CWE-1333
AllowedInefficient Regular Expression Complexity
Abstraction: Base · Status: Draft
The product uses a regular expression with a worst-case computational complexity that is inefficient and possibly exponential.
727 vulnerabilities reference this CWE, most recent first.
GHSA-QHV9-728R-6JQG
Vulnerability from github – Published: 2018-10-10 18:57 – Updated: 2021-09-16 19:58Affected versions of tough-cookie may be vulnerable to regular expression denial of service when long strings of semicolons exist in the Set-Cookie header.
Recommendation
Update to version 2.3.0 or later.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "tough-cookie"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.3.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2016-1000232"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2020-06-16T21:52:05Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "Affected versions of `tough-cookie` may be vulnerable to regular expression denial of service when long strings of semicolons exist in the `Set-Cookie` header.\n\n\n## Recommendation\n\nUpdate to version 2.3.0 or later.",
"id": "GHSA-qhv9-728r-6jqg",
"modified": "2021-09-16T19:58:53Z",
"published": "2018-10-10T18:57:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-1000232"
},
{
"type": "WEB",
"url": "https://github.com/salesforce/tough-cookie/commit/615627206357d997d5e6ff9da158997de05235ae"
},
{
"type": "WEB",
"url": "https://github.com/salesforce/tough-cookie/commit/e4fc2e0f9ee1b7a818d68f0ac7ea696f377b1534"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2016:2101"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:2912"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/cve-2016-1000232"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-qhv9-728r-6jqg"
},
{
"type": "PACKAGE",
"url": "https://github.com/salesforce/tough-cookie"
},
{
"type": "WEB",
"url": "https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-api-connect-is-affected-by-node-js-tough-cookie-module-vulnerability-to-a-denial-of-service-cve-2016-1000232"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/advisories/130"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "ReDoS via long string of semicolons in tough-cookie"
}
GHSA-QJM7-55VV-3C5F
Vulnerability from github – Published: 2023-01-18 03:31 – Updated: 2026-02-17 22:04A vulnerability was found in melnaron mel-spintax. It has been rated as problematic. Affected by this issue is some unknown functionality of the file lib/spintax.js. The manipulation of the argument text leads to inefficient regular expression complexity. The name of the patch is 37767617846e27b87b63004e30216e8f919637d3. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-218456.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "mel-spintax"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.0.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2018-25077"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2023-01-20T23:35:16Z",
"nvd_published_at": "2023-01-18T01:15:00Z",
"severity": "MODERATE"
},
"details": "A vulnerability was found in melnaron mel-spintax. It has been rated as problematic. Affected by this issue is some unknown functionality of the file `lib/spintax.js`. The manipulation of the argument text leads to inefficient regular expression complexity. The name of the patch is 37767617846e27b87b63004e30216e8f919637d3. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-218456.",
"id": "GHSA-qjm7-55vv-3c5f",
"modified": "2026-02-17T22:04:14Z",
"published": "2023-01-18T03:31:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-25077"
},
{
"type": "WEB",
"url": "https://github.com/melnaron/mel-spintax/commit/37767617846e27b87b63004e30216e8f919637d3"
},
{
"type": "PACKAGE",
"url": "https://github.com/melnaron/mel-spintax"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.218456"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "mel-spintax has Inefficient Regular Expression Complexity"
}
GHSA-QJVX-7F9V-7WFV
Vulnerability from github – Published: 2024-06-06 21:30 – Updated: 2024-06-06 21:30kubeflow/kubeflow is vulnerable to a Regular Expression Denial of Service (ReDoS) attack due to inefficient regular expression complexity in its email validation mechanism. An attacker can remotely exploit this vulnerability without authentication by providing specially crafted input that causes the application to consume an excessive amount of CPU resources. This vulnerability affects the latest version of kubeflow/kubeflow, specifically within the centraldashboard-angular backend component. The impact of exploiting this vulnerability includes resource exhaustion, and service disruption.
{
"affected": [],
"aliases": [
"CVE-2024-5552"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-06T19:16:09Z",
"severity": "HIGH"
},
"details": "kubeflow/kubeflow is vulnerable to a Regular Expression Denial of Service (ReDoS) attack due to inefficient regular expression complexity in its email validation mechanism. An attacker can remotely exploit this vulnerability without authentication by providing specially crafted input that causes the application to consume an excessive amount of CPU resources. This vulnerability affects the latest version of kubeflow/kubeflow, specifically within the centraldashboard-angular backend component. The impact of exploiting this vulnerability includes resource exhaustion, and service disruption.",
"id": "GHSA-qjvx-7f9v-7wfv",
"modified": "2024-06-06T21:30:38Z",
"published": "2024-06-06T21:30:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-5552"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/0c1d6432-f385-4c54-beea-9f8c677def5b"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QMPF-C66X-M579
Vulnerability from github – Published: 2024-10-26 21:30 – Updated: 2024-10-26 21:30HTML2Markdown is a Javascript implementation for converting HTML to Markdown text. All available versions contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS). As of time of publication, no known patches are available.
{
"affected": [],
"aliases": [
"CVE-2020-26307"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-26T21:15:13Z",
"severity": "HIGH"
},
"details": "HTML2Markdown is a Javascript implementation for converting HTML to Markdown text. All available versions contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS). As of time of publication, no known patches are available.",
"id": "GHSA-qmpf-c66x-m579",
"modified": "2024-10-26T21:30:46Z",
"published": "2024-10-26T21:30:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26307"
},
{
"type": "WEB",
"url": "https://github.com/kates/html2markdown/issues/13"
},
{
"type": "ADVISORY",
"url": "https://securitylab.github.com/advisories/GHSL-2020-301-redos-HTML2Markdown"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Green",
"type": "CVSS_V4"
}
]
}
GHSA-QQ3J-4F4F-9583
Vulnerability from github – Published: 2025-05-19 12:30 – Updated: 2025-09-25 21:06A Regular Expression Denial of Service (ReDoS) exists in the preprocess_string() function of the transformers.testing_utils module. In versions before 4.50.0, the regex used to process code blocks in docstrings contains nested quantifiers that can trigger catastrophic backtracking when given inputs with many newline characters. An attacker who can supply such input to preprocess_string() (or code paths that call it) can force excessive CPU usage and degrade availability.
Fix: released in 4.50.0, which rewrites the regex to avoid the inefficient pattern. ([GitHub][1])
- Affected:
< 4.50.0 - Patched:
4.50.0
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "transformers"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.50.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-2099"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2025-05-19T21:53:36Z",
"nvd_published_at": "2025-05-19T12:15:19Z",
"severity": "MODERATE"
},
"details": "A Regular Expression Denial of Service (ReDoS) exists in the `preprocess_string()` function of the `transformers.testing_utils` module. In versions **before 4.50.0**, the regex used to process code blocks in docstrings contains nested quantifiers that can trigger catastrophic backtracking when given inputs with many newline characters. An attacker who can supply such input to `preprocess_string()` (or code paths that call it) can force excessive CPU usage and degrade availability.\n\n**Fix:** released in **4.50.0**, which rewrites the regex to avoid the inefficient pattern. ([GitHub][1])\n\n* **Affected:** `\u003c 4.50.0`\n* **Patched:** `4.50.0`",
"id": "GHSA-qq3j-4f4f-9583",
"modified": "2025-09-25T21:06:38Z",
"published": "2025-05-19T12:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-2099"
},
{
"type": "WEB",
"url": "https://github.com/huggingface/transformers/pull/36648"
},
{
"type": "WEB",
"url": "https://github.com/huggingface/transformers/commit/8cb522b4190bd556ce51be04942720650b1a3e57"
},
{
"type": "PACKAGE",
"url": "https://github.com/huggingface/transformers"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/transformers/PYSEC-2025-40.yaml"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/97b780f3-ffca-424f-ad5d-0e1c57a5bde4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "Hugging Face Transformers Regular Expression Denial of Service"
}
GHSA-QRPW-GJVH-X5GM
Vulnerability from github – Published: 2026-05-13 15:30 – Updated: 2026-06-09 02:01Impact
Nautobot UI object-bulk-rename endpoints (for example, /dcim/interfaces/rename/) were vulnerable to application-wide denial of service via maliciously crafted regular expressions in the find field in combination with the use_regex flag.
Patches
A general-purpose timeout has been added to these endpoints in Nautobot v2.4.33 and v3.1.2, which ensures that the request will fail early with an appropriate message if regular expression evaluation takes more than a short period of time, instead of continuing to execute for an indefinite duration.
Workarounds
No known workaround has been identified at this time.
References
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "nautobot"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0a2"
},
{
"fixed": "3.1.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "nautobot"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.4.33"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-44796"
],
"database_specific": {
"cwe_ids": [
"CWE-1333",
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-13T15:30:53Z",
"nvd_published_at": "2026-05-28T18:16:33Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nNautobot UI object-bulk-rename endpoints (for example, `/dcim/interfaces/rename/`) were vulnerable to application-wide denial of service via maliciously crafted regular expressions in the `find` field in combination with the `use_regex` flag.\n\n### Patches\n\nA general-purpose timeout has been added to these endpoints in Nautobot v2.4.33 and v3.1.2, which ensures that the request will fail early with an appropriate message if regular expression evaluation takes more than a short period of time, instead of continuing to execute for an indefinite duration.\n\n### Workarounds\n\nNo known workaround has been identified at this time.\n\n### References\n\n- 2.4.33 (\u003ca href=\"https://github.com/nautobot/nautobot/commit/c2b766966d814a7141f62c7bc90c85fefb7892ee\"\u003epatch\u003c/a\u003e)\n- 3.1.2 (\u003ca href=\"https://github.com/nautobot/nautobot/commit/5a30d0916953afbeedd24a784709e762cc3879cd\"\u003epatch\u003c/a\u003e)",
"id": "GHSA-qrpw-gjvh-x5gm",
"modified": "2026-06-09T02:01:07Z",
"published": "2026-05-13T15:30:53Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/nautobot/nautobot/security/advisories/GHSA-qrpw-gjvh-x5gm"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44796"
},
{
"type": "WEB",
"url": "https://github.com/nautobot/nautobot/commit/5a30d0916953afbeedd24a784709e762cc3879cd"
},
{
"type": "WEB",
"url": "https://github.com/nautobot/nautobot/commit/c2b766966d814a7141f62c7bc90c85fefb7892ee"
},
{
"type": "PACKAGE",
"url": "https://github.com/nautobot/nautobot"
},
{
"type": "WEB",
"url": "https://github.com/nautobot/nautobot/releases/tag/v2.4.33"
},
{
"type": "WEB",
"url": "https://github.com/nautobot/nautobot/releases/tag/v3.1.2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Nautobot: Object bulk rename UI actions vulnerable to denial of service by crafted regular expression (REDoS)"
}
GHSA-QRRR-VQV8-9HCW
Vulnerability from github – Published: 2023-09-01 12:30 – Updated: 2024-04-04 07:21An issue has been discovered in GitLab affecting all versions starting from 15.11 before 16.1.5, all versions starting from 16.2 before 16.2.5, all versions starting from 16.3 before 16.3.1. An authenticated user could trigger a denial of service when importing or cloning malicious content.
{
"affected": [],
"aliases": [
"CVE-2023-3210"
],
"database_specific": {
"cwe_ids": [
"CWE-1333",
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-09-01T11:15:42Z",
"severity": "MODERATE"
},
"details": "An issue has been discovered in GitLab affecting all versions starting from 15.11 before 16.1.5, all versions starting from 16.2 before 16.2.5, all versions starting from 16.3 before 16.3.1. An authenticated user could trigger a denial of service when importing or cloning malicious content.",
"id": "GHSA-qrrr-vqv8-9hcw",
"modified": "2024-04-04T07:21:21Z",
"published": "2023-09-01T12:30:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3210"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/2011474"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/415074"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QRW5-5H28-6CMG
Vulnerability from github – Published: 2022-10-16 12:00 – Updated: 2024-09-20 15:34In Django 3.2 before 3.2.16, 4.0 before 4.0.8, and 4.1 before 4.1.2, internationalized URLs were subject to a potential denial of service attack via the locale parameter, which is treated as a regular expression.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "Django"
},
"ranges": [
{
"events": [
{
"introduced": "3.2"
},
{
"fixed": "3.2.16"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "Django"
},
"ranges": [
{
"events": [
{
"introduced": "4.0"
},
{
"fixed": "4.0.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "Django"
},
"ranges": [
{
"events": [
{
"introduced": "4.1"
},
{
"fixed": "4.1.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-41323"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2022-10-18T17:10:24Z",
"nvd_published_at": "2022-10-16T06:15:00Z",
"severity": "HIGH"
},
"details": "In Django 3.2 before 3.2.16, 4.0 before 4.0.8, and 4.1 before 4.1.2, internationalized URLs were subject to a potential denial of service attack via the locale parameter, which is treated as a regular expression. ",
"id": "GHSA-qrw5-5h28-6cmg",
"modified": "2024-09-20T15:34:48Z",
"published": "2022-10-16T12:00:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41323"
},
{
"type": "WEB",
"url": "https://github.com/django/django/commit/23f0093125ac2e553da6c1b2f9988eb6a3dd2ea1"
},
{
"type": "WEB",
"url": "https://github.com/django/django/commit/5b6b257fa7ec37ff27965358800c67e2dd11c924"
},
{
"type": "WEB",
"url": "https://github.com/django/django/commit/9d656ea51d9ea7105c0c0785783ac29d426a7d25"
},
{
"type": "WEB",
"url": "https://docs.djangoproject.com/en/4.0/releases/security"
},
{
"type": "PACKAGE",
"url": "https://github.com/django/django"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2022-304.yaml"
},
{
"type": "WEB",
"url": "https://groups.google.com/forum/#!forum/django-announce"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FKYVMMR7RPM6AHJ2SBVM2LO6D3NGFY7B"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HWY6DQWRVBALV73BPUVBXC3QIYUM24IK"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LTZVAKU5ALQWOKFTPISE257VCVIYGFQI"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VZS4G6NSZWPTVXMMZHJOJVQEPL3QTO77"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YJB6FUBBLVKKG655UMTLQNN6UQ6EDLSP"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20221124-0001"
},
{
"type": "WEB",
"url": "https://www.djangoproject.com/weblog/2022/oct/04/security-releases"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Django denial-of-service vulnerability in internationalized URLs"
}
GHSA-QV66-F876-VJVR
Vulnerability from github – Published: 2023-01-11 15:30 – Updated: 2023-01-19 16:35A vulnerability was found in Prestaul skeemas and classified as problematic. This issue affects some unknown processing of the file validators/base.js. The manipulation of the argument uri leads to inefficient regular expression complexity. The name of the patch is 65e94eda62dc8dc148ab3e59aa2ccc086ac448fd. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-218003.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "skeemas"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.2.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2018-25074"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2023-01-11T21:52:46Z",
"nvd_published_at": "2023-01-11T15:15:00Z",
"severity": "HIGH"
},
"details": "A vulnerability was found in Prestaul skeemas and classified as problematic. This issue affects some unknown processing of the file validators/base.js. The manipulation of the argument uri leads to inefficient regular expression complexity. The name of the patch is 65e94eda62dc8dc148ab3e59aa2ccc086ac448fd. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-218003.",
"id": "GHSA-qv66-f876-vjvr",
"modified": "2023-01-19T16:35:20Z",
"published": "2023-01-11T15:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-25074"
},
{
"type": "WEB",
"url": "https://github.com/Prestaul/skeemas/commit/65e94eda62dc8dc148ab3e59aa2ccc086ac448fd"
},
{
"type": "PACKAGE",
"url": "https://github.com/Prestaul/skeemas"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.218003"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.218003"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "skeemas Inefficient Regular Expression Complexity vulnerability"
}
GHSA-QW3F-W4PF-JH5F
Vulnerability from github – Published: 2022-06-01 00:00 – Updated: 2023-08-24 20:25We failed to apply the fix for CVE-2022-30126 to the 1.x branch in the 1.28.2 release. In Apache Tika, a regular expression in the StandardsText class, used by the StandardsExtractingContentHandler could lead to a denial of service caused by backtracking on a specially crafted file. This only affects users who are running the StandardsExtractingContentHandler, which is a non-standard handler. This is fixed in 1.28.3.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.tika:tika-core"
},
"ranges": [
{
"events": [
{
"introduced": "1.17"
},
{
"fixed": "1.28.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-30973"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2022-06-03T22:18:15Z",
"nvd_published_at": "2022-05-31T14:15:00Z",
"severity": "MODERATE"
},
"details": "We failed to apply the fix for CVE-2022-30126 to the 1.x branch in the 1.28.2 release. In Apache Tika, a regular expression in the StandardsText class, used by the StandardsExtractingContentHandler could lead to a denial of service caused by backtracking on a specially crafted file. This only affects users who are running the StandardsExtractingContentHandler, which is a non-standard handler. This is fixed in 1.28.3.",
"id": "GHSA-qw3f-w4pf-jh5f",
"modified": "2023-08-24T20:25:40Z",
"published": "2022-06-01T00:00:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30973"
},
{
"type": "WEB",
"url": "https://github.com/apache/tika/commit/a36711610fa1f6f5ba0f594803415af795e0b265"
},
{
"type": "WEB",
"url": "https://github.com/apache/tika/commit/e76302196ebcafb7b51fce37fbe8256e6c0fbc51"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-rpjm-422r-95mh"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/tika"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/gqvb5t4p7tmdpl0y5bdbf72pgxj04h7p"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20220722-0004"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2022/05/31/2"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2022/06/27/5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Regular expression denial of service in apache tika"
}
Mitigation
Use regular expressions that do not support backtracking, e.g. by removing nested quantifiers.
Mitigation
Set backtracking limits in the configuration of the regular expression implementation, such as PHP's pcre.backtrack_limit. Also consider limits on execution time for the process.
Mitigation
Do not use regular expressions with untrusted input. If regular expressions must be used, avoid using backtracking in the expression.
Mitigation
Limit the length of the input that the regular expression will process.
CAPEC-492: Regular Expression Exponential Blowup
An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions.