CWE-185
Allowed-with-ReviewIncorrect Regular Expression
Abstraction: Class · Status: Draft
The product specifies a regular expression in a way that causes data to be improperly matched or compared.
70 vulnerabilities reference this CWE, most recent first.
GHSA-MPCW-3J5P-P99X
Vulnerability from github – Published: 2024-10-24 18:27 – Updated: 2024-10-24 18:27Summary
Usage of the Butterfly.prototype.parseJSON or getJSON functions on an attacker-controlled crafted input string allows the attacker to execute arbitrary JavaScript code on the server.
Since Butterfly JavaScript code has access to Java classes, it can run arbitrary programs.
Details
The parseJSON function (edu/mit/simile/butterfly/Butterfly.js:64) works by calling eval, an approach that goes back to the original library by Crockford, before JSON was part of the ECMAScript language. It uses a regular expression to remove strings from the input, then checks that there are no unexpected characters in the non-string remainder.
However, the regex is imperfect, as was discovered earlier by Mike Samuel; specifically, the "cleaner" can be tricked into treating part of the input as a string that the "evaluator" does not, because of a difference in interpretation regarding the the Unicode zero-width joiner character. Representing that character with a visible symbol, a malicious input looks like:
"\�\", Packages.java.lang.Runtime.getRuntime().exec('gnome-calculator')) // "
This is understood...
- by
JSON_cleaning_REas a single string, and because it is a string it can be collapsed to nothing, which is not problematic, so the original input proceeds toeval. - by the
evalfunction, which ignores zero-width joiners entirely, as a string containing a single escaped backslash, followed by a comma, then a function call, closing parenthesis, and finally a line comment.
The function call is evaluated, and a calculator is opened.
Possible mitigations and additional defenses could include:
- Replacing the JSON implementation with Rhino's built-in implementation.
- Dropping all JSON-related and JSONP-related code entirely.
- Restricting the access the JavaScript controller code has to the rest of the system by using
initSafeStandardObjectsinstead ofinitStandardObjects, usingsetClassShutter, and so on.
PoC
Change OpenRefine core controller.js to add a call to the vulnerable getJSON function:
diff --git a/main/webapp/modules/core/MOD-INF/controller.js b/main/webapp/modules/core/MOD-INF/controller.js
index 4ceba0676..1ce0936d2 100644
--- a/main/webapp/modules/core/MOD-INF/controller.js
+++ b/main/webapp/modules/core/MOD-INF/controller.js
@@ -631,0 +632,5 @@ function process(path, request, response) {
+ if (path == "getjsontest") {
+ butterfly.getJSON(request);
+ return true;
+ }
+
Then, restart OpenRefine and submit the malicious request. For example, the following bash command (with $' quoting) should do it:
curl -H 'Content-Type: application/json;charset=utf-8' --data $'"\\\u200d\\", Packages.java.lang.Runtime.getRuntime().exec(\'gnome-calculator\')) // "' http://localhost:3333/getjsontest
Impact
Any JavaScript controller that calls one of these functions is vulnerable to remote code execution.
OpenRefine itself seems unaffected; both OpenRefine and jQuery have their own functions also called parseJSON and getJSON, but those are unrelated.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.openrefine.dependencies:butterfly"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.2.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-185",
"CWE-95"
],
"github_reviewed": true,
"github_reviewed_at": "2024-10-24T18:27:50Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Summary\n\nUsage of the `Butterfly.prototype.parseJSON` or `getJSON` functions on an attacker-controlled crafted input string allows the attacker to execute arbitrary JavaScript code on the server.\n\nSince Butterfly JavaScript code has access to Java classes, it can run arbitrary programs.\n\n### Details\n\nThe `parseJSON` function (edu/mit/simile/butterfly/Butterfly.js:64) works by calling `eval`, an approach that goes back to the original library by Crockford, before JSON was part of the ECMAScript language. It uses a regular expression to remove strings from the input, then checks that there are no unexpected characters in the non-string remainder.\n\nHowever, the regex is imperfect, as was [discovered earlier by Mike Samuel](https://dev.to/mikesamuel/2008-silently-securing-jsonparse-5cbb); specifically, the \"cleaner\" can be tricked into treating part of the input as a string that the \"evaluator\" does not, because of a difference in interpretation regarding the [the Unicode zero-width joiner character](https://unicode-explorer.com/c/200D). Representing that character with a visible symbol, a malicious input looks like:\n\n```js\n\"\\\ufffd\\\", Packages.java.lang.Runtime.getRuntime().exec(\u0027gnome-calculator\u0027)) // \"\n```\n\nThis is understood...\n\n* by `JSON_cleaning_RE` as a single string, and because it is a string it can be collapsed to nothing, which is not problematic, so the original input proceeds to `eval`.\n* by the `eval` function, which ignores zero-width joiners entirely, as a string containing a single escaped backslash, followed by a comma, then a function call, closing parenthesis, and finally a line comment.\n \nThe function call is evaluated, and a calculator is opened.\n\nPossible mitigations and additional defenses could include:\n\n* Replacing the JSON implementation with Rhino\u0027s built-in implementation.\n* Dropping all JSON-related and JSONP-related code entirely.\n* Restricting the access the JavaScript controller code has to the rest of the system by using `initSafeStandardObjects` instead of `initStandardObjects`, using `setClassShutter`, and so on.\n\n### PoC\n\nChange OpenRefine `core` `controller.js` to add a call to the vulnerable `getJSON` function:\n\n```diff\ndiff --git a/main/webapp/modules/core/MOD-INF/controller.js b/main/webapp/modules/core/MOD-INF/controller.js\nindex 4ceba0676..1ce0936d2 100644\n--- a/main/webapp/modules/core/MOD-INF/controller.js\n+++ b/main/webapp/modules/core/MOD-INF/controller.js\n@@ -631,0 +632,5 @@ function process(path, request, response) {\n+ if (path == \"getjsontest\") {\n+ butterfly.getJSON(request);\n+ return true;\n+ }\n+\n```\n\nThen, restart OpenRefine and submit the malicious request. For example, the following `bash` command (with $\u0027 quoting) should do it:\n\n```\ncurl -H \u0027Content-Type: application/json;charset=utf-8\u0027 --data $\u0027\"\\\\\\u200d\\\\\", Packages.java.lang.Runtime.getRuntime().exec(\\\u0027gnome-calculator\\\u0027)) // \"\u0027 http://localhost:3333/getjsontest\n```\n\n### Impact\n\nAny JavaScript controller that calls one of these functions is vulnerable to remote code execution.\n\nOpenRefine itself seems unaffected; both OpenRefine and jQuery have their own functions also called parseJSON and getJSON, but those are unrelated.",
"id": "GHSA-mpcw-3j5p-p99x",
"modified": "2024-10-24T18:27:50Z",
"published": "2024-10-24T18:27:50Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/OpenRefine/simile-butterfly/security/advisories/GHSA-mpcw-3j5p-p99x"
},
{
"type": "WEB",
"url": "https://github.com/OpenRefine/simile-butterfly/commit/2ad1fa4cd8afe3c920c8e6e04fe7a7df5cf8294e"
},
{
"type": "PACKAGE",
"url": "https://github.com/OpenRefine/simile-butterfly"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Butterfly\u0027s parseJSON, getJSON functions eval malicious input, leading to remote code execution (RCE)"
}
GHSA-MVF3-QJ92-4C7R
Vulnerability from github – Published: 2024-04-09 15:30 – Updated: 2025-02-07 21:30An Incorrect Regular Expression vulnerability in Bitdefender GravityZone Update Server allows an attacker to cause a Server Side Request Forgery and reconfigure the relay. This issue affects the following products that include the vulnerable component:
Bitdefender Endpoint Security for Linux version 7.0.5.200089 Bitdefender Endpoint Security for Windows version 7.9.9.380 GravityZone Control Center (On Premises) version 6.36.1
{
"affected": [],
"aliases": [
"CVE-2024-2223"
],
"database_specific": {
"cwe_ids": [
"CWE-185",
"CWE-697"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-09T13:15:33Z",
"severity": "HIGH"
},
"details": "An Incorrect Regular Expression vulnerability in Bitdefender GravityZone Update Server allows an attacker to cause a Server Side Request Forgery and reconfigure the relay. This issue affects the following products that include the vulnerable component:\u00a0\n\nBitdefender Endpoint Security for Linux version 7.0.5.200089\nBitdefender Endpoint Security for\u00a0 Windows version 7.9.9.380\nGravityZone Control Center (On Premises) version 6.36.1",
"id": "GHSA-mvf3-qj92-4c7r",
"modified": "2025-02-07T21:30:51Z",
"published": "2024-04-09T15:30:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2223"
},
{
"type": "WEB",
"url": "https://www.bitdefender.com/support/security-advisories/incorrect-regular-expression-in-gravityzone-update-server-va-11465"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PCCM-W2W7-V4P2
Vulnerability from github – Published: 2022-05-24 16:48 – Updated: 2024-04-04 00:57An issue was discovered in Artifex MuJS 1.0.5. regcompx in regexp.c does not restrict regular expression program size, leading to an overflow of the parsed syntax list size.
{
"affected": [],
"aliases": [
"CVE-2019-12798"
],
"database_specific": {
"cwe_ids": [
"CWE-185"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-06-13T17:29:00Z",
"severity": "CRITICAL"
},
"details": "An issue was discovered in Artifex MuJS 1.0.5. regcompx in regexp.c does not restrict regular expression program size, leading to an overflow of the parsed syntax list size.",
"id": "GHSA-pccm-w2w7-v4p2",
"modified": "2024-04-04T00:57:18Z",
"published": "2022-05-24T16:48:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-12798"
},
{
"type": "WEB",
"url": "http://git.ghostscript.com/?p=mujs.git%3Bh=7f50591861525f76e3ec7a63392656ff8c030af9"
},
{
"type": "WEB",
"url": "http://git.ghostscript.com/?p=mujs.git;h=7f50591861525f76e3ec7a63392656ff8c030af9"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/108774"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PRCQ-52F8-FP44
Vulnerability from github – Published: 2022-05-17 05:19 – Updated: 2024-09-05 21:32Apache Libcloud before 0.11.1 uses an incorrect regular expression during verification of whether the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a crafted certificate.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "apache-libcloud"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.11.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2012-3446"
],
"database_specific": {
"cwe_ids": [
"CWE-185",
"CWE-20",
"CWE-295"
],
"github_reviewed": true,
"github_reviewed_at": "2024-01-12T20:09:02Z",
"nvd_published_at": "2012-11-04T22:55:00Z",
"severity": "MODERATE"
},
"details": "Apache Libcloud before 0.11.1 uses an incorrect regular expression during verification of whether the server hostname matches a domain name in the subject\u0027s Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a crafted certificate.",
"id": "GHSA-prcq-52f8-fp44",
"modified": "2024-09-05T21:32:21Z",
"published": "2022-05-17T05:19:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-3446"
},
{
"type": "WEB",
"url": "https://github.com/apache/libcloud/commit/f2af5502dae3ac63e656dd1b7d5f29cc82ded401"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/libcloud"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-libcloud/PYSEC-2012-12.yaml"
},
{
"type": "WEB",
"url": "https://svn.apache.org/repos/asf/libcloud/trunk/CHANGES"
},
{
"type": "WEB",
"url": "http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Apache Libcloud vulnerable to certificate impersonation"
}
GHSA-PVFR-M224-2VM2
Vulnerability from github – Published: 2022-05-24 16:44 – Updated: 2022-05-24 16:44An issue was discovered in OWASP ModSecurity Core Rule Set (CRS) through 3.1.0. /rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf allows remote attackers to cause a denial of service (ReDOS) by entering a specially crafted string with $a# at the beginning and nested repetition operators.
{
"affected": [],
"aliases": [
"CVE-2019-11391"
],
"database_specific": {
"cwe_ids": [
"CWE-185",
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-04-21T02:29:00Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in OWASP ModSecurity Core Rule Set (CRS) through 3.1.0. /rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf allows remote attackers to cause a denial of service (ReDOS) by entering a specially crafted string with $a# at the beginning and nested repetition operators.",
"id": "GHSA-pvfr-m224-2vm2",
"modified": "2022-05-24T16:44:03Z",
"published": "2022-05-24T16:44:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11391"
},
{
"type": "WEB",
"url": "https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1357"
},
{
"type": "WEB",
"url": "https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1372"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-QCVW-82HH-GQ38
Vulnerability from github – Published: 2022-05-24 16:53 – Updated: 2023-07-17 21:05Istio before 1.1.13 and 1.2.x before 1.2.4 mishandles regular expressions for long URIs, leading to a denial of service during use of the JWT, VirtualService, HTTPAPISpecBinding, or QuotaSpecBinding API.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "istio.io/istio"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.1.13"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "istio.io/istio"
},
"ranges": [
{
"events": [
{
"introduced": "1.2.0"
},
{
"fixed": "1.2.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2019-14993"
],
"database_specific": {
"cwe_ids": [
"CWE-185"
],
"github_reviewed": true,
"github_reviewed_at": "2023-07-17T21:05:13Z",
"nvd_published_at": "2019-08-13T18:15:00Z",
"severity": "HIGH"
},
"details": "Istio before 1.1.13 and 1.2.x before 1.2.4 mishandles regular expressions for long URIs, leading to a denial of service during use of the JWT, VirtualService, HTTPAPISpecBinding, or QuotaSpecBinding API.",
"id": "GHSA-qcvw-82hh-gq38",
"modified": "2023-07-17T21:05:13Z",
"published": "2022-05-24T16:53:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14993"
},
{
"type": "WEB",
"url": "https://github.com/envoyproxy/envoy/issues/7728"
},
{
"type": "WEB",
"url": "https://discuss.istio.io/t/upcoming-security-updates-in-istio-1-2-4-and-1-1-13/3383"
},
{
"type": "WEB",
"url": "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=86164"
},
{
"type": "WEB",
"url": "https://istio.io/blog/2019/istio-security-003-004"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Istio ReDoS Vulnerability"
}
GHSA-QVJC-G5VR-MFGR
Vulnerability from github – Published: 2020-09-04 18:03 – Updated: 2025-06-16 14:03Versions of papaparse prior to 5.2.0 are vulnerable to Regular Expression Denial of Service (ReDos). The parse function contains a malformed regular expression that takes exponentially longer to process non-numerical inputs. This allows attackers to stall systems and lead to Denial of Service.
Recommendation
Upgrade to version 5.2.0 or later.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "papaparse"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.2.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-36649"
],
"database_specific": {
"cwe_ids": [
"CWE-185"
],
"github_reviewed": true,
"github_reviewed_at": "2020-08-31T19:02:01Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "Versions of `papaparse` prior to 5.2.0 are vulnerable to Regular Expression Denial of Service (ReDos). The `parse` function contains a malformed regular expression that takes exponentially longer to process non-numerical inputs. This allows attackers to stall systems and lead to Denial of Service.\n\n\n## Recommendation\n\nUpgrade to version 5.2.0 or later.",
"id": "GHSA-qvjc-g5vr-mfgr",
"modified": "2025-06-16T14:03:31Z",
"published": "2020-09-04T18:03:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36649"
},
{
"type": "WEB",
"url": "https://github.com/mholt/PapaParse/issues/777"
},
{
"type": "WEB",
"url": "https://github.com/mholt/PapaParse/pull/779"
},
{
"type": "WEB",
"url": "https://github.com/mholt/PapaParse/commit/235a12758cd77266d2e98fd715f53536b34ad621"
},
{
"type": "PACKAGE",
"url": "https://github.com/mholt/PapaParse"
},
{
"type": "WEB",
"url": "https://github.com/mholt/PapaParse/releases/tag/5.2.0"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JS-PAPAPARSE-564258"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.218004"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.218004"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Regular Expression Denial of Service in papaparse"
}
GHSA-QW55-M3PM-VWHH
Vulnerability from github – Published: 2022-05-24 16:44 – Updated: 2022-05-24 16:44An issue was discovered in OWASP ModSecurity Core Rule Set (CRS) through 3.1.0. /rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf allows remote attackers to cause a denial of service (ReDOS) by entering a specially crafted string with set_error_handler# at the beginning and nested repetition operators.
{
"affected": [],
"aliases": [
"CVE-2019-11390"
],
"database_specific": {
"cwe_ids": [
"CWE-185",
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-04-21T02:29:00Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in OWASP ModSecurity Core Rule Set (CRS) through 3.1.0. /rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf allows remote attackers to cause a denial of service (ReDOS) by entering a specially crafted string with set_error_handler# at the beginning and nested repetition operators.",
"id": "GHSA-qw55-m3pm-vwhh",
"modified": "2022-05-24T16:44:02Z",
"published": "2022-05-24T16:44:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11390"
},
{
"type": "WEB",
"url": "https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1358"
},
{
"type": "WEB",
"url": "https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1372"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-R28V-MW67-M5P9
Vulnerability from github – Published: 2019-01-04 17:50 – Updated: 2024-09-18 19:45An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. The django.utils.html.urlize() function was extremely slow to evaluate certain inputs due to catastrophic backtracking vulnerabilities in two regular expressions (only one regular expression for Django 1.8.x). The urlize() function is used to implement the urlize and urlizetrunc template filters, which were thus vulnerable.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "Django"
},
"ranges": [
{
"events": [
{
"introduced": "2.0a1"
},
{
"fixed": "2.0.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "Django"
},
"ranges": [
{
"events": [
{
"introduced": "1.11a1"
},
{
"fixed": "1.11.11"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "Django"
},
"ranges": [
{
"events": [
{
"introduced": "1.8a1"
},
{
"fixed": "1.8.19"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2018-7536"
],
"database_specific": {
"cwe_ids": [
"CWE-185"
],
"github_reviewed": true,
"github_reviewed_at": "2020-06-16T21:53:19Z",
"nvd_published_at": "2018-03-09T20:29:00Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. The `django.utils.html.urlize()` function was extremely slow to evaluate certain inputs due to catastrophic backtracking vulnerabilities in two regular expressions (only one regular expression for Django 1.8.x). The `urlize()` function is used to implement the urlize and urlizetrunc template filters, which were thus vulnerable.",
"id": "GHSA-r28v-mw67-m5p9",
"modified": "2024-09-18T19:45:18Z",
"published": "2019-01-04T17:50:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-7536"
},
{
"type": "WEB",
"url": "https://github.com/django/django/commit/1ca63a66ef3163149ad822701273e8a1844192c2"
},
{
"type": "WEB",
"url": "https://github.com/django/django/commit/abf89d729f210c692a50e0ad3f75fb6bec6fae16"
},
{
"type": "WEB",
"url": "https://github.com/django/django/commit/e157315da3ae7005fa0683ffc9751dbeca7306c8"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:2927"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:0051"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:0082"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:0265"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-r28v-mw67-m5p9"
},
{
"type": "PACKAGE",
"url": "https://github.com/django/django"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2018-5.yaml"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2018/03/msg00006.html"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3591-1"
},
{
"type": "WEB",
"url": "https://web.archive.org/web/20200227131019/http://www.securityfocus.com/bid/103361"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2018/dsa-4161"
},
{
"type": "WEB",
"url": "https://www.djangoproject.com/weblog/2018/mar/06/security-releases"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Django denial-of-service possibility in urlize and urlizetrunc template filters"
}
GHSA-R354-F388-2FHH
Vulnerability from github – Published: 2026-01-27 19:01 – Updated: 2026-01-29 03:39Summary
IP Restriction Middleware in Hono is vulnerable to an IP address validation bypass. The IPV4_REGEX pattern and convertIPv4ToBinary function in src/utils/ipaddr.ts do not properly validate that IPv4 octet values are within the valid range of 0-255, allowing attackers to craft malformed IP addresses that bypass IP-based access controls.
Details
The vulnerability exists in two components:
- Permissive regex pattern: The
IPV4_REGEX (/^[0-9]{0,3}\.[0-9]{0,3}\.[0-9]{0,3}\.[0-9]{0,3}$/)accepts octet values greater than 255 (e.g.,999). - Unsafe binary conversion: The
convertIPv4ToBinaryfunction does not validate octet ranges before performing bitwise operations. When an octet exceeds 255, it overflows into adjacent octets during the bit-shift calculation.
For example, the IP address 1.2.2.355 is accepted and converts to the same binary value as 1.2.3.99:
355=256 + 99=0x163- After bit-shifting:
(1 << 24) + (2 << 16) + (2 << 8) + 355=0x01020363=1.2.3.99
Impact
An attacker can bypass IP-based restrictions by crafting malformed IP addresses:
- Blocklist bypass: If
1.2.3.0/24is blocked, an attacker can use1.2.2.355(or similar) to bypass the restriction. - Allowlist bypass: Requests from unauthorized IP ranges may be incorrectly permitted.
This is exploitable when the application relies on client-provided IP addresses (e.g., X-Forwarded-For header) for access control decisions.
Affected Components
- IP Restriction Middleware
src/utils/ipaddr.ts:IPV4_REGEX,convertIPv4ToBinary,distinctRemoteAddr
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "hono"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.11.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-24398"
],
"database_specific": {
"cwe_ids": [
"CWE-185"
],
"github_reviewed": true,
"github_reviewed_at": "2026-01-27T19:01:43Z",
"nvd_published_at": "2026-01-27T19:16:16Z",
"severity": "MODERATE"
},
"details": "## Summary\n\nIP Restriction Middleware in Hono is vulnerable to an IP address validation bypass. The `IPV4_REGEX` pattern and `convertIPv4ToBinary` function in `src/utils/ipaddr.ts` do not properly validate that IPv4 octet values are within the valid range of 0-255, allowing attackers to craft malformed IP addresses that bypass IP-based access controls.\n\n## Details\n\nThe vulnerability exists in two components:\n\n1. **Permissive regex pattern:** The `IPV4_REGEX (/^[0-9]{0,3}\\.[0-9]{0,3}\\.[0-9]{0,3}\\.[0-9]{0,3}$/)` accepts octet values greater than 255 (e.g., `999`).\n2. **Unsafe binary conversion:** The `convertIPv4ToBinary` function does not validate octet ranges before performing bitwise operations. When an octet exceeds 255, it overflows into adjacent octets during the bit-shift calculation.\n\nFor example, the IP address `1.2.2.355` is accepted and converts to the same binary value as 1.2.3.99:\n\n* `355` = `256 + 99` = `0x163`\n* After bit-shifting: `(1 \u003c\u003c 24) + (2 \u003c\u003c 16) + (2 \u003c\u003c 8) + 355` = `0x01020363` = `1.2.3.99`\n\n## Impact\n\nAn attacker can bypass IP-based restrictions by crafting malformed IP addresses:\n\n* **Blocklist bypass:** If `1.2.3.0/24` is blocked, an attacker can use `1.2.2.355` (or similar) to bypass the restriction.\n* **Allowlist bypass:** Requests from unauthorized IP ranges may be incorrectly permitted.\n\nThis is exploitable when the application relies on client-provided IP addresses (e.g., `X-Forwarded-For header`) for access control decisions.\n\n## Affected Components\n\n* IP Restriction Middleware\n* `src/utils/ipaddr.ts`: `IPV4_REGEX`, `convertIPv4ToBinary`, `distinctRemoteAddr`",
"id": "GHSA-r354-f388-2fhh",
"modified": "2026-01-29T03:39:00Z",
"published": "2026-01-27T19:01:43Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/honojs/hono/security/advisories/GHSA-r354-f388-2fhh"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24398"
},
{
"type": "WEB",
"url": "https://github.com/honojs/hono/commit/edbf6eea8e6c26a3937518d4ed91d8666edeec37"
},
{
"type": "PACKAGE",
"url": "https://github.com/honojs/hono"
},
{
"type": "WEB",
"url": "https://github.com/honojs/hono/releases/tag/v4.11.7"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Hono IPv4 address validation bypass in IP Restriction Middleware allows IP spoofing"
}
Mitigation MIT-45
Strategy: Refactoring
Regular expressions can become error prone when defining a complex language even for those experienced in writing grammars. Determine if several smaller regular expressions simplify one large regular expression. Also, subject the regular expression to thorough testing techniques such as equivalence partitioning, boundary value analysis, and robustness. After testing and a reasonable confidence level is achieved, a regular expression may not be foolproof. If an exploit is allowed to slip through, then record the exploit and refactor the regular expression.
CAPEC-15: Command Delimiters
An attack of this type exploits a programs' vulnerabilities that allows an attacker's commands to be concatenated onto a legitimate command with the intent of targeting other resources such as the file system or database. The system that uses a filter or denylist input validation, as opposed to allowlist validation is vulnerable to an attacker who predicts delimiters (or combinations of delimiters) not present in the filter or denylist. As with other injection attacks, the attacker uses the command delimiter payload as an entry point to tunnel through the application and activate additional attacks through SQL queries, shell commands, network scanning, and so on.
CAPEC-6: Argument Injection
An attacker changes the behavior or state of a targeted application through injecting data or command syntax through the targets use of non-validated and non-filtered arguments of exposed services or methods.
CAPEC-79: Using Slashes in Alternate Encoding
This attack targets the encoding of the Slash characters. An adversary would try to exploit common filtering problems related to the use of the slashes characters to gain access to resources on the target host. Directory-driven systems, such as file systems and databases, typically use the slash character to indicate traversal between directories or other container components. For murky historical reasons, PCs (and, as a result, Microsoft OSs) choose to use a backslash, whereas the UNIX world typically makes use of the forward slash. The schizophrenic result is that many MS-based systems are required to understand both forms of the slash. This gives the adversary many opportunities to discover and abuse a number of common filtering problems. The goal of this pattern is to discover server software that only applies filters to one version, but not the other.