CWE-1333
AllowedInefficient Regular Expression Complexity
Abstraction: Base · Status: Draft
The product uses a regular expression with a worst-case computational complexity that is inefficient and possibly exponential.
732 vulnerabilities reference this CWE, most recent first.
GHSA-G4JQ-25CX-3CW5
Vulnerability from github – Published: 2026-07-02 21:32 – Updated: 2026-07-02 21:32LobeChat before version 2.2.10-canary.15 contains a regular expression denial of service (ReDoS) vulnerability that allows authenticated attackers to block the Node.js event loop by supplying a catastrophic-backtracking pattern in a GitHub repository URL path during skill import. Attackers can craft a malicious basePath value containing unescaped regex metacharacters such as catastrophic-backtracking patterns, which are injected into a dynamically constructed regular expression in the findSkillMd function and executed synchronously against archive entries, denying service to all concurrent users for tens of seconds per request.
{
"affected": [],
"aliases": [
"CVE-2026-58578"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-02T20:17:06Z",
"severity": "HIGH"
},
"details": "LobeChat before version 2.2.10-canary.15 contains a regular expression denial of service (ReDoS) vulnerability that allows authenticated attackers to block the Node.js event loop by supplying a catastrophic-backtracking pattern in a GitHub repository URL path during skill import. Attackers can craft a malicious basePath value containing unescaped regex metacharacters such as catastrophic-backtracking patterns, which are injected into a dynamically constructed regular expression in the findSkillMd function and executed synchronously against archive entries, denying service to all concurrent users for tens of seconds per request.",
"id": "GHSA-g4jq-25cx-3cw5",
"modified": "2026-07-02T21:32:13Z",
"published": "2026-07-02T21:32:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-58578"
},
{
"type": "WEB",
"url": "https://github.com/lobehub/lobehub/issues/16494"
},
{
"type": "WEB",
"url": "https://github.com/lobehub/lobehub/pull/16548"
},
{
"type": "WEB",
"url": "https://github.com/lobehub/lobehub/commit/349bbe326eb8635d6d9c6a96d12702681ae3a84a"
},
{
"type": "WEB",
"url": "https://github.com/lobehub/lobehub/releases/tag/v2.2.10-canary.15"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/lobechat-canary-15-regular-expression-denial-of-service-in-github-skill-import"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-G75F-G53V-794X
Vulnerability from github – Published: 2026-06-16 14:07 – Updated: 2026-06-16 14:07Summary
Bleach 6.3.0 exposes a documented email-linkification path through bleach.linkify(..., parse_email=True). The implementation scans attacker-controlled text with EMAIL_RE.finditer() over the full character token and has no length, timeout, or linear prefilter before applying the dot-atom email regex. A non-email payload around 30 KB causes multi-second CPU consumption per request/call, creating a direct availability risk for applications that enable email linkification on user-submitted text.
Affected Product
- Package:
bleach - Ecosystem: pip
- Affected versions: verified in
6.3.0; exact first affected version not established - Patched versions: none known at finalization time
- Tested version:
6.3.0 - Audit commit/tag:
v6.3.0/5546d5dbce60d08ccb99d981778d74044d646d4e - PyPI sdist SHA256:
6f3b91b1c0a02bb9a78b5a454c92506aa0fdf197e1d5e114d2e00c6f64306d22
Vulnerability Details
- CWE: CWE-1333: Inefficient Regular Expression Complexity; related availability impact maps to CWE-400
- Component:
bleach/linkifier.py,build_email_re(),LinkifyFilter.handle_email_addresses() - Root cause:
handle_email_addresses()callsself.email_re.finditer(text)on attacker-controlled text.EMAIL_REincludes a repeated dot-atom local-part pattern, so non-email strings such as repeateda.segments with no@force repeated long failing scans. - Security boundary violated: user-submitted text processed by a documented safe linkification helper should not allow an attacker to impose superlinear CPU cost through non-email text.
- Direct impact: per-request CPU exhaustion / denial-of-service risk in applications that enable
parse_email=Trueon attacker-controlled text. - Chain impact, if any: one proof run observed an unrelated
/healthrequest delayed during a concurrent attack request, but this was not reliable across reviewer retests. Treat cross-request service degradation as environment-dependent supporting evidence, not the primary impact. - Severity estimate: Medium / availability-only. The feature is opt-in and deployment body limits/timeouts affect practical severity.
Relevant code path:
- bleach/__init__.py:85-125: public linkify(text, ..., parse_email=False) constructs Linker(..., parse_email=parse_email) and calls linker.linkify(text).
- bleach/linkifier.py:77-88: EMAIL_RE is compiled from the dot-atom email pattern.
- bleach/linkifier.py:292-301: handle_email_addresses() applies self.email_re.finditer(text) to each character token.
- bleach/linkifier.py:620-623: character tokens are routed into email handling only when parse_email is true.
- docs/goals.rst:30-40: Bleach documents user comments, profile bios, and descriptions as target untrusted text use cases.
- docs/linkify.rst:300-305: parse_email=True is the documented option for creating mailto: links.
Attack Preconditions
- The consuming application enables the documented
parse_email=Trueoption, for examplebleach.linkify(user_text, parse_email=True)orLinker(parse_email=True).linkify(user_text). - The attacker can submit text that reaches that linkification path. Authentication depends on the host application; a public comment form would make this unauthenticated, while account-only text fields require user privileges.
- The application allows roughly 20-30 KB of text to reach Bleach and lacks a strict timeout or input cap before linkification.
- No custom bounded
email_reis supplied.
Reproduction
Minimal API trigger:
import bleach
payload = ("a." * 15000) + "a"
bleach.linkify(payload, parse_email=True)
The saved HTTP proof uses a local harness with POST /preview calling bleach.linkify(request_body, parse_email=True) and a control endpoint using parse_email=False on the same payload. The exploit sends baseline/control/attack requests over HTTP to 127.0.0.1.
Proof Evidence
The proof ran against Bleach 6.3.0 installed from the audited local checkout in an isolated temporary venv. It used Python 3.12.3 on Linux.
Measured HTTP proof results:
- Payload: ("a." * 15000) + "a" (30001 bytes)
- Normal baseline /preview mean: 0.001425 seconds
- Same 30 KB payload with parse_email=False: 0.048349 seconds
- Attack payload with parse_email=True: 8.719818 seconds
- Slowdown versus the larger baseline/control mean: 180.35x
- Requests sent by proof: 20
Evidence files: poc.py poc_results.json exploit_proof.py exploit_results.json
Scope and Limitations
- This report does not claim XSS, authentication bypass, data disclosure, remote code execution, persistent crash, or persistent service outage.
parse_email=Trueis not the default. The affected path is a documented opt-in feature.- The exact first affected version is not established.
- Practical impact depends on host application input limits, worker model, request timeout policy, and whether untrusted users can submit text to an email-linkification path.
- A reviewer reproduced the direct CPU cost but did not reproduce the proof harness’s
/healthdelay. The direct impact claim is therefore limited to per-request CPU exhaustion. - Bleach is marked deprecated in
README.rst, andSECURITY.mdhas stale supported-version text, but the package still has a 2025 PyPI release and published Mozilla security reporting routes.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "bleach"
},
"versions": [
"6.3.0"
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-16T14:07:30Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "## Summary\nBleach 6.3.0 exposes a documented email-linkification path through `bleach.linkify(..., parse_email=True)`. The implementation scans attacker-controlled text with `EMAIL_RE.finditer()` over the full character token and has no length, timeout, or linear prefilter before applying the dot-atom email regex. A non-email payload around 30 KB causes multi-second CPU consumption per request/call, creating a direct availability risk for applications that enable email linkification on user-submitted text.\n\n## Affected Product\n- Package: `bleach`\n- Ecosystem: pip\n- Affected versions: verified in `6.3.0`; exact first affected version not established\n- Patched versions: none known at finalization time\n- Tested version: `6.3.0`\n- Audit commit/tag: `v6.3.0` / `5546d5dbce60d08ccb99d981778d74044d646d4e`\n- PyPI sdist SHA256: `6f3b91b1c0a02bb9a78b5a454c92506aa0fdf197e1d5e114d2e00c6f64306d22`\n\n## Vulnerability Details\n- CWE: CWE-1333: Inefficient Regular Expression Complexity; related availability impact maps to CWE-400\n- Component: `bleach/linkifier.py`, `build_email_re()`, `LinkifyFilter.handle_email_addresses()`\n- Root cause: `handle_email_addresses()` calls `self.email_re.finditer(text)` on attacker-controlled text. `EMAIL_RE` includes a repeated dot-atom local-part pattern, so non-email strings such as repeated `a.` segments with no `@` force repeated long failing scans.\n- Security boundary violated: user-submitted text processed by a documented safe linkification helper should not allow an attacker to impose superlinear CPU cost through non-email text.\n- Direct impact: per-request CPU exhaustion / denial-of-service risk in applications that enable `parse_email=True` on attacker-controlled text.\n- Chain impact, if any: one proof run observed an unrelated `/health` request delayed during a concurrent attack request, but this was not reliable across reviewer retests. Treat cross-request service degradation as environment-dependent supporting evidence, not the primary impact.\n- Severity estimate: Medium / availability-only. The feature is opt-in and deployment body limits/timeouts affect practical severity.\n\nRelevant code path:\n- `bleach/__init__.py:85-125`: public `linkify(text, ..., parse_email=False)` constructs `Linker(..., parse_email=parse_email)` and calls `linker.linkify(text)`.\n- `bleach/linkifier.py:77-88`: `EMAIL_RE` is compiled from the dot-atom email pattern.\n- `bleach/linkifier.py:292-301`: `handle_email_addresses()` applies `self.email_re.finditer(text)` to each character token.\n- `bleach/linkifier.py:620-623`: character tokens are routed into email handling only when `parse_email` is true.\n- `docs/goals.rst:30-40`: Bleach documents user comments, profile bios, and descriptions as target untrusted text use cases.\n- `docs/linkify.rst:300-305`: `parse_email=True` is the documented option for creating `mailto:` links.\n\n## Attack Preconditions\n- The consuming application enables the documented `parse_email=True` option, for example `bleach.linkify(user_text, parse_email=True)` or `Linker(parse_email=True).linkify(user_text)`.\n- The attacker can submit text that reaches that linkification path. Authentication depends on the host application; a public comment form would make this unauthenticated, while account-only text fields require user privileges.\n- The application allows roughly 20-30 KB of text to reach Bleach and lacks a strict timeout or input cap before linkification.\n- No custom bounded `email_re` is supplied.\n\n## Reproduction\nMinimal API trigger:\n\n```python\nimport bleach\npayload = (\"a.\" * 15000) + \"a\"\nbleach.linkify(payload, parse_email=True)\n```\n\nThe saved HTTP proof uses a local harness with `POST /preview` calling `bleach.linkify(request_body, parse_email=True)` and a control endpoint using `parse_email=False` on the same payload. The exploit sends baseline/control/attack requests over HTTP to `127.0.0.1`.\n\n## Proof Evidence\nThe proof ran against Bleach `6.3.0` installed from the audited local checkout in an isolated temporary venv. It used Python `3.12.3` on Linux.\n\nMeasured HTTP proof results:\n- Payload: `(\"a.\" * 15000) + \"a\"` (`30001` bytes)\n- Normal baseline `/preview` mean: `0.001425` seconds\n- Same 30 KB payload with `parse_email=False`: `0.048349` seconds\n- Attack payload with `parse_email=True`: `8.719818` seconds\n- Slowdown versus the larger baseline/control mean: `180.35x`\n- Requests sent by proof: `20`\n\nEvidence files:\n[poc.py](https://github.com/user-attachments/files/27129729/poc.py)\n[poc_results.json](https://github.com/user-attachments/files/27129737/poc_results.json)\n[exploit_proof.py](https://github.com/user-attachments/files/27129751/exploit_proof.py)\n[exploit_results.json](https://github.com/user-attachments/files/27129752/exploit_results.json)\n\n## Scope and Limitations\n- This report does not claim XSS, authentication bypass, data disclosure, remote code execution, persistent crash, or persistent service outage.\n- `parse_email=True` is not the default. The affected path is a documented opt-in feature.\n- The exact first affected version is not established.\n- Practical impact depends on host application input limits, worker model, request timeout policy, and whether untrusted users can submit text to an email-linkification path.\n- A reviewer reproduced the direct CPU cost but did not reproduce the proof harness\u2019s `/health` delay. The direct impact claim is therefore limited to per-request CPU exhaustion.\n- Bleach is marked deprecated in `README.rst`, and `SECURITY.md` has stale supported-version text, but the package still has a 2025 PyPI release and published Mozilla security reporting routes.",
"id": "GHSA-g75f-g53v-794x",
"modified": "2026-06-16T14:07:30Z",
"published": "2026-06-16T14:07:30Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/mozilla/bleach/security/advisories/GHSA-g75f-g53v-794x"
},
{
"type": "PACKAGE",
"url": "https://github.com/mozilla/bleach"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "Bleach linkify(parse_email=True) CPU exhaustion via unbounded email regex scanning"
}
GHSA-GPVJ-GP8C-C7P2
Vulnerability from github – Published: 2023-02-12 15:30 – Updated: 2026-02-03 17:53A vulnerability has been found in simple-markdown 0.5.1 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file simple-markdown.js. The manipulation leads to inefficient regular expression complexity. The attack can be launched remotely. Upgrading to version 0.5.2 is able to address this issue. The name of the patch is 89797fef9abb4cab2fb76a335968266a92588816. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-220639.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "simple-markdown"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.5.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2019-25103"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2023-02-14T01:02:08Z",
"nvd_published_at": "2023-02-12T15:15:00Z",
"severity": "HIGH"
},
"details": "A vulnerability has been found in simple-markdown 0.5.1 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file simple-markdown.js. The manipulation leads to inefficient regular expression complexity. The attack can be launched remotely. Upgrading to version 0.5.2 is able to address this issue. The name of the patch is 89797fef9abb4cab2fb76a335968266a92588816. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-220639.",
"id": "GHSA-gpvj-gp8c-c7p2",
"modified": "2026-02-03T17:53:00Z",
"published": "2023-02-12T15:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25103"
},
{
"type": "WEB",
"url": "https://github.com/Khan/simple-markdown/issues/71"
},
{
"type": "WEB",
"url": "https://github.com/ariabuckles/simple-markdown/commit/89797fef9abb4cab2fb76a335968266a92588816"
},
{
"type": "PACKAGE",
"url": "https://github.com/ariabuckles/simple-markdown"
},
{
"type": "WEB",
"url": "https://github.com/ariabuckles/simple-markdown/releases/tag/0.5.2"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JS-SIMPLEMARKDOWN-460540"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.220639"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.220639"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Regular Expression Denial of Service in simple-markdown"
}
GHSA-GQV6-F424-3G7H
Vulnerability from github – Published: 2024-02-16 09:30 – Updated: 2024-08-23 00:31An issue in alanclarke URLite v.3.1.0 allows an attacker to cause a denial of service (DoS) via a crafted payload to the parsing function.
{
"affected": [],
"aliases": [
"CVE-2023-51931"
],
"database_specific": {
"cwe_ids": [
"CWE-1333",
"CWE-20"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-16T09:15:08Z",
"severity": "HIGH"
},
"details": "An issue in alanclarke URLite v.3.1.0 allows an attacker to cause a denial of service (DoS) via a crafted payload to the parsing function.",
"id": "GHSA-gqv6-f424-3g7h",
"modified": "2024-08-23T00:31:37Z",
"published": "2024-02-16T09:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51931"
},
{
"type": "WEB",
"url": "https://github.com/alanclarke/urlite/issues/61"
},
{
"type": "WEB",
"url": "https://gist.github.com/6en6ar/c792d8337b63f095cbda907e834cb4ba"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-GWRP-82JW-P87Q
Vulnerability from github – Published: 2024-04-30 15:30 – Updated: 2024-07-03 18:37An issue in OpenStack Storlets yoga-eom allows a remote attacker to execute arbitrary code via the gateway.py component.
{
"affected": [],
"aliases": [
"CVE-2024-28716"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-30T15:15:52Z",
"severity": "HIGH"
},
"details": "An issue in OpenStack Storlets yoga-eom allows a remote attacker to execute arbitrary code via the gateway.py component.",
"id": "GHSA-gwrp-82jw-p87q",
"modified": "2024-07-03T18:37:40Z",
"published": "2024-04-30T15:30:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28716"
},
{
"type": "WEB",
"url": "https://bugs.launchpad.net/solum/+bug/2047505"
},
{
"type": "WEB",
"url": "https://drive.google.com/file/d/11x-6CjWCyap8_W1JpVzun56HQkPNLtWT/view?usp=drive_link"
},
{
"type": "WEB",
"url": "https://gist.github.com/Fewword/f098d8d6375ac25e27b18c0e57be532f"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-H27X-RFFW-24P4
Vulnerability from github – Published: 2026-04-08 00:05 – Updated: 2026-05-13 16:20Impact
Within the URI template implementation in Addressable, two classes of URI template generate regular expressions vulnerable to catastrophic backtracking:
- Templates using the
*(explode) modifier with any expansion operator (e.g.,{foo*},{+var*},{#var*},{/var*},{.var*},{;var*},{?var*},{&var*}) generate patterns with nested unbounded quantifiers that are O(2^n) when matched against a maliciously crafted URI. - Templates using multiple variables with the
+or#operators (e.g.,{+v1,v2,v3}) generate patterns with O(n^k) complexity due to the comma separator being within the matched character class, causing ambiguous backtracking across k variables.
When matched against a maliciously crafted URI, this can result in catastrophic backtracking and uncontrolled resource consumption, leading to denial of service. The first pattern was partially addressed in 2.8.10 for certain operator combinations. Both patterns are fully remediated in 2.9.0.
Users of the URI parsing capabilities in Addressable but not the URI template matching capabilities are unaffected.
Affected Versions
This vulnerability affects Addressable >= 2.3.0 (note: 2.3.0 and 2.3.1 were yanked; the earliest installable release is 2.3.2). It was partially fixed in version 2.8.10 and fully remediated in 2.9.0.
The vulnerability is more exploitable on MRI Ruby < 3.2 and on all versions of JRuby and TruffleRuby. MRI Ruby 3.2 and later ship with Onigmo 6.9, which introduces memoization that prevents catastrophic backtracking for the first class of template. JRuby and TruffleRuby do not implement equivalent memoization and remain vulnerable to all patterns.
This has been confirmed on the following runtimes:
| Runtime | Status |
|---|---|
| MRI Ruby 2.6 | Vulnerable |
| MRI Ruby 2.7 | Vulnerable |
| MRI Ruby 3.0 | Vulnerable |
| MRI Ruby 3.1 | Vulnerable |
| MRI Ruby 3.2 | Partially vulnerable |
| MRI Ruby 3.3 | Partially vulnerable |
| MRI Ruby 3.4 | Partially vulnerable |
| MRI Ruby 4.0 | Partially vulnerable |
| JRuby 10.0 | Vulnerable |
| TruffleRuby 21.2 | Vulnerable |
Workarounds
-
Upgrade to MRI Ruby 3.2 or later, if your application does not use JRuby or TruffleRuby. The Onigmo memoization introduced in MRI Ruby 3.2 prevents catastrophic backtracking from nested unbounded quantifiers (pattern 1 above — templates using the
*modifier). It does not reliably mitigate the O(n^k) multi-variable case (pattern 2), so upgrading Ruby alone may not be sufficient if your templates use{+v1,v2,...}or{#v1,v2,...}syntax. -
Avoid using vulnerable template patterns when matching user-supplied input on unpatched versions of the library:
- Templates using the
*(explode) modifier:{foo*},{+var*},{#var*},{.var*},{/var*},{;var*},{?var*},{&var*} -
Templates using multiple variables with the
+or#operators:{+v1,v2},{#v1,v2,v3}, etc. -
Apply a short timeout around any call to
Template#matchorTemplate#extractthat processes user-supplied data.
References
- https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS
- https://cwe.mitre.org/data/definitions/1333.html
- https://www.regular-expressions.info/catastrophic.html
Credits
Discovered in collaboration with @jamfish.
For more information
If you have any questions or comments about this advisory: * Open an issue
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "addressable"
},
"ranges": [
{
"events": [
{
"introduced": "2.3.0"
},
{
"fixed": "2.9.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-35611"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-08T00:05:27Z",
"nvd_published_at": "2026-04-07T17:16:35Z",
"severity": "HIGH"
},
"details": "### Impact\n\nWithin the URI template implementation in Addressable, two classes of URI template generate regular expressions vulnerable to catastrophic backtracking:\n\n1. Templates using the `*` (explode) modifier with any expansion operator (e.g., `{foo*}`, `{+var*}`, `{#var*}`, `{/var*}`, `{.var*}`, `{;var*}`, `{?var*}`, `{\u0026var*}`) generate patterns with nested unbounded quantifiers that are O(2^n) when matched against a maliciously crafted URI.\n2. Templates using multiple variables with the `+` or `#` operators (e.g., `{+v1,v2,v3}`) generate patterns with O(n^k) complexity due to the comma separator being within the matched character class, causing ambiguous backtracking across k variables.\n\nWhen matched against a maliciously crafted URI, this can result in catastrophic backtracking and uncontrolled resource consumption, leading to denial of service. The first pattern was partially addressed in 2.8.10 for certain operator combinations. Both patterns are fully remediated in 2.9.0.\n\nUsers of the URI parsing capabilities in Addressable but not the URI template matching capabilities are unaffected.\n\n### Affected Versions\n\nThis vulnerability affects Addressable \u003e= 2.3.0 (note: 2.3.0 and 2.3.1 were yanked; the earliest installable release is 2.3.2). It was partially fixed in version 2.8.10 and fully remediated in 2.9.0.\n\nThe vulnerability is more exploitable on MRI Ruby \u003c 3.2 and on all versions of JRuby and TruffleRuby. MRI Ruby 3.2 and later ship with Onigmo 6.9, which introduces memoization that prevents catastrophic backtracking for the first class of template. JRuby and TruffleRuby do not implement equivalent memoization and remain vulnerable to all patterns.\n\nThis has been confirmed on the following runtimes:\n\n| Runtime | Status |\n|---------|--------|\n| MRI Ruby 2.6 | Vulnerable |\n| MRI Ruby 2.7 | Vulnerable |\n| MRI Ruby 3.0 | Vulnerable |\n| MRI Ruby 3.1 | Vulnerable |\n| MRI Ruby 3.2 | Partially vulnerable |\n| MRI Ruby 3.3 | Partially vulnerable |\n| MRI Ruby 3.4 | Partially vulnerable |\n| MRI Ruby 4.0 | Partially vulnerable |\n| JRuby 10.0 | Vulnerable |\n| TruffleRuby 21.2 | Vulnerable |\n\n### Workarounds\n\n- **Upgrade to MRI Ruby 3.2 or later**, if your application does not use JRuby or TruffleRuby. The Onigmo memoization introduced in MRI Ruby 3.2 prevents catastrophic backtracking from nested unbounded quantifiers (pattern 1 above \u2014 templates using the `*` modifier). It does not reliably mitigate the O(n^k) multi-variable case (pattern 2), so upgrading Ruby alone may not be sufficient if your templates use `{+v1,v2,...}` or `{#v1,v2,...}` syntax.\n\n- **Avoid using vulnerable template patterns** when matching user-supplied input on unpatched versions of the library:\n - Templates using the `*` (explode) modifier: `{foo*}`, `{+var*}`, `{#var*}`, `{.var*}`, `{/var*}`, `{;var*}`, `{?var*}`, `{\u0026var*}`\n - Templates using multiple variables with the `+` or `#` operators: `{+v1,v2}`, `{#v1,v2,v3}`, etc.\n\n- **Apply a short timeout** around any call to `Template#match` or `Template#extract` that processes user-supplied data.\n\n### References\n\n- https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS\n- https://cwe.mitre.org/data/definitions/1333.html\n- https://www.regular-expressions.info/catastrophic.html\n\n### Credits\n\nDiscovered in collaboration with @jamfish.\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n* [Open an issue](https://github.com/sporkmonger/addressable/issues)",
"id": "GHSA-h27x-rffw-24p4",
"modified": "2026-05-13T16:20:52Z",
"published": "2026-04-08T00:05:27Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/sporkmonger/addressable/security/advisories/GHSA-h27x-rffw-24p4"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35611"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/addressable/CVE-2026-35611.yml"
},
{
"type": "PACKAGE",
"url": "https://github.com/sporkmonger/addressable"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Addressable has a Regular Expression Denial of Service in Addressable templates"
}
GHSA-H2GH-PW44-5QF5
Vulnerability from github – Published: 2023-08-25 03:30 – Updated: 2024-04-04 07:12Regular expression Denial-of-Service (ReDoS) exists in multiple add-ons for Mailform Pro CGI 4.3.1.3 and earlier, which allows a remote unauthenticated attacker to cause a denial-of-service condition. Affected add-ons are as follows: call/call.js, prefcodeadv/search.cgi, estimate/estimate.js, search/search.js, suggest/suggest.js, and coupon/coupon.js.
{
"affected": [],
"aliases": [
"CVE-2023-40599"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-08-25T03:15:08Z",
"severity": "HIGH"
},
"details": "Regular expression Denial-of-Service (ReDoS) exists in multiple add-ons for Mailform Pro CGI 4.3.1.3 and earlier, which allows a remote unauthenticated attacker to cause a denial-of-service condition. Affected add-ons are as follows: call/call.js, prefcodeadv/search.cgi, estimate/estimate.js, search/search.js, suggest/suggest.js, and coupon/coupon.js.",
"id": "GHSA-h2gh-pw44-5qf5",
"modified": "2024-04-04T07:12:02Z",
"published": "2023-08-25T03:30:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40599"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/jp/JVN86484824"
},
{
"type": "WEB",
"url": "https://www.synck.com/blogs/news/newsroom/detail_1691668841.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-H452-7996-H45H
Vulnerability from github – Published: 2023-01-18 06:31 – Updated: 2025-02-13 18:36Versions of the package cookiejar before 2.1.4 are vulnerable to Regular Expression Denial of Service (ReDoS) via the Cookie.parse function and other aspects of the API, which use an insecure regular expression for parsing cookie values. Applications could be stalled for extended periods of time if untrusted input is passed to cookie values or attempted to parse from request headers.
Proof of concept:
ts\nconst { CookieJar } = require("cookiejar");
const jar = new CookieJar();
const start = performance.now();
const attack = "a" + "t".repeat(50_000);
jar.setCookie(attack);
console.log(`CookieJar.setCookie(): ${performance.now() - start}ms`);
CookieJar.setCookie(): 2963.214399999939ms
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "cookiejar"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.1.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.webjars.npm:cookiejar"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "2.1.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-25901"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2023-01-23T16:59:52Z",
"nvd_published_at": "2023-01-18T05:15:00Z",
"severity": "MODERATE"
},
"details": "Versions of the package cookiejar before 2.1.4 are vulnerable to Regular Expression Denial of Service (ReDoS) via the `Cookie.parse` function and other aspects of the API, which use an insecure regular expression for parsing cookie values. Applications could be stalled for extended periods of time if untrusted input is passed to cookie values or attempted to parse from request headers.\n\nProof of concept:\n\n```\nts\\nconst { CookieJar } = require(\"cookiejar\");\n\nconst jar = new CookieJar();\n\nconst start = performance.now();\n\nconst attack = \"a\" + \"t\".repeat(50_000);\njar.setCookie(attack);\n\nconsole.log(`CookieJar.setCookie(): ${performance.now() - start}ms`);\n\n```\n\n```\nCookieJar.setCookie(): 2963.214399999939ms\n```",
"id": "GHSA-h452-7996-h45h",
"modified": "2025-02-13T18:36:34Z",
"published": "2023-01-18T06:31:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25901"
},
{
"type": "WEB",
"url": "https://github.com/bmeck/node-cookiejar/pull/39"
},
{
"type": "WEB",
"url": "https://github.com/bmeck/node-cookiejar/pull/39/commits/eaa00021caf6ae09449dde826108153b578348e5"
},
{
"type": "PACKAGE",
"url": "https://github.com/bmeck/node-cookiejar"
},
{
"type": "WEB",
"url": "https://github.com/bmeck/node-cookiejar/blob/master/cookiejar.js#23L73"
},
{
"type": "WEB",
"url": "https://github.com/bmeck/node-cookiejar/blob/master/cookiejar.js%23L73"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00008.html"
},
{
"type": "WEB",
"url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3176681"
},
{
"type": "WEB",
"url": "https://security.snyk.io/vuln/SNYK-JS-COOKIEJAR-3149984"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "cookiejar Regular Expression Denial of Service via Cookie.parse function"
}
GHSA-H453-7RRX-Q6J5
Vulnerability from github – Published: 2024-05-14 15:32 – Updated: 2024-05-14 15:32An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.11 prior to 16.11.2. A problem with the processing logic for Google Chat Messages integration may lead to a regular expression DoS attack on the server.
{
"affected": [],
"aliases": [
"CVE-2023-6688"
],
"database_specific": {
"cwe_ids": [
"CWE-1333",
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-14T14:35:33Z",
"severity": "MODERATE"
},
"details": "An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.11 prior to 16.11.2. A problem with the processing logic for Google Chat Messages integration may lead to a regular expression DoS attack on the server.",
"id": "GHSA-h453-7rrx-q6j5",
"modified": "2024-05-14T15:32:51Z",
"published": "2024-05-14T15:32:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6688"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/2270362"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/434854"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-H47H-MWP9-C6Q6
Vulnerability from github – Published: 2024-10-15 23:35 – Updated: 2025-01-07 21:47There is a possible ReDoS vulnerability in the block_format helper in Action Mailer. This vulnerability has been assigned the CVE identifier CVE-2024-47889.
Impact
Carefully crafted text can cause the block_format helper to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade or apply the relevant patch immediately.
Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 requires Ruby 3.2 or greater so is unaffected.
Releases
The fixed releases are available at the normal locations.
Workarounds
Users can avoid calling the block_format helper or upgrade to Ruby 3.2
Credits
Thanks to yuki_osaki for the report!
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "actionmailer"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0"
},
{
"fixed": "6.1.7.9"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "actionmailer"
},
"ranges": [
{
"events": [
{
"introduced": "7.0.0"
},
{
"fixed": "7.0.8.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "actionmailer"
},
"ranges": [
{
"events": [
{
"introduced": "7.1.0"
},
{
"fixed": "7.1.4.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "actionmailer"
},
"ranges": [
{
"events": [
{
"introduced": "7.2.0"
},
{
"fixed": "7.2.1.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-47889"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2024-10-15T23:35:38Z",
"nvd_published_at": "2024-10-16T21:15:13Z",
"severity": "MODERATE"
},
"details": "There is a possible ReDoS vulnerability in the block_format helper in Action Mailer. This vulnerability has been assigned the CVE identifier CVE-2024-47889.\n\nImpact\n------\n\nCarefully crafted text can cause the block_format helper to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade or apply the relevant patch immediately.\n\nRuby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 requires Ruby 3.2 or greater so is unaffected.\n\n\nReleases\n--------\nThe fixed releases are available at the normal locations.\n\nWorkarounds\n-----------\nUsers can avoid calling the `block_format` helper or upgrade to Ruby 3.2\n\nCredits\n-------\n\nThanks to yuki_osaki for the report!",
"id": "GHSA-h47h-mwp9-c6q6",
"modified": "2025-01-07T21:47:36Z",
"published": "2024-10-15T23:35:38Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/rails/rails/security/advisories/GHSA-h47h-mwp9-c6q6"
},
{
"type": "PACKAGE",
"url": "https://github.com/rails/rails"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionmailer/CVE-2024-47889.yml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U",
"type": "CVSS_V4"
}
],
"summary": "Possible ReDoS vulnerability in block_format in Action Mailer"
}
Mitigation
Use regular expressions that do not support backtracking, e.g. by removing nested quantifiers.
Mitigation
Set backtracking limits in the configuration of the regular expression implementation, such as PHP's pcre.backtrack_limit. Also consider limits on execution time for the process.
Mitigation
Do not use regular expressions with untrusted input. If regular expressions must be used, avoid using backtracking in the expression.
Mitigation
Limit the length of the input that the regular expression will process.
CAPEC-492: Regular Expression Exponential Blowup
An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions.