.\n\n### References\n\n- Shescape commit [552e8ea](https://github.com/ericcornelissen/shescape/commit/552e8eab56861720b1d4e5474fb65741643358f9)\n- Shescape Release [v1.6.1](https://github.com/ericcornelissen/shescape/releases/tag/v1.6.1)\n\n### For more information\n\n- Comment on commit [552e8ea](https://github.com/ericcornelissen/shescape/commit/552e8eab56861720b1d4e5474fb65741643358f9)\n- Open an issue at [https://github.com/ericcornelissen/shescape/issues](https://github.com/ericcornelissen/shescape/issues?q=is%3Aissue+is%3Aopen) (New issue \u003e Question \u003e Get started)\n",
  "id": "GHSA-cr84-xvw4-qx3c",
  "modified": "2022-10-31T16:02:55Z",
  "published": "2022-10-25T22:27:32Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ericcornelissen/shescape/security/advisories/GHSA-cr84-xvw4-qx3c"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25918"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ericcornelissen/shescape/commit/552e8eab56861720b1d4e5474fb65741643358f9"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ericcornelissen/shescape"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ericcornelissen/shescape/blob/main/src/unix.js%23L52"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ericcornelissen/shescape/releases/tag/v1.6.1"
    },
    {
      "type": "WEB",
      "url": "https://security.snyk.io/vuln/SNYK-JS-SHESCAPE-3061108"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Inefficient Regular Expression Complexity in shescape "
}

GHSA-CRJR-9RC5-GHW8

Vulnerability from github – Published: 2022-04-11 21:18 – Updated: 2023-07-06 16:02
VLAI
Summary
Nokogiri Inefficient Regular Expression Complexity
Details

Summary

Nokogiri < v1.13.4 contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to detect encoding in HTML documents.

Mitigation

Upgrade to Nokogiri >= 1.13.4.

Severity

The Nokogiri maintainers have evaluated this as High Severity 7.5 (CVSS3.1).

References

CWE-1333 Inefficient Regular Expression Complexity

Credit

This vulnerability was reported by HackerOne user ooooooo_q (ななおく).

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "nokogiri"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.13.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-24836"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333",
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-04-11T21:18:06Z",
    "nvd_published_at": "2022-04-11T22:15:00Z",
    "severity": "HIGH"
  },
  "details": "## Summary\n\nNokogiri `\u003c v1.13.4` contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to detect encoding in HTML documents.\n\n## Mitigation\n\nUpgrade to Nokogiri `\u003e= 1.13.4`.\n\n\n## Severity\n\nThe Nokogiri maintainers have evaluated this as [**High Severity** 7.5 (CVSS3.1)](https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).\n\n\n## References\n\n[CWE-1333](https://cwe.mitre.org/data/definitions/1333.html) Inefficient Regular Expression Complexity\n\n\n## Credit\n\nThis vulnerability was reported by HackerOne user ooooooo_q (\u306a\u306a\u304a\u304f).\n",
  "id": "GHSA-crjr-9rc5-ghw8",
  "modified": "2023-07-06T16:02:37Z",
  "published": "2022-04-11T21:18:06Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-crjr-9rc5-ghw8"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24836"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sparklemotion/nokogiri/commit/e444525ef1634b675cd1cf52d39f4320ef0aecfd"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2022-24836.yml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/sparklemotion/nokogiri"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sparklemotion/nokogiri/releases/tag/v1.13.4"
    },
    {
      "type": "WEB",
      "url": "https://groups.google.com/g/ruby-security-ann/c/vX7qSjsvWis/m/TJWN4oOKBwAJ?utm_medium=email\u0026utm_source=footer"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00013.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2022/10/msg00018.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DHCOWMA5PQTIQIMDENA7R2Y5BDYAIYM"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OUPLBUZVM4WPFSXBEP2JS3R6LMKRTLFC"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XMDCWRQXJQ3TFSETPCEFMQ6RR6ME5UA3"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202208-29"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/kb/HT213532"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2022/Dec/23"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Nokogiri Inefficient Regular Expression Complexity"
}

GHSA-CW56-J3FM-7W57

Vulnerability from github – Published: 2022-05-18 00:00 – Updated: 2023-07-11 16:35
VLAI
Summary
Regular expression denial of service in Apache ShenYu
Details

In Apache ShenYui, ShenYu-Bootstrap, RegexPredicateJudge.java uses Pattern.matches(conditionData.getParamValue(), realData) to make judgments, where both parameters are controllable by the user. This can cause an attacker pass in malicious regular expressions and characters causing a resource exhaustion. This issue affects Apache ShenYu (incubating) 2.4.0, 2.4.1 and 2.4.2 and is fixed in 2.4.3.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.shenyu:shenyu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.4.0"
            },
            {
              "fixed": "2.4.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.shenyu:shenyu-bootstrap"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.4.0"
            },
            {
              "fixed": "2.4.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-26650"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333",
      "CWE-862"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-05-25T19:36:33Z",
    "nvd_published_at": "2022-05-17T08:15:00Z",
    "severity": "HIGH"
  },
  "details": "In Apache ShenYui, ShenYu-Bootstrap, RegexPredicateJudge.java uses Pattern.matches(conditionData.getParamValue(), realData) to make judgments, where both parameters are controllable by the user. This can cause an attacker pass in malicious regular expressions and characters causing a resource exhaustion. This issue affects Apache ShenYu (incubating) 2.4.0, 2.4.1 and 2.4.2 and is fixed in 2.4.3.",
  "id": "GHSA-cw56-j3fm-7w57",
  "modified": "2023-07-11T16:35:32Z",
  "published": "2022-05-18T00:00:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-26650"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/incubator-shenyu"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/8rp33m3nm4bwtx3qx76mqynth3t3d673"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2022/05/17/3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Regular expression denial of service in Apache ShenYu"
}

GHSA-F45G-68Q3-5W8X

Vulnerability from github – Published: 2026-03-10 21:04 – Updated: 2026-03-10 22:55
VLAI
Summary
Elysia has a string URL format ReDoS
Details

Impact

t.String({ format: 'url' }) is vulnerable to redos

Repeating a partial url format (protocol and hostname) multiple times cause regex to slow down significantly

'http://a'.repeat(n)

Here's a table demonstrating how long it takes to process repeated partial url format | n repeat | elapsed_ms | | --- | --- | | 1024 | 33.993 | | 2048 | 134.357 | | 4096 | 537.608 | | 8192 | 2155.842 | | 16384 | 8618.457 | | 32768 | 34604.139 |

Patches

Patched by 1.4.26, please kindly update elysia to >= 1.4.26

Here's how long it takes after the patch | n repeat | elapsed_ms | | --- | --- | | 1024 | 0.194 | | 2048 | 0.274 | | 4096 | 0.455 | | 8192 | 0.831 | | 16384 | 1.632 | | 32768 | 3.052 |

Workarounds

  1. It's recommended to always limit URL format to a reasonable length
t.String({
    format: 'url',
    maxLength: 288
})
  1. If a long URL format is necessary, to patch this without updating to 1.4.26, add the following code to any part of your codebase
import { FormatRegistry } from '@sinclair/typebox'

FormatRegistry.Delete('url')
FormatRegistry.Set('url', (value) =>
    /^(?:https?|ftp):\/\/(?:[^\s:@]+(?::[^\s@]*)?@)?(?:(?!(?:10|127)(?:\.\d{1,3}){3})(?!(?:169\.254|192\.168)(?:\.\d{1,3}){2})(?!172\.(?:1[6-9]|2\d|3[0-1])(?:\.\d{1,3}){2})(?:[1-9]\d?|1\d\d|2[01]\d|22[0-3])(?:\.(?:1?\d{1,2}|2[0-4]\d|25[0-5])){2}(?:\.(?:[1-9]\d?|1\d\d|2[0-4]\d|25[0-4]))|(?:(?:[a-z0-9\u{00a1}-\u{ffff}]+-)*[a-z0-9\u{00a1}-\u{ffff}]+)(?:\.(?:[a-z0-9\u{00a1}-\u{ffff}]+-)*[a-z0-9\u{00a1}-\u{ffff}]+)*(?:\.(?:[a-z\u{00a1}-\u{ffff}]{2,})))(?::\d{2,5})?(?:\/[^\s]*)?$/iu.test(
        value
    )
)
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "elysia"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.4.26"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-30837"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-10T21:04:25Z",
    "nvd_published_at": "2026-03-10T21:16:47Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n`t.String({ format: \u0027url\u0027 })` is vulnerable to redos\n\nRepeating a partial url format (protocol and hostname) multiple times cause regex to slow down significantly\n```js\n\u0027http://a\u0027.repeat(n)\n```\n\nHere\u0027s a table demonstrating how long it takes to process repeated partial url format\n| `n` repeat | elapsed_ms |\n| --- | --- |\n| 1024 | 33.993 |\n| 2048 | 134.357 |\n| 4096 | 537.608 |\n| 8192 | 2155.842 |\n| 16384 | 8618.457 |\n| 32768 | 34604.139 |\n\n### Patches\nPatched by 1.4.26, please kindly update `elysia` to \u003e= 1.4.26 \n\nHere\u0027s how long it takes after the patch\n| `n` repeat | elapsed_ms |\n| --- | --- |\n| 1024 | 0.194 |\n| 2048 | 0.274 |\n| 4096 | 0.455 |\n| 8192 | 0.831 |\n| 16384 | 1.632 |\n| 32768 | 3.052 |\n\n### Workarounds\n1. It\u0027s recommended to always limit URL format to a reasonable length\n```ts\nt.String({\n\tformat: \u0027url\u0027,\n\tmaxLength: 288\n})\n```\n\n2. If a long URL format is necessary, to patch this without updating to 1.4.26, add the following code to any part of your codebase\n```js\nimport { FormatRegistry } from \u0027@sinclair/typebox\u0027\n\nFormatRegistry.Delete(\u0027url\u0027)\nFormatRegistry.Set(\u0027url\u0027, (value) =\u003e\n\t/^(?:https?|ftp):\\/\\/(?:[^\\s:@]+(?::[^\\s@]*)?@)?(?:(?!(?:10|127)(?:\\.\\d{1,3}){3})(?!(?:169\\.254|192\\.168)(?:\\.\\d{1,3}){2})(?!172\\.(?:1[6-9]|2\\d|3[0-1])(?:\\.\\d{1,3}){2})(?:[1-9]\\d?|1\\d\\d|2[01]\\d|22[0-3])(?:\\.(?:1?\\d{1,2}|2[0-4]\\d|25[0-5])){2}(?:\\.(?:[1-9]\\d?|1\\d\\d|2[0-4]\\d|25[0-4]))|(?:(?:[a-z0-9\\u{00a1}-\\u{ffff}]+-)*[a-z0-9\\u{00a1}-\\u{ffff}]+)(?:\\.(?:[a-z0-9\\u{00a1}-\\u{ffff}]+-)*[a-z0-9\\u{00a1}-\\u{ffff}]+)*(?:\\.(?:[a-z\\u{00a1}-\\u{ffff}]{2,})))(?::\\d{2,5})?(?:\\/[^\\s]*)?$/iu.test(\n\t\tvalue\n\t)\n)\n```",
  "id": "GHSA-f45g-68q3-5w8x",
  "modified": "2026-03-10T22:55:50Z",
  "published": "2026-03-10T21:04:25Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/elysiajs/elysia/security/advisories/GHSA-f45g-68q3-5w8x"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30837"
    },
    {
      "type": "WEB",
      "url": "https://github.com/EdamAme-x/elysia-poc-redos"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/elysiajs/elysia"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Elysia has a string URL format ReDoS"
}

Mitigation
Architecture and Design

Use regular expressions that do not support backtracking, e.g. by removing nested quantifiers.

Mitigation
System Configuration

Set backtracking limits in the configuration of the regular expression implementation, such as PHP's pcre.backtrack_limit. Also consider limits on execution time for the process.

Mitigation
Implementation

Do not use regular expressions with untrusted input. If regular expressions must be used, avoid using backtracking in the expression.

Mitigation
Implementation

Limit the length of the input that the regular expression will process.

CAPEC-492: Regular Expression Exponential Blowup

An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions.