CWE-1333
AllowedInefficient Regular Expression Complexity
Abstraction: Base · Status: Draft
The product uses a regular expression with a worst-case computational complexity that is inefficient and possibly exponential.
724 vulnerabilities reference this CWE, most recent first.
CVE-2025-6492 (GCVE-0-2025-6492)
Vulnerability from cvelistv5 – Published: 2025-06-22 20:00 – Updated: 2025-06-23 16:33| URL | Tags |
|---|---|
| https://vuldb.com/?id.313609 | vdb-entrytechnical-description |
| https://vuldb.com/?ctiid.313609 | signaturepermissions-required |
| https://vuldb.com/?submit.598208 | third-party-advisory |
| https://github.com/marktext/marktext/pull/3952 | issue-tracking |
| https://github.com/mmmsssttt404/marktext/blob/c59… | exploit |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-6492",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-23T16:33:38.178757Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-23T16:33:52.463Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "MarkText",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "0.17.0"
},
{
"status": "affected",
"version": "0.17.1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "mmmsssttt (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been found in MarkText up to 0.17.1 and classified as problematic. Affected by this vulnerability is the function getRecommendTitleFromMarkdownString of the file marktext/src/main/utils/index.js. The manipulation leads to inefficient regular expression complexity. The attack can be launched remotely. The exploit has been disclosed to the public and may be used."
},
{
"lang": "de",
"value": "In MarkText bis 0.17.1 wurde eine Schwachstelle gefunden. Sie wurde als problematisch eingestuft. Hierbei betrifft es die Funktion getRecommendTitleFromMarkdownString der Datei marktext/src/main/utils/index.js. Durch Beeinflussen mit unbekannten Daten kann eine inefficient regular expression complexity-Schwachstelle ausgenutzt werden. Umgesetzt werden kann der Angriff \u00fcber das Netzwerk. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 5,
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-22T20:00:14.265Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-313609 | MarkText index.js getRecommendTitleFromMarkdownString redos",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.313609"
},
{
"name": "VDB-313609 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.313609"
},
{
"name": "Submit #598208 | marktext 0.17.1 Inefficient Regular Expression Complexity",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.598208"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/marktext/marktext/pull/3952"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/mmmsssttt404/marktext/blob/c59b3ad423dfa082869933baf9f5d5c69bdcc560/test/unit/specs/match-electron-accelerator.spec.js#L155-L164"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-06-22T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-06-22T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-06-22T08:10:41.000Z",
"value": "VulDB entry last update"
}
],
"title": "MarkText index.js getRecommendTitleFromMarkdownString redos"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-6492",
"datePublished": "2025-06-22T20:00:14.265Z",
"dateReserved": "2025-06-22T06:05:35.463Z",
"dateUpdated": "2025-06-23T16:33:52.463Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-6069 (GCVE-0-2025-6069)
Vulnerability from cvelistv5 – Published: 2025-06-17 13:39 – Updated: 2026-04-21 20:17- CWE-1333 - Inefficient Regular Expression Complexity
| Vendor | Product | Version | |
|---|---|---|---|
| Python Software Foundation | CPython |
Affected:
0 , < 3.10.19
(python)
Affected: 3.11.0 , < 3.11.14 (python) Affected: 3.12.0 , < 3.12.12 (python) Affected: 3.13.0 , < 3.13.6 (python) Affected: 3.14.0a1 , < 3.14.0b3 (python) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-6069",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-17T13:58:28.646020Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-17T13:58:41.637Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"html.parser"
],
"product": "CPython",
"repo": "https://github.com/python/cpython",
"vendor": "Python Software Foundation",
"versions": [
{
"lessThan": "3.10.19",
"status": "affected",
"version": "0",
"versionType": "python"
},
{
"lessThan": "3.11.14",
"status": "affected",
"version": "3.11.0",
"versionType": "python"
},
{
"lessThan": "3.12.12",
"status": "affected",
"version": "3.12.0",
"versionType": "python"
},
{
"lessThan": "3.13.6",
"status": "affected",
"version": "3.13.0",
"versionType": "python"
},
{
"lessThan": "3.14.0b3",
"status": "affected",
"version": "3.14.0a1",
"versionType": "python"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "remediation developer",
"value": "Serhiy Storchaka"
},
{
"lang": "en",
"type": "reporter",
"value": "Jake Howard"
},
{
"lang": "en",
"type": "finder",
"value": "sw0rd1ight"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The html.parser.HTMLParser class had worse-case quadratic complexity when processing certain crafted malformed inputs potentially leading to amplified denial-of-service."
}
],
"value": "The html.parser.HTMLParser class had worse-case quadratic complexity when processing certain crafted malformed inputs potentially leading to amplified denial-of-service."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "CWE-1333 Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-21T20:17:13.876Z",
"orgId": "28c92f92-d60d-412d-b760-e73465c3df22",
"shortName": "PSF"
},
"references": [
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/python/cpython/issues/135462"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/pull/135464"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/4455cbabf991e202185a25a631af206f60bbc949"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/6eb6c5dbfb528bd07d77b60fd71fd05d81d45c41"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/d851f8e258c7328814943e923a7df81bca15df4b"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://mail.python.org/archives/list/security-announce@python.org/thread/K5PIYLR6EP3WR7ZOKKYQUWEDNQVUXOYM/"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/8d1b3dfa09135affbbf27fb8babcf3c11415df49"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/ab0893fd5c579d9cea30841680e6d35fc478afb5"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/f3c6f882cddc8dc30320d2e73edf019e201394fc"
},
{
"tags": [
"patch"
],
"url": "https://github.com/python/cpython/commit/fdc9d214c01cb4588f540cfa03726bbf2a33fc15"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "HTMLParser quadratic complexity when processing malformed inputs",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "28c92f92-d60d-412d-b760-e73465c3df22",
"assignerShortName": "PSF",
"cveId": "CVE-2025-6069",
"datePublished": "2025-06-17T13:39:46.058Z",
"dateReserved": "2025-06-13T14:05:15.473Z",
"dateUpdated": "2026-04-21T20:17:13.876Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-6051 (GCVE-0-2025-6051)
Vulnerability from cvelistv5 – Published: 2025-09-14 17:03 – Updated: 2025-09-15 15:59- CWE-1333 - Inefficient Regular Expression Complexity
| Vendor | Product | Version | |
|---|---|---|---|
| huggingface | huggingface/transformers |
Affected:
unspecified , < 4.53.0
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-6051",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-15T15:59:46.280744Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-15T15:59:54.371Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "huggingface/transformers",
"vendor": "huggingface",
"versions": [
{
"lessThan": "4.53.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically within the `normalize_numbers()` method of the `EnglishNormalizer` class. This vulnerability affects versions up to 4.52.4 and is fixed in version 4.53.0. The issue arises from the method\u0027s handling of numeric strings, which can be exploited using crafted input strings containing long sequences of digits, leading to excessive CPU consumption. This vulnerability impacts text-to-speech and number normalization tasks, potentially causing service disruption, resource exhaustion, and API vulnerabilities."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "CWE-1333 Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-14T17:03:02.953Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntr_ai"
},
"references": [
{
"url": "https://huntr.com/bounties/af929523-7b59-418a-bf55-301830b2ac9d"
},
{
"url": "https://github.com/huggingface/transformers/commit/ba8eaba9865618253f997784aa565b96206426f0"
}
],
"source": {
"advisory": "af929523-7b59-418a-bf55-301830b2ac9d",
"discovery": "EXTERNAL"
},
"title": "Regular Expression Denial of Service (ReDoS) in huggingface/transformers"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntr_ai",
"cveId": "CVE-2025-6051",
"datePublished": "2025-09-14T17:03:02.953Z",
"dateReserved": "2025-06-13T10:39:33.128Z",
"dateUpdated": "2025-09-15T15:59:54.371Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-5897 (GCVE-0-2025-5897)
Vulnerability from cvelistv5 – Published: 2025-06-09 21:00 – Updated: 2025-06-10 15:29| URL | Tags |
|---|---|
| https://vuldb.com/?id.311669 | vdb-entrytechnical-description |
| https://vuldb.com/?ctiid.311669 | signaturepermissions-required |
| https://vuldb.com/?submit.585798 | third-party-advisory |
| https://github.com/vuejs/vue-cli/pull/7478 | issue-tracking |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-5897",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-10T14:22:17.991193Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-10T15:29:58.751Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/vuejs/vue-cli/pull/7478"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"Markdown Code Handler"
],
"product": "vue-cli",
"vendor": "vuejs",
"versions": [
{
"status": "affected",
"version": "5.0.0"
},
{
"status": "affected",
"version": "5.0.1"
},
{
"status": "affected",
"version": "5.0.2"
},
{
"status": "affected",
"version": "5.0.3"
},
{
"status": "affected",
"version": "5.0.4"
},
{
"status": "affected",
"version": "5.0.5"
},
{
"status": "affected",
"version": "5.0.6"
},
{
"status": "affected",
"version": "5.0.7"
},
{
"status": "affected",
"version": "5.0.8"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "mmmsssttt (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in vuejs vue-cli up to 5.0.8. It has been rated as problematic. This issue affects the function HtmlPwaPlugin of the file packages/@vue/cli-plugin-pwa/lib/HtmlPwaPlugin.js of the component Markdown Code Handler. The manipulation leads to inefficient regular expression complexity. The attack may be initiated remotely."
},
{
"lang": "de",
"value": "Eine Schwachstelle wurde in vuejs vue-cli bis 5.0.8 ausgemacht. Sie wurde als problematisch eingestuft. Hierbei geht es um die Funktion HtmlPwaPlugin der Datei packages/@vue/cli-plugin-pwa/lib/HtmlPwaPlugin.js der Komponente Markdown Code Handler. Mittels Manipulieren mit unbekannten Daten kann eine inefficient regular expression complexity-Schwachstelle ausgenutzt werden. Umgesetzt werden kann der Angriff \u00fcber das Netzwerk."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:X/RL:T/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:X/RL:T/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 4,
"vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P/E:ND/RL:TF/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-09T21:00:17.023Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-311669 | vuejs vue-cli Markdown Code HtmlPwaPlugin.js HtmlPwaPlugin redos",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.311669"
},
{
"name": "VDB-311669 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.311669"
},
{
"name": "Submit #585798 | vue 3.5.15 Inefficient Regular Expression Complexity",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.585798"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/vuejs/vue-cli/pull/7478"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-06-09T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-06-09T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-06-09T09:07:21.000Z",
"value": "VulDB entry last update"
}
],
"title": "vuejs vue-cli Markdown Code HtmlPwaPlugin.js HtmlPwaPlugin redos"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-5897",
"datePublished": "2025-06-09T21:00:17.023Z",
"dateReserved": "2025-06-09T07:02:15.578Z",
"dateUpdated": "2025-06-10T15:29:58.751Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-5896 (GCVE-0-2025-5896)
Vulnerability from cvelistv5 – Published: 2025-06-09 20:31 – Updated: 2025-06-10 15:30| URL | Tags |
|---|---|
| https://vuldb.com/?id.311668 | vdb-entry |
| https://vuldb.com/?ctiid.311668 | signaturepermissions-required |
| https://vuldb.com/?submit.585796 | third-party-advisory |
| https://github.com/NervJS/taro/pull/17619 | issue-tracking |
| https://github.com/NervJS/taro/commit/c2e321a8b6f… | patch |
| https://github.com/NervJS/taro/releases/tag/v4.1.2 | patch |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-5896",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-10T14:23:00.785444Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-10T15:30:17.186Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/NervJS/taro/pull/17619"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "taro",
"vendor": "tarojs",
"versions": [
{
"status": "affected",
"version": "4.1.0"
},
{
"status": "affected",
"version": "4.1.1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "mmmsssttt (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in tarojs taro up to 4.1.1. It has been declared as problematic. This vulnerability affects unknown code of the file taro/packages/css-to-react-native/src/index.js. The manipulation leads to inefficient regular expression complexity. The attack can be initiated remotely. Upgrading to version 4.1.2 is able to address this issue. The name of the patch is c2e321a8b6fc873427c466c69f41ed0b5e8814bf. It is recommended to upgrade the affected component."
},
{
"lang": "de",
"value": "In tarojs taro bis 4.1.1 wurde eine Schwachstelle ausgemacht. Sie wurde als problematisch eingestuft. Dabei geht es um eine nicht genauer bekannte Funktion der Datei taro/packages/css-to-react-native/src/index.js. Mittels dem Manipulieren mit unbekannten Daten kann eine inefficient regular expression complexity-Schwachstelle ausgenutzt werden. Die Umsetzung des Angriffs kann dabei \u00fcber das Netzwerk erfolgen. Ein Aktualisieren auf die Version 4.1.2 vermag dieses Problem zu l\u00f6sen. Der Patch wird als c2e321a8b6fc873427c466c69f41ed0b5e8814bf bezeichnet. Als bestm\u00f6gliche Massnahme wird das Einspielen eines Upgrades empfohlen."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:X/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:X/RL:O/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 4,
"vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P/E:ND/RL:OF/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-09T20:31:07.141Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-311668 | tarojs taro index.js redos",
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/?id.311668"
},
{
"name": "VDB-311668 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.311668"
},
{
"name": "Submit #585796 | @tarojs/taro 4.1.1 Inefficient Regular Expression Complexity",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.585796"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/NervJS/taro/pull/17619"
},
{
"tags": [
"patch"
],
"url": "https://github.com/NervJS/taro/commit/c2e321a8b6fc873427c466c69f41ed0b5e8814bf"
},
{
"tags": [
"patch"
],
"url": "https://github.com/NervJS/taro/releases/tag/v4.1.2"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-06-09T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-06-09T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-06-09T08:58:45.000Z",
"value": "VulDB entry last update"
}
],
"title": "tarojs taro index.js redos"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-5896",
"datePublished": "2025-06-09T20:31:07.141Z",
"dateReserved": "2025-06-09T06:53:29.593Z",
"dateUpdated": "2025-06-10T15:30:17.186Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-5895 (GCVE-0-2025-5895)
Vulnerability from cvelistv5 – Published: 2025-06-09 20:00 – Updated: 2025-06-10 15:30| URL | Tags |
|---|---|
| https://vuldb.com/?id.311667 | vdb-entrytechnical-description |
| https://vuldb.com/?ctiid.311667 | signaturepermissions-required |
| https://vuldb.com/?submit.585795 | third-party-advisory |
| https://github.com/metabase/metabase/pull/57011 | issue-tracking |
| https://github.com/metabase/metabase/pull/57011#p… | exploitissue-tracking |
| https://github.com/metabase/metabase/commit/4454e… | patch |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-5895",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-10T14:23:31.679790Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-10T15:30:32.919Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/metabase/metabase/pull/57011"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Metabase",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "54.10"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "mmmsssttt (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in Metabase 54.10. It has been classified as problematic. This affects the function parseDataUri of the file frontend/src/metabase/lib/dom.js. The manipulation leads to inefficient regular expression complexity. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The patch is named 4454ebbdc7719016bf80ca0f34859ce5cee9f6b0. It is recommended to apply a patch to fix this issue."
},
{
"lang": "de",
"value": "Es wurde eine Schwachstelle in Metabase 54.10 ausgemacht. Sie wurde als problematisch eingestuft. Es geht dabei um die Funktion parseDataUri der Datei frontend/src/metabase/lib/dom.js. Durch Manipulation mit unbekannten Daten kann eine inefficient regular expression complexity-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk passieren. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung. Der Patch wird als 4454ebbdc7719016bf80ca0f34859ce5cee9f6b0 bezeichnet. Als bestm\u00f6gliche Massnahme wird Patching empfohlen."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 4,
"vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-09T20:00:19.261Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-311667 | Metabase dom.js parseDataUri redos",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.311667"
},
{
"name": "VDB-311667 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.311667"
},
{
"name": "Submit #585795 | metabase @metabase 54.10 Inefficient Regular Expression Complexity",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.585795"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/metabase/metabase/pull/57011"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/metabase/metabase/pull/57011#pullrequestreview-2792664135"
},
{
"tags": [
"patch"
],
"url": "https://github.com/metabase/metabase/commit/4454ebbdc7719016bf80ca0f34859ce5cee9f6b0"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-06-09T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-06-09T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-06-09T08:52:20.000Z",
"value": "VulDB entry last update"
}
],
"title": "Metabase dom.js parseDataUri redos"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-5895",
"datePublished": "2025-06-09T20:00:19.261Z",
"dateReserved": "2025-06-09T06:47:00.425Z",
"dateUpdated": "2025-06-10T15:30:32.919Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-5892 (GCVE-0-2025-5892)
Vulnerability from cvelistv5 – Published: 2025-06-09 19:31 – Updated: 2025-06-09 20:01| URL | Tags |
|---|---|
| https://vuldb.com/?id.311663 | vdb-entrytechnical-description |
| https://vuldb.com/?ctiid.311663 | signaturepermissions-required |
| https://vuldb.com/?submit.585751 | third-party-advisory |
| https://github.com/RocketChat/Rocket.Chat/pull/35711 | issue-tracking |
| https://gist.github.com/mmmsssttt404/0fcda3b3e85e… | exploit |
| Vendor | Product | Version | |
|---|---|---|---|
| n/a | RocketChat |
Affected:
7.6.0
Affected: 7.6.1 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-5892",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-09T20:00:15.331917Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-09T20:01:00.258Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/RocketChat/Rocket.Chat/pull/35711"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "RocketChat",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "7.6.0"
},
{
"status": "affected",
"version": "7.6.1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "mmmsssttt (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability, which was classified as problematic, has been found in RocketChat up to 7.6.1. This issue affects the function parseMessage of the file /apps/meteor/app/irc/server/servers/RFC2813/parseMessage.js. The manipulation of the argument line leads to inefficient regular expression complexity. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used."
},
{
"lang": "de",
"value": "Eine Schwachstelle wurde in RocketChat bis 7.6.1 entdeckt. Sie wurde als problematisch eingestuft. Betroffen davon ist die Funktion parseMessage der Datei /apps/meteor/app/irc/server/servers/RFC2813/parseMessage.js. Dank der Manipulation des Arguments line mit unbekannten Daten kann eine inefficient regular expression complexity-Schwachstelle ausgenutzt werden. Die Umsetzung des Angriffs kann dabei \u00fcber das Netzwerk erfolgen. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:T/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:T/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 4,
"vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:TF/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-09T19:31:05.464Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-311663 | RocketChat parseMessage.js parseMessage redos",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.311663"
},
{
"name": "VDB-311663 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.311663"
},
{
"name": "Submit #585751 | @rocket.chat 7.6.1 Inefficient Regular Expression Complexity",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.585751"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/RocketChat/Rocket.Chat/pull/35711"
},
{
"tags": [
"exploit"
],
"url": "https://gist.github.com/mmmsssttt404/0fcda3b3e85edafc4eaa6816aa252deb"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-06-09T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-06-09T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-06-09T08:39:38.000Z",
"value": "VulDB entry last update"
}
],
"title": "RocketChat parseMessage.js parseMessage redos"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-5892",
"datePublished": "2025-06-09T19:31:05.464Z",
"dateReserved": "2025-06-09T06:34:22.713Z",
"dateUpdated": "2025-06-09T20:01:00.258Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-5891 (GCVE-0-2025-5891)
Vulnerability from cvelistv5 – Published: 2025-06-09 19:00 – Updated: 2025-06-09 19:46| URL | Tags |
|---|---|
| https://vuldb.com/?id.311662 | vdb-entry |
| https://vuldb.com/?ctiid.311662 | signaturepermissions-required |
| https://vuldb.com/?submit.585750 | third-party-advisory |
| https://github.com/Unitech/pm2/pull/5971 | issue-tracking |
| https://gist.github.com/mmmsssttt404/407e2ffe3e0e… | exploit |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-5891",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-09T19:25:05.586805Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-09T19:46:05.767Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/Unitech/pm2/pull/5971"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "pm2",
"vendor": "Unitech",
"versions": [
{
"status": "affected",
"version": "6.0.0"
},
{
"status": "affected",
"version": "6.0.1"
},
{
"status": "affected",
"version": "6.0.2"
},
{
"status": "affected",
"version": "6.0.3"
},
{
"status": "affected",
"version": "6.0.4"
},
{
"status": "affected",
"version": "6.0.5"
},
{
"status": "affected",
"version": "6.0.6"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "mmmsssttt (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability classified as problematic was found in Unitech pm2 up to 6.0.6. This vulnerability affects unknown code of the file /lib/tools/Config.js. The manipulation leads to inefficient regular expression complexity. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used."
},
{
"lang": "de",
"value": "In Unitech pm2 bis 6.0.6 wurde eine Schwachstelle entdeckt. Sie wurde als problematisch eingestuft. Betroffen ist eine unbekannte Verarbeitung der Datei /lib/tools/Config.js. Durch Beeinflussen mit unbekannten Daten kann eine inefficient regular expression complexity-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk passieren. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:T/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:T/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 4,
"vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:TF/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-09T19:00:16.482Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-311662 | Unitech pm2 Config.js redos",
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/?id.311662"
},
{
"name": "VDB-311662 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.311662"
},
{
"name": "Submit #585750 | pm2 6.0.6 Inefficient Regular Expression Complexity",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.585750"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/Unitech/pm2/pull/5971"
},
{
"tags": [
"exploit"
],
"url": "https://gist.github.com/mmmsssttt404/407e2ffe3e0eaa393ad923a86316a385"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-06-09T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-06-09T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-06-09T08:33:37.000Z",
"value": "VulDB entry last update"
}
],
"title": "Unitech pm2 Config.js redos"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-5891",
"datePublished": "2025-06-09T19:00:16.482Z",
"dateReserved": "2025-06-09T06:28:34.348Z",
"dateUpdated": "2025-06-09T19:46:05.767Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-5890 (GCVE-0-2025-5890)
Vulnerability from cvelistv5 – Published: 2025-06-09 18:31 – Updated: 2025-06-09 18:44| URL | Tags |
|---|---|
| https://vuldb.com/?id.311661 | vdb-entrytechnical-description |
| https://vuldb.com/?ctiid.311661 | signaturepermissions-required |
| https://vuldb.com/?submit.585727 | third-party-advisory |
| https://github.com/actions/toolkit/pull/2057 | issue-tracking |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-5890",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-09T18:43:32.965701Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-09T18:44:14.680Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"glob"
],
"product": "toolkit",
"vendor": "actions",
"versions": [
{
"status": "affected",
"version": "0.5.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "mmmsssttt (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability classified as problematic has been found in actions toolkit 0.5.0. This affects the function globEscape of the file toolkit/packages/glob/src/internal-pattern.ts of the component glob. The manipulation leads to inefficient regular expression complexity. It is possible to initiate the attack remotely."
},
{
"lang": "de",
"value": "Es wurde eine Schwachstelle in actions toolkit 0.5.0 entdeckt. Sie wurde als problematisch eingestuft. Hiervon betroffen ist die Funktion globEscape der Datei toolkit/packages/glob/src/internal-pattern.ts der Komponente glob. Durch das Beeinflussen mit unbekannten Daten kann eine inefficient regular expression complexity-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk angegangen werden."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:X/RL:T/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:X/RL:T/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 4,
"vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P/E:ND/RL:TF/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-09T18:31:05.291Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-311661 | actions toolkit glob internal-pattern.ts globEscape redos",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.311661"
},
{
"name": "VDB-311661 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.311661"
},
{
"name": "Submit #585727 | @actions @actions/glob 0.5.0 Inefficient Regular Expression Complexity",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.585727"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/actions/toolkit/pull/2057"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-06-09T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-06-09T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-06-09T08:31:07.000Z",
"value": "VulDB entry last update"
}
],
"title": "actions toolkit glob internal-pattern.ts globEscape redos"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-5890",
"datePublished": "2025-06-09T18:31:05.291Z",
"dateReserved": "2025-06-09T06:26:03.869Z",
"dateUpdated": "2025-06-09T18:44:14.680Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-5889 (GCVE-0-2025-5889)
Vulnerability from cvelistv5 – Published: 2025-06-09 18:16 – Updated: 2025-06-11 10:39| URL | Tags |
|---|---|
| https://vuldb.com/?id.311660 | vdb-entrytechnical-description |
| https://vuldb.com/?ctiid.311660 | signaturepermissions-required |
| https://vuldb.com/?submit.585717 | third-party-advisory |
| https://gist.github.com/mmmsssttt404/37a40ce7d6e5… | exploit |
| https://github.com/juliangruber/brace-expansion/p… | issue-trackingpatch |
| https://github.com/juliangruber/brace-expansion/r… | patch |
| Vendor | Product | Version | |
|---|---|---|---|
| juliangruber | brace-expansion |
Affected:
1.1.0
Affected: 1.1.1 Affected: 1.1.2 Affected: 1.1.3 Affected: 1.1.4 Affected: 1.1.5 Affected: 1.1.6 Affected: 1.1.7 Affected: 1.1.8 Affected: 1.1.9 Affected: 1.1.10 Affected: 1.1.11 Affected: 2.0.0 Affected: 2.0.1 Affected: 3.0 Affected: 4.0 Unaffected: 1.1.12 Unaffected: 2.0.2 Unaffected: 3.0.1 Unaffected: 4.0.1 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-5889",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-09T18:45:24.910231Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-09T18:45:54.037Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "brace-expansion",
"vendor": "juliangruber",
"versions": [
{
"status": "affected",
"version": "1.1.0"
},
{
"status": "affected",
"version": "1.1.1"
},
{
"status": "affected",
"version": "1.1.2"
},
{
"status": "affected",
"version": "1.1.3"
},
{
"status": "affected",
"version": "1.1.4"
},
{
"status": "affected",
"version": "1.1.5"
},
{
"status": "affected",
"version": "1.1.6"
},
{
"status": "affected",
"version": "1.1.7"
},
{
"status": "affected",
"version": "1.1.8"
},
{
"status": "affected",
"version": "1.1.9"
},
{
"status": "affected",
"version": "1.1.10"
},
{
"status": "affected",
"version": "1.1.11"
},
{
"status": "affected",
"version": "2.0.0"
},
{
"status": "affected",
"version": "2.0.1"
},
{
"status": "affected",
"version": "3.0"
},
{
"status": "affected",
"version": "4.0"
},
{
"status": "unaffected",
"version": "1.1.12"
},
{
"status": "unaffected",
"version": "2.0.2"
},
{
"status": "unaffected",
"version": "3.0.1"
},
{
"status": "unaffected",
"version": "4.0.1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "mmmsssttt (VulDB User)"
},
{
"lang": "en",
"type": "analyst",
"value": "tgerbet_enalean (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in juliangruber brace-expansion up to 1.1.11/2.0.1/3.0.0/4.0.0. It has been rated as problematic. Affected by this issue is the function expand of the file index.js. The manipulation leads to inefficient regular expression complexity. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 1.1.12, 2.0.2, 3.0.1 and 4.0.1 is able to address this issue. The name of the patch is a5b98a4f30d7813266b221435e1eaaf25a1b0ac5. It is recommended to upgrade the affected component."
},
{
"lang": "de",
"value": "Eine problematische Schwachstelle wurde in juliangruber brace-expansion bis 1.1.11/2.0.1/3.0.0/4.0.0 ausgemacht. Davon betroffen ist die Funktion expand der Datei index.js. Durch Manipulieren mit unbekannten Daten kann eine inefficient regular expression complexity-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk erfolgen. Die Komplexit\u00e4t eines Angriffs ist eher hoch. Sie ist schwierig ausnutzbar. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung. Ein Aktualisieren auf die Version 1.1.12, 2.0.2, 3.0.1 and 4.0.1 vermag dieses Problem zu l\u00f6sen. Der Patch wird als a5b98a4f30d7813266b221435e1eaaf25a1b0ac5 bezeichnet. Als bestm\u00f6gliche Massnahme wird das Einspielen eines Upgrades empfohlen."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 2.3,
"baseSeverity": "LOW",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 3.1,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 3.1,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 2.1,
"vectorString": "AV:N/AC:H/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-11T10:39:58.114Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-311660 | juliangruber brace-expansion index.js expand redos",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.311660"
},
{
"name": "VDB-311660 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.311660"
},
{
"name": "Submit #585717 | juliangruber @juliangruber/brace-expansion 1.1.11 Inefficient Regular Expression Complexity",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.585717"
},
{
"tags": [
"exploit"
],
"url": "https://gist.github.com/mmmsssttt404/37a40ce7d6e5ca604858fe30814d9466"
},
{
"tags": [
"issue-tracking",
"patch"
],
"url": "https://github.com/juliangruber/brace-expansion/pull/65/commits/a5b98a4f30d7813266b221435e1eaaf25a1b0ac5"
},
{
"tags": [
"patch"
],
"url": "https://github.com/juliangruber/brace-expansion/releases/tag/v4.0.1"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-06-09T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-06-09T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-06-11T12:37:04.000Z",
"value": "VulDB entry last update"
}
],
"title": "juliangruber brace-expansion index.js expand redos"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-5889",
"datePublished": "2025-06-09T18:16:01.889Z",
"dateReserved": "2025-06-09T06:19:24.886Z",
"dateUpdated": "2025-06-11T10:39:58.114Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Mitigation
Use regular expressions that do not support backtracking, e.g. by removing nested quantifiers.
Mitigation
Set backtracking limits in the configuration of the regular expression implementation, such as PHP's pcre.backtrack_limit. Also consider limits on execution time for the process.
Mitigation
Do not use regular expressions with untrusted input. If regular expressions must be used, avoid using backtracking in the expression.
Mitigation
Limit the length of the input that the regular expression will process.
CAPEC-492: Regular Expression Exponential Blowup
An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions.