CWE-1333
AllowedInefficient Regular Expression Complexity
Abstraction: Base · Status: Draft
The product uses a regular expression with a worst-case computational complexity that is inefficient and possibly exponential.
724 vulnerabilities reference this CWE, most recent first.
GHSA-WRXC-QW43-C96X
Vulnerability from github – Published: 2025-03-31 15:30 – Updated: 2025-03-31 15:30Running DDoS on tcp port 22 will trigger a kernel crash. This issue is introduced by the backport of a commit regarding nft_lookup without the subsequent fixes that were introduced after this commit. The resolution of this CVE introduces those commits to the linux-bluefield package.
{
"affected": [],
"aliases": [
"CVE-2023-0881"
],
"database_specific": {
"cwe_ids": [
"CWE-1333",
"CWE-20"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-31T14:15:18Z",
"severity": "HIGH"
},
"details": "Running DDoS on tcp port 22 will trigger a kernel crash. This issue is introduced by the backport of a commit regarding nft_lookup without the subsequent fixes that were introduced after this commit. The resolution of this CVE introduces those commits to the linux-bluefield package.",
"id": "GHSA-wrxc-qw43-c96x",
"modified": "2025-03-31T15:30:48Z",
"published": "2025-03-31T15:30:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0881"
},
{
"type": "WEB",
"url": "https://bugs.launchpad.net/ubuntu/+source/linux-bluefield/+bug/2006397"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WWHV-WXV9-RPGW
Vulnerability from github – Published: 2024-10-15 23:35 – Updated: 2024-12-02 19:53There is a possible ReDoS vulnerability in the plain_text_for_blockquote_node helper in Action Text. This vulnerability has been assigned the CVE identifier CVE-2024-47888.
Impact
Carefully crafted text can cause the plain_text_for_blockquote_node helper to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade or apply the relevant patch immediately.
Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends on Ruby 3.2 or greater so is unaffected.
Releases
The fixed releases are available at the normal locations.
Workarounds
Users can avoid calling plain_text_for_blockquote_node or upgrade to Ruby 3.2
Credits
Thanks to ooooooo_q for the report!
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "actiontext"
},
"ranges": [
{
"events": [
{
"introduced": "6.0.0"
},
{
"fixed": "6.1.7.9"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "actiontext"
},
"ranges": [
{
"events": [
{
"introduced": "7.0.0"
},
{
"fixed": "7.0.8.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "actiontext"
},
"ranges": [
{
"events": [
{
"introduced": "7.1.0"
},
{
"fixed": "7.1.4.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "actiontext"
},
"ranges": [
{
"events": [
{
"introduced": "7.2.0"
},
{
"fixed": "7.2.1.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-47888"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2024-10-15T23:35:36Z",
"nvd_published_at": "2024-10-16T21:15:13Z",
"severity": "MODERATE"
},
"details": "There is a possible ReDoS vulnerability in the plain_text_for_blockquote_node helper in Action Text. This vulnerability has been assigned the CVE identifier CVE-2024-47888.\n\nImpact\n------\n\nCarefully crafted text can cause the plain_text_for_blockquote_node helper to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade or apply the relevant patch immediately.\n\nRuby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends on Ruby 3.2 or greater so is unaffected.\n\n\nReleases\n--------\nThe fixed releases are available at the normal locations.\n\nWorkarounds\n-----------\nUsers can avoid calling `plain_text_for_blockquote_node` or upgrade to Ruby 3.2\n\nCredits\n-------\n\nThanks to [ooooooo_q](https://hackerone.com/ooooooo_q) for the report!",
"id": "GHSA-wwhv-wxv9-rpgw",
"modified": "2024-12-02T19:53:42Z",
"published": "2024-10-15T23:35:36Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/rails/rails/security/advisories/GHSA-wwhv-wxv9-rpgw"
},
{
"type": "PACKAGE",
"url": "https://github.com/rails/rails"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actiontext/CVE-2024-47888.yml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U",
"type": "CVSS_V4"
}
],
"summary": "Possible ReDoS vulnerability in plain_text_for_blockquote_node in Action Text"
}
GHSA-WWR9-4GMR-XVQ9
Vulnerability from github – Published: 2025-03-20 12:32 – Updated: 2025-03-20 19:44A vulnerability in the /3/Parse endpoint of h2oai/h2o-3 version 3.46.0.1 allows for a denial of service (DoS) attack. The endpoint uses a user-specified string to construct a regular expression, which is then applied to another user-specified string. By sending multiple simultaneous requests, an attacker can exhaust all available threads, leading to a complete denial of service.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "h2o"
},
"ranges": [
{
"events": [
{
"introduced": "3.30.0.7"
},
{
"last_affected": "3.46.0.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "ai.h2o:h2o-core"
},
"ranges": [
{
"events": [
{
"introduced": "3.30.0.7"
},
{
"last_affected": "3.46.0.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-10549"
],
"database_specific": {
"cwe_ids": [
"CWE-1333",
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2025-03-20T19:44:43Z",
"nvd_published_at": "2025-03-20T10:15:17Z",
"severity": "HIGH"
},
"details": "A vulnerability in the `/3/Parse` endpoint of h2oai/h2o-3 version 3.46.0.1 allows for a denial of service (DoS) attack. The endpoint uses a user-specified string to construct a regular expression, which is then applied to another user-specified string. By sending multiple simultaneous requests, an attacker can exhaust all available threads, leading to a complete denial of service.",
"id": "GHSA-wwr9-4gmr-xvq9",
"modified": "2025-03-20T19:44:43Z",
"published": "2025-03-20T12:32:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-10549"
},
{
"type": "PACKAGE",
"url": "https://github.com/h2oai/h2o-3"
},
{
"type": "WEB",
"url": "https://github.com/h2oai/h2o-3/blob/51c25940ded8b7d0acc8f3f72329fd9dedbb3a34/h2o-core/src/main/java/water/api/ParseHandler.java#L80"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/ce7bd2d6-fd38-440d-a91a-dd8f3fc06bc2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "H2O Vulnerable to Denial of Service (DoS) via `/3/Parse` Endpoint"
}
GHSA-WX3G-P9W5-PP6M
Vulnerability from github – Published: 2024-06-13 00:31 – Updated: 2024-06-13 00:31An issue has been discovered in GitLab CE/EE affecting all versions starting from 8.4 prior to 16.10.7, starting from 16.11 prior to 16.11.4, and starting from 17.0 prior to 17.0.2. A vulnerability in GitLab's Asana integration allowed an attacker to potentially cause a regular expression denial of service by sending specially crafted requests.
{
"affected": [],
"aliases": [
"CVE-2024-1963"
],
"database_specific": {
"cwe_ids": [
"CWE-1333",
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-12T23:15:49Z",
"severity": "MODERATE"
},
"details": "An issue has been discovered in GitLab CE/EE affecting all versions starting from 8.4 prior to 16.10.7, starting from 16.11 prior to 16.11.4, and starting from 17.0 prior to 17.0.2. A vulnerability in GitLab\u0027s Asana integration allowed an attacker to potentially cause a regular expression denial of service by sending specially crafted requests.",
"id": "GHSA-wx3g-p9w5-pp6m",
"modified": "2024-06-13T00:31:23Z",
"published": "2024-06-13T00:31:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1963"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/2376482"
},
{
"type": "WEB",
"url": "https://about.gitlab.com/releases/2024/06/12/patch-release-gitlab-17-0-2-released/#redos-in-asana-integration-issue-mapping-when-webhook-is-called"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/443577"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WXGH-8GMR-3QH3
Vulnerability from github – Published: 2023-01-07 18:30 – Updated: 2023-01-12 23:43A vulnerability classified as problematic has been found in cronvel terminal-kit up to 2.1.7. Affected is an unknown function. The manipulation leads to inefficient regular expression complexity. Upgrading to version 2.1.8 can address this issue. The name of the patch is a2e446cc3927b559d0281683feb9b821e83b758c. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-217620.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "terminal-kit"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.1.8"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-4306"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2023-01-12T23:43:03Z",
"nvd_published_at": "2023-01-07T17:15:00Z",
"severity": "HIGH"
},
"details": "A vulnerability classified as problematic has been found in cronvel terminal-kit up to 2.1.7. Affected is an unknown function. The manipulation leads to inefficient regular expression complexity. Upgrading to version 2.1.8 can address this issue. The name of the patch is a2e446cc3927b559d0281683feb9b821e83b758c. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-217620.",
"id": "GHSA-wxgh-8gmr-3qh3",
"modified": "2023-01-12T23:43:03Z",
"published": "2023-01-07T18:30:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4306"
},
{
"type": "WEB",
"url": "https://github.com/cronvel/terminal-kit/commit/a2e446cc3927b559d0281683feb9b821e83b758c"
},
{
"type": "PACKAGE",
"url": "https://github.com/cronvel/terminal-kit"
},
{
"type": "WEB",
"url": "https://github.com/cronvel/terminal-kit/releases/tag/v2.1.8"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.217620"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.217620"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "terminal-kit Inefficient Regular Expression Complexity vulnerability"
}
GHSA-WXHQ-PM8V-CW75
Vulnerability from github – Published: 2019-06-05 20:50 – Updated: 2020-08-31 18:35Version of clean-css prior to 4.1.11 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions. This can cause the application to be unresponsive leading to Denial of Service.
Recommendation
Upgrade to version 4.1.11 or higher.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "clean-css"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.1.11"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2019-06-05T20:49:47Z",
"nvd_published_at": null,
"severity": "LOW"
},
"details": "Version of `clean-css` prior to 4.1.11 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions. This can cause the application to be unresponsive leading to Denial of Service.\n\n\n## Recommendation\n\nUpgrade to version 4.1.11 or higher.",
"id": "GHSA-wxhq-pm8v-cw75",
"modified": "2020-08-31T18:35:40Z",
"published": "2019-06-05T20:50:16Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/jakubpawlowicz/clean-css/commit/2929bafbf8cdf7dccb24e0949c70833764fa87e3"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/advisories/785"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Regular Expression Denial of Service in clean-css"
}
GHSA-X2V6-6Q9M-6QX9
Vulnerability from github – Published: 2023-09-29 09:30 – Updated: 2024-04-04 07:58An input validation issue in the asset proxy in GitLab EE, affecting all versions from 12.3 prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.1, allowed an authenticated attacker to craft image urls which bypass the asset proxy.
{
"affected": [],
"aliases": [
"CVE-2023-3906"
],
"database_specific": {
"cwe_ids": [
"CWE-1287",
"CWE-1333",
"CWE-20"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-09-29T07:15:13Z",
"severity": "LOW"
},
"details": "An input validation issue in the asset proxy in GitLab EE, affecting all versions from 12.3 prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.1, allowed an authenticated attacker to craft image urls which bypass the asset proxy.",
"id": "GHSA-x2v6-6q9m-6qx9",
"modified": "2024-04-04T07:58:08Z",
"published": "2023-09-29T09:30:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3906"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/2071411"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/419213"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-X38Q-XG2H-RXGX
Vulnerability from github – Published: 2021-09-23 23:14 – Updated: 2024-09-27 21:45Leo Editor v6.2.1 was discovered to contain a regular expression denial of service (ReDoS) vulnerability in the component plugins/importers/dart.py.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 6.2.1"
},
"package": {
"ecosystem": "PyPI",
"name": "leo"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-23478"
],
"database_specific": {
"cwe_ids": [
"CWE-1333",
"CWE-697"
],
"github_reviewed": true,
"github_reviewed_at": "2021-09-23T16:37:27Z",
"nvd_published_at": "2021-09-22T20:15:00Z",
"severity": "HIGH"
},
"details": "Leo Editor v6.2.1 was discovered to contain a regular expression denial of service (ReDoS) vulnerability in the component plugins/importers/dart.py.",
"id": "GHSA-x38q-xg2h-rxgx",
"modified": "2024-09-27T21:45:23Z",
"published": "2021-09-23T23:14:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-23478"
},
{
"type": "WEB",
"url": "https://github.com/leo-editor/leo-editor/issues/1597"
},
{
"type": "WEB",
"url": "https://github.com/leo-editor/leo-editor/commit/029833689060ee73f1bc1708cf4b182f0c66ec8e"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-x38q-xg2h-rxgx"
},
{
"type": "WEB",
"url": "https://github.com/leo-editor/leo-editor"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/leo/PYSEC-2021-338.yaml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Regular Expression Denial of Service in Leo Editor"
}
GHSA-X3V3-8XG8-8V72
Vulnerability from github – Published: 2023-12-18 20:00 – Updated: 2023-12-28 22:03Impact
A ReDoS (Regular expression Denial of Service) vulnerability has been identified in Sentry's Astro SDK 7.78.0-7.86.0. Under certain conditions, this vulnerability allows an attacker to cause excessive computation times on the server, leading to denial of service (DoS).
Applications that are using Sentry's Astro SDK are affected if:
- They're using Sentry instrumentation:
- they have manually registered Sentry Middleware (affected versions 7.78.0-7.86.0);
- or configured Astro in SSR (server) or hybrid mode, use Astro 3.5.0 and newer and didn’t disable the automatic server instrumentation (affected versions 7.82.0-7.86.0).
- They have configured routes with at least two path params (e.g.
/foo/[p1]/bar/[p2]).
Patches
The problem has been patched in @sentry/astro@7.87.0. The corresponding PR: https://github.com/getsentry/sentry-javascript/pull/9815
Workarounds
We strongly recommend upgrading to the latest SDK version. However, if it's not possible, the steps to mitigate the vulnerability without upgrade are: * disable auto instrumentation if you're using Astro 3.5.0 or newer * and remove the manually added Sentry middleware (if it was added before).
After these changes, Sentry error reporting will still be functional, but some details such as server-side transactions (and consequently, distributed traces between client and server) will be omitted. We therefore still recommend to update to 7.87.0 as soon as you can.
References
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@sentry/astro"
},
"ranges": [
{
"events": [
{
"introduced": "7.78.0"
},
{
"fixed": "7.87.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-50249"
],
"database_specific": {
"cwe_ids": [
"CWE-1333",
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2023-12-18T20:00:55Z",
"nvd_published_at": "2023-12-20T14:15:21Z",
"severity": "HIGH"
},
"details": "### Impact\nA ReDoS (Regular expression Denial of Service) vulnerability has been identified in Sentry\u0027s Astro SDK 7.78.0-7.86.0. Under certain conditions, this vulnerability allows an attacker to cause excessive computation times on the server, leading to denial of service (DoS).\n\nApplications that are using Sentry\u0027s Astro SDK are affected if:\n\n1. They\u0027re using Sentry instrumentation:\n - they have [manually registered](https://docs.sentry.io/platforms/javascript/guides/astro/manual-setup/#manually-add-server-instrumentation) Sentry Middleware (affected versions 7.78.0-7.86.0);\n - or [configured](https://docs.sentry.io/platforms/javascript/guides/astro/manual-setup/#configure-server-instrumentation) Astro in SSR (server) or hybrid mode, use Astro 3.5.0 and newer and didn\u2019t [disable the automatic server instrumentation](https://docs.sentry.io/platforms/javascript/guides/astro/manual-setup/#disable-auto-server-instrumentation) (affected versions 7.82.0-7.86.0).\n2. They have configured routes with at least two path params (e.g. `/foo/[p1]/bar/[p2]`).\n\n### Patches\nThe problem has been patched in [@sentry/astro@7.87.0](https://www.npmjs.com/package/@sentry/astro/v/7.87.0).\nThe corresponding PR: https://github.com/getsentry/sentry-javascript/pull/9815\n\n### Workarounds\nWe strongly recommend upgrading to the latest SDK version. However, if it\u0027s not possible, the steps to mitigate the vulnerability without upgrade are:\n* [disable auto instrumentation](https://docs.sentry.io/platforms/javascript/guides/astro/manual-setup/#disable-auto-server-instrumentation) if you\u0027re using Astro 3.5.0 or newer\n* and remove the manually added Sentry middleware (if it was [added](https://docs.sentry.io/platforms/javascript/guides/astro/manual-setup/#manually-add-server-instrumentation) before).\n\nAfter these changes, Sentry error reporting will still be functional, but some details such as server-side transactions (and consequently, distributed traces between client and server) will be omitted. We therefore still recommend to update to 7.87.0 as soon as you can. \n\n### References\n* [Sentry docs: Manual Setup for Astro](https://docs.sentry.io/platforms/javascript/guides/astro/manual-setup/)\n* [Release notes: sentry-javascript 7.87.0](https://github.com/getsentry/sentry-javascript/releases/tag/7.87.0)\n* [npm: @sentry/astro@7.87.0](https://www.npmjs.com/package/@sentry/astro/v/7.87.0)",
"id": "GHSA-x3v3-8xg8-8v72",
"modified": "2023-12-28T22:03:19Z",
"published": "2023-12-18T20:00:55Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/getsentry/sentry-javascript/security/advisories/GHSA-x3v3-8xg8-8v72"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50249"
},
{
"type": "WEB",
"url": "https://github.com/getsentry/sentry-javascript/pull/9815"
},
{
"type": "WEB",
"url": "https://github.com/getsentry/sentry-javascript/commit/fe24eb5eefa9d27b14b2b6f9ebd1debca1c208fb"
},
{
"type": "WEB",
"url": "https://docs.sentry.io/platforms/javascript/guides/astro/manual-setup/#disable-auto-server-instrumentation"
},
{
"type": "PACKAGE",
"url": "https://github.com/getsentry/sentry-javascript"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/package/@sentry/astro/v/7.87.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Sentry\u0027s Astro SDK vulnerable to ReDoS"
}
GHSA-X4C5-C7RF-JJGV
Vulnerability from github – Published: 2025-02-14 17:56 – Updated: 2026-02-17 16:11Summary
By crafting specific options parameters, the endpoint.parse(options) call can be triggered, leading to a regular expression denial-of-service (ReDoS) attack. This causes the program to hang and results in high CPU utilization.
Details
The issue occurs in the parse function within the parse.ts file of the npm package @octokit/endpoint. The specific code is located at the following link: https://github.com/octokit/endpoint.js/blob/main/src/parse.ts, at line 62:
headers.accept.match(/[\w-]+(?=-preview)/g) || ([] as string[]);
The regular expression /[\w-]+(?=-preview)/g encounters a backtracking issue when it processes a large number of characters followed by the - symbol.
e.g., the attack string:
"" + "A".repeat(100000) + "-"
PoC
The gist
Here is the reproduction process for the vulnerability:
1. run npm i @octokit/endpoint
2. Move poc.js to the root directory of the same level as README.md
3. run node poc.js
result:
4. then the program will be stuck forever with high CPU usage
import { endpoint } from "@octokit/endpoint";
// import { parse } from "./node_modules/@octokit/endpoint/dist-src/parse.js";
const options = {
method: "POST",
url: "/graphql", // Ensure that the URL ends with "/graphql"
headers: {
accept: "" + "A".repeat(100000) + "-", // Pass in the attack string
"content-type": "text/plain",
},
mediaType: {
previews: ["test-preview"], // Ensure that mediaType.previews exists and has values
format: "raw", // Optional media format
},
baseUrl: "https://api.github.com",
};
const startTime = performance.now();
endpoint.parse(options);
const endTime = performance.now();
const duration = endTime - startTime;
console.log(`Endpoint execution time: ${duration} ms`);
-
Import the
endpointmodule: First, import theendpointmodule from the npm package@octokit/endpoint, which is used for handling GitHub API requests. -
Construct the
optionsobject that triggers a ReDoS attack: The following member variables are critical in constructing theoptionsobject: url: Set to"/graphql", ensuring the URL ends with/graphqlto match the format for GitHub's GraphQL API.headers:accept: A long attack string is crafted with"A".repeat(100000) + "-", which will be passed to the regular expression and cause a backtracking attack (ReDoS).-
mediaType:previews: Set to["test-preview"], ensuringmediaType.previewsexists and has values.format: Set to"raw", indicating raw data format. -
Call the
endpoint.parse(options)function and record the time: Call theendpoint.parse(options)function and useperformance.now()to record the start and end times, measuring the execution duration. -
Calculate the time difference and output it: Compute the difference between the start and end times and output it using
console.log. When the attack string length reaches 100000, the response time typically exceeds 10000 milliseconds, satisfying the characteristic condition for a ReDoS attack, where response times dramatically increase.
Impact
What kind of vulnerability is it?
This is a Regular Expression Denial of Service (ReDoS) vulnerability. It arises from inefficient regular expressions that can cause excessive backtracking when processing certain inputs. Specifically, the regular expression /[\w-]+(?=-preview)/g is vulnerable because it attempts to match long strings of characters followed by a hyphen (-), which leads to inefficient backtracking when provided with specially crafted attack strings. This backtracking results in high CPU utilization, causing the application to become unresponsive and denying service to legitimate users.
Who is impacted?
This vulnerability impacts any application that uses the affected regular expression in conjunction with user-controlled inputs, particularly where large or maliciously crafted strings can trigger excessive backtracking.
In addition to directly affecting applications using the @octokit/endpoint package, the impact is more widespread because @octokit/endpoint is a library used to wrap REST APIs, including GitHub's API. This means that any system or service built on top of this library that interacts with GitHub or other REST APIs could be vulnerable. Given the extensive use of this package in API communication, the potential for exploitation is broad and serious. The vulnerability could affect a wide range of applications, from small integrations to large enterprise-level systems, especially those relying on the package to handle API requests.
Attackers can exploit this vulnerability to cause performance degradation, downtime, and service disruption, making it a critical issue for anyone using the affected version of @octokit/endpoint.
Solution
To resolve the ReDoS vulnerability, the regular expression should be updated to avoid excessive backtracking. By modifying the regular expression to (?<![\w-])[\w-]+(?=-preview), we prevent the issue.
Here is how this change solves the problem:
- Old Regular Expression:
/[\w-]+(?=-preview)/g - This regular expression matches any sequence of word characters (
\w) and hyphens (-) followed by-preview. - The issue arises when the regex engine encounters a long string of characters followed by a
-, causing excessive backtracking and high CPU usage. - New Regular Expression:
(?<![\w-])[\w-]+(?=-preview) - This updated regular expression uses a negative lookbehind
(?<![\w-]), ensuring that the matched string is not preceded by any word characters or hyphens (\wor-). - The new expression still matches sequences of word characters and hyphens, but the negative lookbehind ensures it doesn't cause backtracking issues when processing long attack strings.
- By adding this lookbehind, we effectively prevent the vulnerability, ensuring the regex operates efficiently without excessive backtracking.
Full Solution Example:
The specific code is located at the following link: https://github.com/octokit/endpoint.js/blob/main/src/parse.ts, at line 62:
1. Update the Regular Expression: In the parse.ts file (or wherever the original regex is defined), replace the existing regular expression:
const previewsFromAcceptHeader =
headers.accept.match(/[\w-]+(?=-preview)/g) || ([] as string[]);
With the updated one:
const previewsFromAcceptHeader =
headers.accept.match(/(?<![\w-])[\w-]+(?=-preview)/g) || ([] as string[]);
- Test the Change: After updating the regular expression, thoroughly test the application with both regular and malicious inputs to ensure that:
- The functionality remains correct and the expected matches still occur.
- The performance improves and the ReDoS vulnerability no longer occurs when handling large attack strings.
- Deploy the Fix: Once the solution is verified, deploy the fix to your production environment to protect against potential attacks.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@octokit/endpoint"
},
"ranges": [
{
"events": [
{
"introduced": "9.0.5"
},
{
"fixed": "9.0.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@octokit/endpoint"
},
"ranges": [
{
"events": [
{
"introduced": "10.0.0"
},
{
"fixed": "10.1.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-25285"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2025-02-14T17:56:18Z",
"nvd_published_at": "2025-02-14T20:15:34Z",
"severity": "MODERATE"
},
"details": "### Summary\nBy crafting specific `options` parameters, the `endpoint.parse(options)` call can be triggered, leading to a regular expression denial-of-service (ReDoS) attack. This causes the program to hang and results in high CPU utilization.\n\n### Details\nThe issue occurs in the `parse` function within the `parse.ts` file of the npm package `@octokit/endpoint`. The specific code is located at the following link: https://github.com/octokit/endpoint.js/blob/main/src/parse.ts, at line 62:\n```ts\nheaders.accept.match(/[\\w-]+(?=-preview)/g) || ([] as string[]);\n```\nThe regular expression `/[\\w-]+(?=-preview)/g` encounters a backtracking issue when it processes `a large number of characters` followed by the `-` symbol.\ne.g., the attack string: \n```js\n\"\" + \"A\".repeat(100000) + \"-\"\n```\n\n### PoC\n[The gist](https://gist.github.com/ShiyuBanzhou/a17202ac1ad403a80ca302466d5e56c4)\nHere is the reproduction process for the vulnerability:\n1. run `npm i @octokit/endpoint`\n2. Move `poc.js` to the root directory of the same level as `README.md`\n3. run `node poc.js`\nresult:\n4. then the program will be stuck forever with high CPU usage\n```js\nimport { endpoint } from \"@octokit/endpoint\";\n// import { parse } from \"./node_modules/@octokit/endpoint/dist-src/parse.js\";\nconst options = { \n method: \"POST\",\n url: \"/graphql\", // Ensure that the URL ends with \"/graphql\"\n headers: {\n accept: \"\" + \"A\".repeat(100000) + \"-\", // Pass in the attack string\n \"content-type\": \"text/plain\",\n },\n mediaType: {\n previews: [\"test-preview\"], // Ensure that mediaType.previews exists and has values\n format: \"raw\", // Optional media format\n },\n baseUrl: \"https://api.github.com\",\n};\n\nconst startTime = performance.now();\nendpoint.parse(options);\nconst endTime = performance.now();\nconst duration = endTime - startTime;\nconsole.log(`Endpoint execution time: ${duration} ms`);\n```\n1. **Import the `endpoint` module**: First, import the `endpoint` module from the npm package `@octokit/endpoint`, which is used for handling GitHub API requests.\n\n2. **Construct the `options` object that triggers a ReDoS attack**: The following member variables are critical in constructing the `options` object:\n- `url`: Set to `\"/graphql\"`, ensuring the URL ends with `/graphql` to match the format for GitHub\u0027s GraphQL API.\n- `headers`:\n\u003e `accept`: A long attack string is crafted with `\"A\".repeat(100000) + \"-\"`, which will be passed to the regular expression and cause a backtracking attack (ReDoS).\n\u003e \n- `mediaType`:\n\u003e`previews`: Set to `[\"test-preview\"]`, ensuring `mediaType.previews` exists and has values.\n\u003e\n\u003e`format`: Set to `\"raw\"`, indicating raw data format.\n\n3. **Call the `endpoint.parse(options)` function and record the time**: Call the `endpoint.parse(options)` function and use `performance.now()` to record the start and end times, measuring the execution duration.\n\n4. **Calculate the time difference and output it**: Compute the difference between the start and end times and output it using `console.log`. When the attack string length reaches 100000, the response time typically exceeds 10000 milliseconds, satisfying the characteristic condition for a ReDoS attack, where response times dramatically increase.\n\u003cimg width=\"800\" alt=\"2\" src=\"https://github.com/user-attachments/assets/9fc865a4-e150-42d5-bcd5-93ab6b0c29ef\" /\u003e\n\n### Impact\n#### What kind of vulnerability is it?\nThis is a **Regular Expression Denial of Service (ReDoS)** vulnerability. It arises from inefficient regular expressions that can cause excessive backtracking when processing certain inputs. Specifically, the regular expression `/[\\w-]+(?=-preview)/g` is vulnerable because it attempts to match long strings of characters followed by a hyphen (`-`), which leads to inefficient backtracking when provided with specially crafted attack strings. This backtracking results in high CPU utilization, causing the application to become unresponsive and denying service to legitimate users.\n#### Who is impacted?\nThis vulnerability impacts any application that uses the affected regular expression in conjunction with user-controlled inputs, particularly where large or maliciously crafted strings can trigger excessive backtracking.\nIn addition to directly affecting applications using the `@octokit/endpoint` package, the impact is more widespread because `@octokit/endpoint` is a library used to wrap REST APIs, including GitHub\u0027s API. This means that any system or service built on top of this library that interacts with GitHub or other REST APIs could be vulnerable. Given the extensive use of this package in API communication, the potential for exploitation is broad and serious. The vulnerability could affect a wide range of applications, from small integrations to large enterprise-level systems, especially those relying on the package to handle API requests.\nAttackers can exploit this vulnerability to cause performance degradation, downtime, and service disruption, making it a critical issue for anyone using the affected version of `@octokit/endpoint`.\n\n### Solution\nTo resolve the ReDoS vulnerability, the regular expression should be updated to avoid excessive backtracking. By modifying the regular expression to `(?\u003c![\\w-])[\\w-]+(?=-preview)`, we prevent the issue.\nHere is how this change solves the problem:\n\n1. **Old Regular Expression**: `/[\\w-]+(?=-preview)/g`\n- This regular expression matches any sequence of word characters (`\\w`) and hyphens (`-`) followed by `-preview`.\n- The issue arises when the regex engine encounters a long string of characters followed by a `-`, causing excessive backtracking and high CPU usage.\n2. **New Regular Expression**: `(?\u003c![\\w-])[\\w-]+(?=-preview)`\n- This updated regular expression uses a negative lookbehind `(?\u003c![\\w-])`, ensuring that the matched string is not preceded by any word characters or hyphens (`\\w` or `-`).\n- The new expression still matches sequences of word characters and hyphens, but the negative lookbehind ensures it doesn\u0027t cause backtracking issues when processing long attack strings.\n- By adding this lookbehind, we effectively prevent the vulnerability, ensuring the regex operates efficiently without excessive backtracking.\n\n#### Full Solution Example:\nThe specific code is located at the following link: https://github.com/octokit/endpoint.js/blob/main/src/parse.ts, at line 62:\n1. **Update the Regular Expression**: In the `parse.ts` file (or wherever the original regex is defined), replace the existing regular expression:\n```ts\nconst previewsFromAcceptHeader =\n headers.accept.match(/[\\w-]+(?=-preview)/g) || ([] as string[]);\n```\nWith the updated one:\n```ts\nconst previewsFromAcceptHeader =\n headers.accept.match(/(?\u003c![\\w-])[\\w-]+(?=-preview)/g) || ([] as string[]);\n```\n\n2. **Test the Change**: After updating the regular expression, thoroughly test the application with both regular and malicious inputs to ensure that:\n- The functionality remains correct and the expected matches still occur.\n- The performance improves and the ReDoS vulnerability no longer occurs when handling large attack strings.\n3. **Deploy the Fix**: Once the solution is verified, deploy the fix to your production environment to protect against potential attacks.",
"id": "GHSA-x4c5-c7rf-jjgv",
"modified": "2026-02-17T16:11:00Z",
"published": "2025-02-14T17:56:18Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/octokit/endpoint.js/security/advisories/GHSA-x4c5-c7rf-jjgv"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-25285"
},
{
"type": "WEB",
"url": "https://github.com/octokit/endpoint.js/commit/6c9c5be033c450d436efb37de41b6470c22f7db8"
},
{
"type": "PACKAGE",
"url": "https://github.com/octokit/endpoint.js"
},
{
"type": "WEB",
"url": "https://github.com/octokit/endpoint.js/blob/main/src/parse.ts"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "@octokit/endpoint has a Regular Expression in parse that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking"
}
Mitigation
Use regular expressions that do not support backtracking, e.g. by removing nested quantifiers.
Mitigation
Set backtracking limits in the configuration of the regular expression implementation, such as PHP's pcre.backtrack_limit. Also consider limits on execution time for the process.
Mitigation
Do not use regular expressions with untrusted input. If regular expressions must be used, avoid using backtracking in the expression.
Mitigation
Limit the length of the input that the regular expression will process.
CAPEC-492: Regular Expression Exponential Blowup
An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions.