CWE-1333
AllowedInefficient Regular Expression Complexity
Abstraction: Base · Status: Draft
The product uses a regular expression with a worst-case computational complexity that is inefficient and possibly exponential.
731 vulnerabilities reference this CWE, most recent first.
GHSA-JQGV-3CH9-C9QV
Vulnerability from github – Published: 2025-03-20 12:32 – Updated: 2025-03-20 12:32A Regular Expression Denial of Service (ReDoS) vulnerability exists in the lunary-ai/lunary repository, specifically in the compileTextTemplate function. The affected version is git be54057. An attacker can exploit this vulnerability by manipulating the regular expression /{{(.*?)}}/g, causing the server to hang indefinitely and become unresponsive to any requests. This is due to the regular expression's susceptibility to second-degree polynomial time complexity, which can be triggered by a large number of braces in the input.
{
"affected": [],
"aliases": [
"CVE-2024-8763"
],
"database_specific": {
"cwe_ids": [
"CWE-1333",
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-20T10:15:43Z",
"severity": "HIGH"
},
"details": "A Regular Expression Denial of Service (ReDoS) vulnerability exists in the lunary-ai/lunary repository, specifically in the compileTextTemplate function. The affected version is git be54057. An attacker can exploit this vulnerability by manipulating the regular expression /{{(.*?)}}/g, causing the server to hang indefinitely and become unresponsive to any requests. This is due to the regular expression\u0027s susceptibility to second-degree polynomial time complexity, which can be triggered by a large number of braces in the input.",
"id": "GHSA-jqgv-3ch9-c9qv",
"modified": "2025-03-20T12:32:48Z",
"published": "2025-03-20T12:32:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8763"
},
{
"type": "WEB",
"url": "https://github.com/lunary-ai/lunary/commit/7ff89b0304d191534b924cf063f3648206d497fa"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/4fb63a6e-0056-4550-a34d-e161de1c13b8"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JR9P-R423-9M2R
Vulnerability from github – Published: 2021-06-02 21:44 – Updated: 2024-09-30 20:15markdown2 >=1.0.1.18, fixed in 2.4.0, is affected by a regular expression denial of service vulnerability. If an attacker provides a malicious string, it can make markdown2 processing difficult or delayed for an extended period of time.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "markdown2"
},
"ranges": [
{
"events": [
{
"introduced": "1.0.1.18"
},
{
"fixed": "2.4.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-26813"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2021-05-12T21:02:47Z",
"nvd_published_at": "2021-03-03T16:15:00Z",
"severity": "HIGH"
},
"details": "markdown2 \u003e=1.0.1.18, fixed in 2.4.0, is affected by a regular expression denial of service vulnerability. If an attacker provides a malicious string, it can make markdown2 processing difficult or delayed for an extended period of time.",
"id": "GHSA-jr9p-r423-9m2r",
"modified": "2024-09-30T20:15:06Z",
"published": "2021-06-02T21:44:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-26813"
},
{
"type": "WEB",
"url": "https://github.com/trentm/python-markdown2/pull/387"
},
{
"type": "WEB",
"url": "https://github.com/trentm/python-markdown2/commit/7b651260739647de5198323e0445b1618750c374"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-jr9p-r423-9m2r"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/markdown2/PYSEC-2021-20.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/trentm/python-markdown2"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BRP5RN35JZTSJ3JT4722F447ZDK7LZS5"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/J752422YELXLMLZJPVJVKD2KKHHQRVEH"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JTIX5UXRDJZJ57DO4V33ZNJTNKWGBQLY"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "markdown2 Regular Expression Denial of Service "
}
GHSA-JV4C-7JQQ-M34X
Vulnerability from github – Published: 2022-05-24 17:40 – Updated: 2024-04-22 23:14It was possible to execute a ReDoS-type attack inside CKEditor 4 before 4.16 by persuading a victim to paste crafted text into the Styles input of specific dialogs (in the Advanced Tab for Dialogs plugin).
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "ckeditor4-dev"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.16"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-26271"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2024-04-22T23:14:44Z",
"nvd_published_at": "2021-01-26T21:15:00Z",
"severity": "MODERATE"
},
"details": "It was possible to execute a ReDoS-type attack inside CKEditor 4 before 4.16 by persuading a victim to paste crafted text into the Styles input of specific dialogs (in the Advanced Tab for Dialogs plugin).",
"id": "GHSA-jv4c-7jqq-m34x",
"modified": "2024-04-22T23:14:44Z",
"published": "2022-05-24T17:40:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-26271"
},
{
"type": "PACKAGE",
"url": "https://github.com/ckeditor/ckeditor4"
},
{
"type": "WEB",
"url": "https://github.com/ckeditor/ckeditor4/blob/major/CHANGES.md#ckeditor-416"
},
{
"type": "WEB",
"url": "https://web.archive.org/web/20210128132707/https://ckeditor.com/blog/CKEditor-4.16-with-improved-image-pasting-High-Contrast-support-and-a-new-color-API/#security-comes-first"
},
{
"type": "WEB",
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "CKEditor 4 ReDoS Vulnerability"
}
GHSA-JVXX-V45P-V5VF
Vulnerability from github – Published: 2022-06-23 06:45 – Updated: 2022-06-29 20:37Impact
Passing some special values to the filter and filterout parameters can cause an abnormally high CPU. Impact on the performance of the servers and RSSHub services.
Patches
It is fixed in 5c4177441417b44a6e45c3c63e9eac2504abeb5b , please update to this or the later versions as soon as possible.
References
Full report: https://github.com/DIYgod/RSSHub/issues/10045
For more information
If you have any questions or comments about this advisory: * Open an issue in https://github.com/DIYgod/RSSHub/issues * Email us at i@diygod.me
Credits
@Rongronggg9
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "rsshub"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-31110"
],
"database_specific": {
"cwe_ids": [
"CWE-1333",
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2022-06-23T06:45:03Z",
"nvd_published_at": "2022-06-29T18:15:00Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nPassing some special values to the `filter` and `filterout` parameters can cause an abnormally high CPU. Impact on the performance of the servers and RSSHub services.\n\n### Patches\n\nIt is fixed in 5c4177441417b44a6e45c3c63e9eac2504abeb5b , please update to this or the later versions as soon as possible.\n\n### References\n\nFull report: https://github.com/DIYgod/RSSHub/issues/10045\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n* Open an issue in \u003chttps://github.com/DIYgod/RSSHub/issues\u003e\n* Email us at [i@diygod.me](mailto:i@diygod.me)\n\n### Credits\n\n@Rongronggg9 \n",
"id": "GHSA-jvxx-v45p-v5vf",
"modified": "2022-06-29T20:37:27Z",
"published": "2022-06-23T06:45:03Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/DIYgod/RSSHub/security/advisories/GHSA-jvxx-v45p-v5vf"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31110"
},
{
"type": "WEB",
"url": "https://github.com/DIYgod/RSSHub/issues/10045"
},
{
"type": "WEB",
"url": "https://github.com/DIYgod/RSSHub/commit/4671720f4c5e1aaaad8fcc1dce684b6546baf2ff"
},
{
"type": "WEB",
"url": "https://github.com/DIYgod/RSSHub/commit/5c4177441417b44a6e45c3c63e9eac2504abeb5b"
},
{
"type": "PACKAGE",
"url": "https://github.com/DIYgod/RSSHub"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "Denial of Service (DoS) vulnerability in RSSHub"
}
GHSA-JXHC-Q857-3J6G
Vulnerability from github – Published: 2021-07-12 16:58 – Updated: 2026-04-06 23:12Impact
Within the URI template implementation in Addressable, a maliciously crafted template may result in uncontrolled resource consumption, leading to denial of service when matched against a URI. In typical usage, templates would not normally be read from untrusted user input, but nonetheless, no previous security advisory for Addressable has cautioned against doing this. Users of the parsing capabilities in Addressable but not the URI template capabilities are unaffected.
Patches
The vulnerability was introduced in version 2.3.0 (previously yanked) and has been present in all subsequent versions up to, and including, 2.7.0. It is fixed in version 2.8.0.
Workarounds
The vulnerability can be avoided by only creating Template objects from trusted sources that have been validated not to produce catastrophic backtracking.
References
- https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS
- https://cwe.mitre.org/data/definitions/1333.html
- https://www.regular-expressions.info/catastrophic.html
For more information
If you have any questions or comments about this advisory: * Open an issue
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.7.0"
},
"package": {
"ecosystem": "RubyGems",
"name": "addressable"
},
"ranges": [
{
"events": [
{
"introduced": "2.3.0"
},
{
"fixed": "2.8.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-32740"
],
"database_specific": {
"cwe_ids": [
"CWE-1333",
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2021-07-06T15:25:32Z",
"nvd_published_at": "2021-07-06T15:15:00Z",
"severity": "HIGH"
},
"details": "### Impact\n\nWithin the URI template implementation in Addressable, a maliciously crafted template may result in uncontrolled resource consumption, leading to denial of service when matched against a URI. In typical usage, templates would not normally be read from untrusted user input, but nonetheless, no previous security advisory for Addressable has cautioned against doing this. Users of the parsing capabilities in Addressable but not the URI template capabilities are unaffected.\n\n### Patches\n\nThe vulnerability was introduced in version 2.3.0 (previously yanked) and has been present in all subsequent versions up to, and including, 2.7.0. It is fixed in version 2.8.0.\n\n### Workarounds\n\nThe vulnerability can be avoided by only creating Template objects from trusted sources that have been validated not to produce catastrophic backtracking.\n\n### References\n\n- https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS\n- https://cwe.mitre.org/data/definitions/1333.html\n- https://www.regular-expressions.info/catastrophic.html\n\n### For more information\nIf you have any questions or comments about this advisory:\n* [Open an issue](https://github.com/sporkmonger/addressable/issues)",
"id": "GHSA-jxhc-q857-3j6g",
"modified": "2026-04-06T23:12:46Z",
"published": "2021-07-12T16:58:33Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/sporkmonger/addressable/security/advisories/GHSA-jxhc-q857-3j6g"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32740"
},
{
"type": "WEB",
"url": "https://github.com/sporkmonger/addressable/commit/0d8a3127e35886ce9284810a7f2438bff6b43cbc"
},
{
"type": "WEB",
"url": "https://github.com/sporkmonger/addressable/commit/89c76130ce255c601f642a018cb5fb5a80e679a7"
},
{
"type": "WEB",
"url": "https://github.com/sporkmonger/addressable/commit/92685096b1f7235ed8986c03ce30a24972eed848#diff-fb36d3dc67e6565ffde17e666a98697f48e76dac38fabf1bb9e97cdf3b583d76"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-jxhc-q857-3j6g"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/addressable/CVE-2021-32740.yml"
},
{
"type": "PACKAGE",
"url": "https://github.com/sporkmonger/addressable"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SDFQM2NHNAZ3NNUQZEJTYECYZYXV4UDS"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WYPVOOQU7UB277UUERJMCNQLRCXRCIQ5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Regular Expression Denial of Service in Addressable templates"
}
GHSA-M2H2-264F-F486
Vulnerability from github – Published: 2022-05-03 00:00 – Updated: 2025-11-03 22:29AngularJS lets users write client-side web applications. The package angular after 1.7.0 is vulnerable to Regular Expression Denial of Service (ReDoS) by providing a custom locale rule that makes it possible to assign the parameter in posPre: ' '.repeat() of NUMBER_FORMATS.PATTERNS[1].posPre with a very high value.
Note: 1. This package has been deprecated and is no longer maintained. 2. The vulnerable versions are 1.7.0 and higher.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "angular"
},
"ranges": [
{
"events": [
{
"introduced": "1.7.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-25844"
],
"database_specific": {
"cwe_ids": [
"CWE-1333",
"CWE-770"
],
"github_reviewed": true,
"github_reviewed_at": "2022-05-04T20:12:02Z",
"nvd_published_at": "2022-05-01T16:15:00Z",
"severity": "MODERATE"
},
"details": "AngularJS lets users write client-side web applications. The package angular after 1.7.0 is vulnerable to Regular Expression Denial of Service (ReDoS) by providing a custom locale rule that makes it possible to assign the parameter in posPre: \u0027 \u0027.repeat() of NUMBER_FORMATS.PATTERNS[1].posPre with a very high value.\n\n**Note:**\n1. This package has been deprecated and is no longer maintained.\n2. The vulnerable versions are 1.7.0 and higher.",
"id": "GHSA-m2h2-264f-f486",
"modified": "2025-11-03T22:29:05Z",
"published": "2022-05-03T00:00:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25844"
},
{
"type": "PACKAGE",
"url": "https://github.com/angular/angular.js"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/07/msg00005.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2WUSPYOTOMAZPDEFPWPSCSPMNODRDKK3"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7LNAKCNTVBIHWAUT3FKWV5N67PQXSZOO"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2WUSPYOTOMAZPDEFPWPSCSPMNODRDKK3"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7LNAKCNTVBIHWAUT3FKWV5N67PQXSZOO"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20220629-0009"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-2772736"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBANGULAR-2772738"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2772737"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JS-ANGULAR-2772735"
},
{
"type": "WEB",
"url": "https://stackblitz.com/edit/angularjs-material-blank-zvtdvb"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "angular vulnerable to regular expression denial of service (ReDoS)"
}
GHSA-M3F4-957X-M785
Vulnerability from github – Published: 2024-02-12 21:30 – Updated: 2024-03-01 14:41A vulnerability, which was classified as problematic, has been found in dbartholomae lambda-middleware frameguard up to 1.0.4. Affected by this issue is some unknown functionality of the file packages/json-deserializer/src/JsonDeserializer.ts of the component JSON Mime-Type Handler. The manipulation leads to inefficient regular expression complexity. Upgrading to version 1.1.0 is able to address this issue. The patch is identified as f689404d830cbc1edd6a1018d3334ff5f44dc6a6. It is recommended to upgrade the affected component. VDB-253406 is the identifier assigned to this vulnerability.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@lambda-middleware/json-deserializer"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.1.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-4437"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2024-02-12T22:39:30Z",
"nvd_published_at": "2024-02-12T20:15:07Z",
"severity": "LOW"
},
"details": "A vulnerability, which was classified as problematic, has been found in dbartholomae lambda-middleware frameguard up to 1.0.4. Affected by this issue is some unknown functionality of the file packages/json-deserializer/src/JsonDeserializer.ts of the component JSON Mime-Type Handler. The manipulation leads to inefficient regular expression complexity. Upgrading to version 1.1.0 is able to address this issue. The patch is identified as f689404d830cbc1edd6a1018d3334ff5f44dc6a6. It is recommended to upgrade the affected component. VDB-253406 is the identifier assigned to this vulnerability.",
"id": "GHSA-m3f4-957x-m785",
"modified": "2024-03-01T14:41:48Z",
"published": "2024-02-12T21:30:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4437"
},
{
"type": "WEB",
"url": "https://github.com/dbartholomae/lambda-middleware/pull/57"
},
{
"type": "WEB",
"url": "https://github.com/dbartholomae/lambda-middleware/commit/f689404d830cbc1edd6a1018d3334ff5f44dc6a6"
},
{
"type": "PACKAGE",
"url": "https://github.com/dbartholomae/lambda-middleware"
},
{
"type": "WEB",
"url": "https://github.com/dbartholomae/lambda-middleware/releases/tag/%40lambda-middleware%2Fframeguard_v1.1.0"
},
{
"type": "WEB",
"url": "https://github.com/dbartholomae/lambda-middleware/releases/tag/@lambda-middleware/frameguard_v1.1.0"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.253406"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.253406"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "lambda-middleware Inefficient Regular Expression Complexity vulnerability"
}
GHSA-M489-XR35-FJXR
Vulnerability from github – Published: 2021-09-22 20:35 – Updated: 2021-09-22 20:34Versions of millisecond prior to 0.1.2 are affected by a regular expression denial of service vulnerability when extremely long version strings are parsed.
Proof of concept
var ms = require('millisecond');
var genstr = function (len, chr) {
var result = "";
for (i=0; i<=len; i++) {
result = result + chr;
}
return result;
}
ms(genstr(process.argv[2], "5") + " minutea");
Recommendation
Update to version 0.1.2 or later.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "millisecond"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.1.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-1333",
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2021-09-22T20:34:42Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "Versions of `millisecond` prior to 0.1.2 are affected by a regular expression denial of service vulnerability when extremely long version strings are parsed.\n\n\n## Proof of concept\n```\nvar ms = require(\u0027millisecond\u0027);\nvar genstr = function (len, chr) {\n var result = \"\";\n for (i=0; i\u003c=len; i++) {\n result = result + chr;\n }\n\n return result;\n}\n\nms(genstr(process.argv[2], \"5\") + \" minutea\");\n```\n\n\n## Recommendation\n\nUpdate to version 0.1.2 or later.",
"id": "GHSA-m489-xr35-fjxr",
"modified": "2021-09-22T20:34:42Z",
"published": "2021-09-22T20:35:08Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/unshiftio/millisecond/pull/4"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/advisories/59"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Regular Expression Denial of Service in millisecond"
}
GHSA-M5PQ-GVJ9-9VR8
Vulnerability from github – Published: 2022-03-08 20:00 – Updated: 2022-08-11 20:38This is a cross-post of the official security advisory. The official advisory contains a signed version with our PGP key, as well.
The Rust Security Response WG was notified that the regex crate did not properly limit the complexity of the regular expressions (regex) it parses. An attacker could use this security issue to perform a denial of service, by sending a specially crafted regex to a service accepting untrusted regexes. No known vulnerability is present when parsing untrusted input with trusted regexes.
This issue has been assigned CVE-2022-24713. The severity of this vulnerability is "high" when the regex crate is used to parse untrusted regexes. Other uses of the regex crate are not affected by this vulnerability.
Overview
The regex crate features built-in mitigations to prevent denial of service attacks caused by untrusted regexes, or untrusted input matched by trusted regexes. Those (tunable) mitigations already provide sane defaults to prevent attacks. This guarantee is documented and it's considered part of the crate's API.
Unfortunately a bug was discovered in the mitigations designed to prevent untrusted regexes to take an arbitrary amount of time during parsing, and it's possible to craft regexes that bypass such mitigations. This makes it possible to perform denial of service attacks by sending specially crafted regexes to services accepting user-controlled, untrusted regexes.
Affected versions
All versions of the regex crate before or equal to 1.5.4 are affected by this issue. The fix is include starting from regex 1.5.5.
Mitigations
We recommend everyone accepting user-controlled regexes to upgrade immediately to the latest version of the regex crate.
Unfortunately there is no fixed set of problematic regexes, as there are practically infinite regexes that could be crafted to exploit this vulnerability. Because of this, we do not recommend denying known problematic regexes.
Acknowledgements
We want to thank Addison Crump for responsibly disclosing this to us according to the Rust security policy, and for helping review the fix.
We also want to thank Andrew Gallant for developing the fix, and Pietro Albini for coordinating the disclosure and writing this advisory.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "regex"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.5.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-24713"
],
"database_specific": {
"cwe_ids": [
"CWE-1333",
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2022-03-08T20:00:36Z",
"nvd_published_at": "2022-03-08T19:15:00Z",
"severity": "HIGH"
},
"details": "\u003e This is a cross-post of [the official security advisory][advisory]. The official advisory contains a signed version with our PGP key, as well.\n\n[advisory]: https://groups.google.com/g/rustlang-security-announcements/c/NcNNL1Jq7Yw\n\nThe Rust Security Response WG was notified that the `regex` crate did not properly limit the complexity of the regular expressions (regex) it parses. An attacker could use this security issue to perform a denial of service, by sending a specially crafted regex to a service accepting untrusted regexes. No known vulnerability is present when parsing untrusted input with trusted regexes.\n\nThis issue has been assigned CVE-2022-24713. The severity of this vulnerability is \"high\" when the `regex` crate is used to parse untrusted regexes. Other uses of the `regex` crate are not affected by this vulnerability.\n\n## Overview\n\nThe `regex` crate features built-in mitigations to prevent denial of service attacks caused by untrusted regexes, or untrusted input matched by trusted regexes. Those (tunable) mitigations already provide sane defaults to prevent attacks. This guarantee is documented and it\u0027s considered part of the crate\u0027s API.\n\nUnfortunately a bug was discovered in the mitigations designed to prevent untrusted regexes to take an arbitrary amount of time during parsing, and it\u0027s possible to craft regexes that bypass such mitigations. This makes it possible to perform denial of service attacks by sending specially crafted regexes to services accepting user-controlled, untrusted regexes.\n\n## Affected versions\n\nAll versions of the `regex` crate before or equal to 1.5.4 are affected by this issue. The fix is include starting from `regex` 1.5.5.\n\n## Mitigations\n\nWe recommend everyone accepting user-controlled regexes to upgrade immediately to the latest version of the `regex` crate.\n\nUnfortunately there is no fixed set of problematic regexes, as there are practically infinite regexes that could be crafted to exploit this vulnerability. Because of this, we do not recommend denying known problematic regexes.\n\n## Acknowledgements\n\nWe want to thank Addison Crump for responsibly disclosing this to us according to the [Rust security policy](https://www.rust-lang.org/policies/security), and for helping review the fix.\n\nWe also want to thank Andrew Gallant for developing the fix, and Pietro Albini for coordinating the disclosure and writing this advisory.",
"id": "GHSA-m5pq-gvj9-9vr8",
"modified": "2022-08-11T20:38:52Z",
"published": "2022-03-08T20:00:36Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/rust-lang/regex/security/advisories/GHSA-m5pq-gvj9-9vr8"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24713"
},
{
"type": "WEB",
"url": "https://github.com/rust-lang/regex/commit/ae70b41d4f46641dbc45c7a4f87954aea356283e"
},
{
"type": "WEB",
"url": "https://github.com/rust-lang/regex"
},
{
"type": "WEB",
"url": "https://groups.google.com/g/rustlang-security-announcements/c/NcNNL1Jq7Yw"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2022/04/msg00003.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2022/04/msg00009.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JANLZ3JXWJR7FSHE57K66UIZUIJZI67T"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O3YB7CURSG64CIPCDPNMGPE4UU24AB6H"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PDOWTHNVGBOP2HN27PUFIGRYNSNDTYRJ"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2022-0013.html"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202208-08"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202208-14"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2022/dsa-5113"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2022/dsa-5118"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Rust\u0027s regex crate vulnerable to regular expression denial of service"
}
GHSA-M95Q-7QP3-XV42
Vulnerability from github – Published: 2023-09-28 21:30 – Updated: 2024-09-06 19:11Zod version 3.22.2 allows an attacker to perform a denial of service while validating emails.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.22.2"
},
"package": {
"ecosystem": "npm",
"name": "zod"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.22.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-4316"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2023-10-02T16:26:26Z",
"nvd_published_at": "2023-09-28T21:15:10Z",
"severity": "MODERATE"
},
"details": "Zod version 3.22.2 allows an attacker to perform a denial of service while validating emails.",
"id": "GHSA-m95q-7qp3-xv42",
"modified": "2024-09-06T19:11:37Z",
"published": "2023-09-28T21:30:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4316"
},
{
"type": "WEB",
"url": "https://github.com/colinhacks/zod/issues/2609"
},
{
"type": "WEB",
"url": "https://github.com/colinhacks/zod/pull/2824"
},
{
"type": "WEB",
"url": "https://github.com/colinhacks/zod/commit/2ba00fe2377f4d53947a84b8cdb314a63bbd6dd4"
},
{
"type": "WEB",
"url": "https://fluidattacks.com/advisories/swift"
},
{
"type": "PACKAGE",
"url": "https://github.com/colinhacks/zod"
},
{
"type": "WEB",
"url": "https://github.com/colinhacks/zod/releases/tag/v3.22.3"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/package/zod"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "Zod denial of service vulnerability"
}
Mitigation
Use regular expressions that do not support backtracking, e.g. by removing nested quantifiers.
Mitigation
Set backtracking limits in the configuration of the regular expression implementation, such as PHP's pcre.backtrack_limit. Also consider limits on execution time for the process.
Mitigation
Do not use regular expressions with untrusted input. If regular expressions must be used, avoid using backtracking in the expression.
Mitigation
Limit the length of the input that the regular expression will process.
CAPEC-492: Regular Expression Exponential Blowup
An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions.