CWE-1333
AllowedInefficient Regular Expression Complexity
Abstraction: Base · Status: Draft
The product uses a regular expression with a worst-case computational complexity that is inefficient and possibly exponential.
732 vulnerabilities reference this CWE, most recent first.
GHSA-JC97-H3H9-7XH6
Vulnerability from github – Published: 2023-04-03 17:18 – Updated: 2023-04-03 17:18Impact
Versions of the package deno before 1.31.0 are vulnerable to Regular Expression Denial of Service (ReDoS) due to the upgradeWebSocket function, which contains regexes in the form of /s,s/, used for splitting the Connection/Upgrade header. A specially crafted Connection/Upgrade header can be used to significantly slow down a web socket server.
Patches
It is recommended that users upgrade to Deno 1.31.0.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "deno"
},
"ranges": [
{
"events": [
{
"introduced": "1.12.0"
},
{
"fixed": "1.31.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-26103"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2023-04-03T17:18:51Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Impact\nVersions of the package deno before 1.31.0 are vulnerable to Regular Expression Denial of Service (ReDoS) due to the upgradeWebSocket function, which contains regexes in the form of /s*,s*/, used for splitting the Connection/Upgrade header. A specially crafted Connection/Upgrade header can be used to significantly slow down a web socket server. \n\n### Patches\nIt is recommended that users upgrade to Deno 1.31.0.\n\n",
"id": "GHSA-jc97-h3h9-7xh6",
"modified": "2023-04-03T17:18:51Z",
"published": "2023-04-03T17:18:51Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/denoland/deno/security/advisories/GHSA-jc97-h3h9-7xh6"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26103"
},
{
"type": "WEB",
"url": "https://github.com/denoland/deno/pull/17722"
},
{
"type": "WEB",
"url": "https://github.com/denoland/deno/commit/cf06a7c7e672880e1b38598fe445e2c50b4a9d06"
},
{
"type": "PACKAGE",
"url": "https://github.com/denoland/deno"
},
{
"type": "WEB",
"url": "https://github.com/denoland/deno/blob/2b247be517d789a37e532849e2e40b724af0918f/ext/http/01_http.js#L395-L409"
},
{
"type": "WEB",
"url": "https://github.com/denoland/deno/releases/tag/v1.31.0"
},
{
"type": "WEB",
"url": "https://security.snyk.io/vuln/SNYK-RUST-DENO-3315970"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "Regular Expression Denial of Service in Deno.upgradeWebSocket API"
}
GHSA-JCPV-G9RR-QXRC
Vulnerability from github – Published: 2018-07-31 22:52 – Updated: 2021-09-14 19:39Versions of hawk prior to 3.1.3, or 4.x prior to 4.1.1 are affected by a regular expression denial of service vulnerability related to excessively long headers and URI's.
Recommendation
Update to hawk version 4.1.1 or later.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "hawk"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0"
},
{
"fixed": "4.1.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "hawk"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.1.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2016-2515"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2020-06-16T21:43:06Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "Versions of `hawk` prior to 3.1.3, or 4.x prior to 4.1.1 are affected by a regular expression denial of service vulnerability related to excessively long headers and URI\u0027s.\n\n\n\n## Recommendation\n\nUpdate to hawk version 4.1.1 or later.",
"id": "GHSA-jcpv-g9rr-qxrc",
"modified": "2021-09-14T19:39:20Z",
"published": "2018-07-31T22:52:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-2515"
},
{
"type": "WEB",
"url": "https://github.com/hueniverse/hawk/issues/168"
},
{
"type": "WEB",
"url": "https://github.com/hueniverse/hawk/commit/0833f99ba64558525995a7e21d4093da1f3e15fa"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1309721"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-jcpv-g9rr-qxrc"
},
{
"type": "PACKAGE",
"url": "https://github.com/hueniverse/hawk"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/advisories/77"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2016/02/20/1"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2016/02/20/2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Regular Expression Denial of Service in hawk"
}
GHSA-JFM2-HQ55-PXGQ
Vulnerability from github – Published: 2025-03-20 12:32 – Updated: 2025-03-20 12:32Lunary-ai/lunary version git 105a3f6 is vulnerable to a Regular Expression Denial of Service (ReDoS) attack. The application allows users to upload their own regular expressions, which are then executed on the server side. Certain regular expressions can have exponential runtime complexity relative to the input size, leading to potential denial of service. An attacker can exploit this by submitting a specially crafted regular expression, causing the server to become unresponsive for an arbitrary length of time.
{
"affected": [],
"aliases": [
"CVE-2024-8789"
],
"database_specific": {
"cwe_ids": [
"CWE-1333",
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-20T10:15:44Z",
"severity": "HIGH"
},
"details": "Lunary-ai/lunary version git 105a3f6 is vulnerable to a Regular Expression Denial of Service (ReDoS) attack. The application allows users to upload their own regular expressions, which are then executed on the server side. Certain regular expressions can have exponential runtime complexity relative to the input size, leading to potential denial of service. An attacker can exploit this by submitting a specially crafted regular expression, causing the server to become unresponsive for an arbitrary length of time.",
"id": "GHSA-jfm2-hq55-pxgq",
"modified": "2025-03-20T12:32:49Z",
"published": "2025-03-20T12:32:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8789"
},
{
"type": "WEB",
"url": "https://github.com/lunary-ai/lunary/commit/7ff89b0304d191534b924cf063f3648206d497fa"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/e32f5f0d-bd46-4268-b6b1-619e07c6fda3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JG4P-7FHP-P32P
Vulnerability from github – Published: 2026-04-04 04:23 – Updated: 2026-04-24 13:43All versions of @hapi/content through 6.0.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via crafted HTTP header values. Three regular expressions used to parse Content-Type and Content-Disposition headers contain patterns susceptible to catastrophic backtracking. This has been fixed in v6.0.1.
Impact
Denial of Service. An unauthenticated remote attacker can cause a Node.js process to become unresponsive by sending a single HTTP request with a maliciously crafted header value.
Patches
Fixed by tightening all three regular expressions to eliminate backtracking.
Workarounds
There are no known workarounds. Upgrade to the patched version.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 6.0.0"
},
"package": {
"ecosystem": "npm",
"name": "@hapi/content"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.0.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-35213"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-04T04:23:03Z",
"nvd_published_at": "2026-04-06T21:16:20Z",
"severity": "HIGH"
},
"details": "All versions of `@hapi/content` through 6.0.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via crafted HTTP header values. Three regular expressions used to parse `Content-Type` and `Content-Disposition` headers contain patterns susceptible to catastrophic backtracking. This has been fixed in v6.0.1.\n\n### Impact\n\nDenial of Service. An unauthenticated remote attacker can cause a Node.js process to become unresponsive by sending a single HTTP request with a maliciously crafted header value.\n\n### Patches\n\nFixed by tightening all three regular expressions to eliminate backtracking.\n\n### Workarounds\n\nThere are no known workarounds. Upgrade to the patched version.",
"id": "GHSA-jg4p-7fhp-p32p",
"modified": "2026-04-24T13:43:15Z",
"published": "2026-04-04T04:23:03Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/hapijs/content/security/advisories/GHSA-jg4p-7fhp-p32p"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35213"
},
{
"type": "WEB",
"url": "https://github.com/hapijs/content/pull/38"
},
{
"type": "PACKAGE",
"url": "https://github.com/hapijs/content"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "@hapi/content: Regular Expression Denial of Service (ReDoS) in HTTP header parsing"
}
GHSA-JH3W-4VVF-MJGR
Vulnerability from github – Published: 2023-07-03 15:30 – Updated: 2025-11-04 19:38In Django 3.2 before 3.2.20, 4 before 4.1.10, and 4.2 before 4.2.3, EmailValidator and URLValidator are subject to a potential ReDoS (regular expression denial of service) attack via a very large number of domain name labels of emails and URLs.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "Django"
},
"ranges": [
{
"events": [
{
"introduced": "3.2a1"
},
{
"fixed": "3.2.20"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "Django"
},
"ranges": [
{
"events": [
{
"introduced": "4.0a1"
},
{
"fixed": "4.1.10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "Django"
},
"ranges": [
{
"events": [
{
"introduced": "4.2a1"
},
{
"fixed": "4.2.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-36053"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2023-07-05T22:45:55Z",
"nvd_published_at": "2023-07-03T13:15:09Z",
"severity": "HIGH"
},
"details": "In Django 3.2 before 3.2.20, 4 before 4.1.10, and 4.2 before 4.2.3, `EmailValidator` and `URLValidator` are subject to a potential ReDoS (regular expression denial of service) attack via a very large number of domain name labels of emails and URLs.",
"id": "GHSA-jh3w-4vvf-mjgr",
"modified": "2025-11-04T19:38:50Z",
"published": "2023-07-03T15:30:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36053"
},
{
"type": "WEB",
"url": "https://github.com/django/django/commit/454f2fb93437f98917283336201b4048293f7582"
},
{
"type": "WEB",
"url": "https://github.com/django/django/commit/ad0410ec4f458aa39803e5f6b9a3736527062dcd"
},
{
"type": "WEB",
"url": "https://github.com/django/django/commit/b7c5feb35a31799de6e582ad6a5a91a9de74e0f9"
},
{
"type": "WEB",
"url": "https://github.com/django/django/commit/beb3f3d55940d9aa7198bf9d424ab74e873aec3d"
},
{
"type": "WEB",
"url": "https://www.djangoproject.com/weblog/2023/jul/03/security-releases"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2023/dsa-5465"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZQJOMNRMVPCN5WMIZ7YSX5LQ7IR2NY4D"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XG5DYKPNDCEHJQ3TKPJQO7QGSR4FAYMS"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NRDGTUN4LTI6HG4TWR3JYLSFVXPZT42A"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQJOMNRMVPCN5WMIZ7YSX5LQ7IR2NY4D"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XG5DYKPNDCEHJQ3TKPJQO7QGSR4FAYMS"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NRDGTUN4LTI6HG4TWR3JYLSFVXPZT42A"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2023/07/msg00022.html"
},
{
"type": "WEB",
"url": "https://groups.google.com/forum/#%21forum/django-announce"
},
{
"type": "WEB",
"url": "https://groups.google.com/forum/#!forum/django-announce"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2023-100.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/django/django"
},
{
"type": "WEB",
"url": "https://docs.djangoproject.com/en/4.2/releases/security"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Django has regular expression denial of service vulnerability in EmailValidator/URLValidator"
}
GHSA-JJ5C-HHRG-VV5H
Vulnerability from github – Published: 2024-10-08 18:33 – Updated: 2024-10-09 17:01An issue in the getcolor function in utils.py of xhtml2pdf v0.2.13 allows attackers to cause a Regular expression Denial of Service (ReDOS) via supplying a crafted string.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "xhtml2pdf"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.2.16"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-25885"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2024-10-09T17:01:36Z",
"nvd_published_at": "2024-10-08T18:15:05Z",
"severity": "MODERATE"
},
"details": "An issue in the getcolor function in utils.py of xhtml2pdf v0.2.13 allows attackers to cause a Regular expression Denial of Service (ReDOS) via supplying a crafted string.",
"id": "GHSA-jj5c-hhrg-vv5h",
"modified": "2024-10-09T17:01:36Z",
"published": "2024-10-08T18:33:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25885"
},
{
"type": "WEB",
"url": "https://gist.github.com/salvatore-abello/c88dd0027496774023ef36c7b576d206"
},
{
"type": "PACKAGE",
"url": "https://github.com/xhtml2pdf/xhtml2pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "xhtml2pdf Denial of Service via crafted string"
}
GHSA-JJG7-2V4V-X38H
Vulnerability from github – Published: 2024-04-11 21:32 – Updated: 2025-11-05 20:10Impact
A specially crafted argument to the idna.encode() function could consume significant resources. This may lead to a denial-of-service.
Patches
The function has been refined to reject such strings without the associated resource consumption in version 3.7.
Workarounds
Domain names cannot exceed 253 characters in length, if this length limit is enforced prior to passing the domain to the idna.encode() function it should no longer consume significant resources. This is triggered by arbitrarily large inputs that would not occur in normal usage, but may be passed to the library assuming there is no preliminary input validation by the higher-level application.
References
- https://huntr.com/bounties/93d78d07-d791-4b39-a845-cbfabc44aadb
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "idna"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-3651"
],
"database_specific": {
"cwe_ids": [
"CWE-1333",
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2024-04-11T21:32:40Z",
"nvd_published_at": "2024-07-07T18:15:09Z",
"severity": "MODERATE"
},
"details": "### Impact\nA specially crafted argument to the `idna.encode()` function could consume significant resources. This may lead to a denial-of-service.\n\n### Patches\nThe function has been refined to reject such strings without the associated resource consumption in version 3.7.\n\n### Workarounds\nDomain names cannot exceed 253 characters in length, if this length limit is enforced prior to passing the domain to the `idna.encode()` function it should no longer consume significant resources. This is triggered by arbitrarily large inputs that would not occur in normal usage, but may be passed to the library assuming there is no preliminary input validation by the higher-level application.\n\n### References\n* https://huntr.com/bounties/93d78d07-d791-4b39-a845-cbfabc44aadb",
"id": "GHSA-jjg7-2v4v-x38h",
"modified": "2025-11-05T20:10:47Z",
"published": "2024-04-11T21:32:40Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/kjd/idna/security/advisories/GHSA-jjg7-2v4v-x38h"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3651"
},
{
"type": "WEB",
"url": "https://github.com/kjd/idna/commit/1d365e17e10d72d0b7876316fc7b9ca0eebdd38d"
},
{
"type": "PACKAGE",
"url": "https://github.com/kjd/idna"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/idna/PYSEC-2024-60.yaml"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/93d78d07-d791-4b39-a845-cbfabc44aadb"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/05/msg00006.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4YQUPYH3SVZ5GFF2CDQ55FCM575AZTF2"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F2S5E23N6E52S46KGNYTDFB75LOC4N4D"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S5IDLLD2IKSIVRBSLB34WTSYGLMWUFWF"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ULSC7HBJKXB3BZV367WM5BR6DFEC4Z43"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Internationalized Domain Names in Applications (IDNA) vulnerable to denial of service from specially crafted inputs to idna.encode"
}
GHSA-JJHX-JHVP-74WQ
Vulnerability from github – Published: 2024-02-27 21:41 – Updated: 2024-03-01 23:30Possible ReDoS vulnerability in Accept header parsing in Action Dispatch
There is a possible ReDoS vulnerability in the Accept header parsing routines of Action Dispatch. This vulnerability has been assigned the CVE identifier CVE-2024-26142.
Versions Affected: >= 7.1.0, < 7.1.3.1 Not affected: < 7.1.0 Fixed Versions: 7.1.3.1
Impact
Carefully crafted Accept headers can cause Accept header parsing in Action Dispatch to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade or use one of the workarounds immediately.
Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected.
Releases
The fixed releases are available at the normal locations.
Workarounds
There are no feasible workarounds for this issue.
Patches
To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.
- 7-1-accept-redox.patch - Patch for 7.1 series
Credits
Thanks svalkanov for the report and patch!
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "actionpack"
},
"ranges": [
{
"events": [
{
"introduced": "7.1.0"
},
{
"fixed": "7.1.3.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-26142"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2024-02-27T21:41:09Z",
"nvd_published_at": "2024-02-27T16:15:46Z",
"severity": "LOW"
},
"details": "# Possible ReDoS vulnerability in Accept header parsing in Action Dispatch\n\nThere is a possible ReDoS vulnerability in the Accept header parsing routines\nof Action Dispatch. This vulnerability has been assigned the CVE identifier\nCVE-2024-26142.\n\nVersions Affected: \u003e= 7.1.0, \u003c 7.1.3.1\nNot affected: \u003c 7.1.0\nFixed Versions: 7.1.3.1\n\nImpact\n------\nCarefully crafted Accept headers can cause Accept header parsing in Action\nDispatch to take an unexpected amount of time, possibly resulting in a DoS\nvulnerability. All users running an affected release should either upgrade or\nuse one of the workarounds immediately.\n\nRuby 3.2 has mitigations for this problem, so Rails applications using Ruby\n3.2 or newer are unaffected.\n\nReleases\n--------\nThe fixed releases are available at the normal locations.\n\nWorkarounds\n-----------\nThere are no feasible workarounds for this issue.\n\nPatches\n-------\nTo aid users who aren\u0027t able to upgrade immediately we have provided patches for\nthe two supported release series. They are in git-am format and consist of a\nsingle changeset.\n\n* 7-1-accept-redox.patch - Patch for 7.1 series\n\nCredits\n-------\nThanks [svalkanov](https://hackerone.com/svalkanov) for the report and patch!",
"id": "GHSA-jjhx-jhvp-74wq",
"modified": "2024-03-01T23:30:38Z",
"published": "2024-02-27T21:41:09Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/rails/rails/security/advisories/GHSA-jjhx-jhvp-74wq"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26142"
},
{
"type": "WEB",
"url": "https://github.com/rails/rails/commit/b4d3bfb5ed8a5b5a90aad3a3b28860c7a931e272"
},
{
"type": "WEB",
"url": "https://discuss.rubyonrails.org/t/possible-redos-vulnerability-in-accept-header-parsing-in-action-dispatch/84946"
},
{
"type": "PACKAGE",
"url": "https://github.com/rails/rails"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-26142.yml"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Rails has possible ReDoS vulnerability in Accept header parsing in Action Dispatch"
}
GHSA-JJPH-296X-MRCR
Vulnerability from github – Published: 2025-07-07 12:30 – Updated: 2025-07-08 16:38A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically in the get_imports() function within dynamic_module_utils.py. This vulnerability affects versions 4.49.0 and is fixed in version 4.51.0. The issue arises from a regular expression pattern \s*try\s*:.*?except.*?: used to filter out try/except blocks from Python code, which can be exploited to cause excessive CPU consumption through crafted input strings due to catastrophic backtracking. This vulnerability can lead to remote code loading disruption, resource exhaustion in model serving, supply chain attack vectors, and development pipeline disruption.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "transformers"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.51.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-3264"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2025-07-08T16:38:04Z",
"nvd_published_at": "2025-07-07T10:15:27Z",
"severity": "MODERATE"
},
"details": "A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically in the `get_imports()` function within `dynamic_module_utils.py`. This vulnerability affects versions 4.49.0 and is fixed in version 4.51.0. The issue arises from a regular expression pattern `\\s*try\\s*:.*?except.*?:` used to filter out try/except blocks from Python code, which can be exploited to cause excessive CPU consumption through crafted input strings due to catastrophic backtracking. This vulnerability can lead to remote code loading disruption, resource exhaustion in model serving, supply chain attack vectors, and development pipeline disruption.",
"id": "GHSA-jjph-296x-mrcr",
"modified": "2025-07-08T16:38:04Z",
"published": "2025-07-07T12:30:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3264"
},
{
"type": "WEB",
"url": "https://github.com/huggingface/transformers/commit/0720e206c6ba28887e4d60ef60a6a089f6c1cc76"
},
{
"type": "WEB",
"url": "https://github.com/huggingface/transformers/commit/126abe3461762e5fc180e7e614391d1b4ab051ca"
},
{
"type": "PACKAGE",
"url": "https://github.com/huggingface/transformers"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/3c6f7822-9992-476d-8cf0-b0b1623427df"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "Transformers vulnerable to ReDoS attack through its get_imports() function"
}
GHSA-JM96-7WVJ-J3R9
Vulnerability from github – Published: 2026-07-08 21:30 – Updated: 2026-07-08 21:30A flaw was found in guardrails-detectors, a component of Red Hat OpenShift AI. This vulnerability, known as Regular Expression Denial of Service (ReDoS), allows a remote attacker to provide specially crafted regular expressions to the public detection API. This can cause catastrophic backtracking, leading to a worker process consuming 100% CPU indefinitely and resulting in a denial of service for the entire guardrails-mediated LLM pipeline.
{
"affected": [],
"aliases": [
"CVE-2026-15154"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-08T20:16:48Z",
"severity": "MODERATE"
},
"details": "A flaw was found in `guardrails-detectors`, a component of Red Hat OpenShift AI. This vulnerability, known as Regular Expression Denial of Service (ReDoS), allows a remote attacker to provide specially crafted regular expressions to the public detection API. This can cause catastrophic backtracking, leading to a worker process consuming 100% CPU indefinitely and resulting in a denial of service for the entire guardrails-mediated LLM pipeline.",
"id": "GHSA-jm96-7wvj-j3r9",
"modified": "2026-07-08T21:30:27Z",
"published": "2026-07-08T21:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-15154"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-15154"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2498188"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Use regular expressions that do not support backtracking, e.g. by removing nested quantifiers.
Mitigation
Set backtracking limits in the configuration of the regular expression implementation, such as PHP's pcre.backtrack_limit. Also consider limits on execution time for the process.
Mitigation
Do not use regular expressions with untrusted input. If regular expressions must be used, avoid using backtracking in the expression.
Mitigation
Limit the length of the input that the regular expression will process.
CAPEC-492: Regular Expression Exponential Blowup
An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions.