CWE-1333
AllowedInefficient Regular Expression Complexity
Abstraction: Base · Status: Draft
The product uses a regular expression with a worst-case computational complexity that is inefficient and possibly exponential.
725 vulnerabilities reference this CWE, most recent first.
GHSA-4X5V-GMQ8-25CH
Vulnerability from github – Published: 2022-06-03 00:01 – Updated: 2023-07-19 19:58An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the semver-regex npm package, when an attacker is able to supply arbitrary input to the test() method
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "semver-regex"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.1.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "semver-regex"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0"
},
{
"fixed": "4.0.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-43307"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2022-06-03T22:26:33Z",
"nvd_published_at": "2022-06-02T14:15:00Z",
"severity": "LOW"
},
"details": "An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the semver-regex npm package, when an attacker is able to supply arbitrary input to the test() method",
"id": "GHSA-4x5v-gmq8-25ch",
"modified": "2023-07-19T19:58:13Z",
"published": "2022-06-03T00:01:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43307"
},
{
"type": "WEB",
"url": "https://github.com/sindresorhus/semver-regex/commit/d8ba39a528c1027c43ab23f12eec28ca4d40dd0c"
},
{
"type": "PACKAGE",
"url": "https://github.com/sindresorhus/semver-regex"
},
{
"type": "WEB",
"url": "https://research.jfrog.com/vulnerabilities/semver-regex-redos-xray-211349"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Regular expression denial of service in semver-regex"
}
GHSA-4XQQ-73WG-5MJP
Vulnerability from github – Published: 2023-05-15 06:30 – Updated: 2023-06-06 18:45giturlparse (aka git-url-parse) through 1.2.2, as used in Semgrep 1.5.2 through 1.24.1, is vulnerable to ReDoS (Regular Expression Denial of Service) if parsing untrusted URLs. This might be relevant if Semgrep is analyzing an untrusted package (for example, to check whether it accesses any Git repository at an http:// URL), and that package's author placed a ReDoS attack payload in a URL used by the package.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "git-url-parse"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.2.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-32758"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2023-05-15T20:51:51Z",
"nvd_published_at": "2023-05-15T04:15:10Z",
"severity": "HIGH"
},
"details": "giturlparse (aka git-url-parse) through 1.2.2, as used in Semgrep 1.5.2 through 1.24.1, is vulnerable to ReDoS (Regular Expression Denial of Service) if parsing untrusted URLs. This might be relevant if Semgrep is analyzing an untrusted package (for example, to check whether it accesses any Git repository at an http:// URL), and that package\u0027s author placed a ReDoS attack payload in a URL used by the package.",
"id": "GHSA-4xqq-73wg-5mjp",
"modified": "2023-06-06T18:45:42Z",
"published": "2023-05-15T06:30:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32758"
},
{
"type": "WEB",
"url": "https://github.com/returntocorp/semgrep/pull/7611"
},
{
"type": "WEB",
"url": "https://github.com/returntocorp/semgrep/pull/7943"
},
{
"type": "WEB",
"url": "https://github.com/returntocorp/semgrep/pull/7955"
},
{
"type": "PACKAGE",
"url": "https://github.com/coala/git-url-parse"
},
{
"type": "WEB",
"url": "https://github.com/coala/git-url-parse/blob/master/giturlparse/parser.py#L53"
},
{
"type": "WEB",
"url": "https://pypi.org/project/git-url-parse"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "git-url-parse Regular Expression Denial of Service"
}
GHSA-5239-WWWM-4PMQ
Vulnerability from github – Published: 2026-03-22 06:30 – Updated: 2026-03-30 14:40A security flaw has been discovered in pygments before 2.20.0. The impacted element is the function AdlLexer of the file pygments/lexers/archetype.py. The manipulation results in inefficient regular expression complexity. The attack is only possible with local access. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "Pygments"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.20.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-4539"
],
"database_specific": {
"cwe_ids": [
"CWE-1333",
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-24T20:33:39Z",
"nvd_published_at": "2026-03-22T06:16:20Z",
"severity": "LOW"
},
"details": "A security flaw has been discovered in pygments before 2.20.0. The impacted element is the function AdlLexer of the file pygments/lexers/archetype.py. The manipulation results in inefficient regular expression complexity. The attack is only possible with local access. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.",
"id": "GHSA-5239-wwwm-4pmq",
"modified": "2026-03-30T14:40:28Z",
"published": "2026-03-22T06:30:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4539"
},
{
"type": "WEB",
"url": "https://github.com/pygments/pygments/issues/3058"
},
{
"type": "WEB",
"url": "https://github.com/pygments/pygments/pull/3064"
},
{
"type": "WEB",
"url": "https://github.com/pygments/pygments/commit/24b8aa76c6cd6d70f39c6dd605cce319c98e2ccc"
},
{
"type": "PACKAGE",
"url": "https://github.com/pygments/pygments"
},
{
"type": "WEB",
"url": "https://github.com/pygments/pygments/releases/tag/2.20.0"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.352327"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.352327"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.774685"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "Pygments has Regular Expression Denial of Service (ReDoS) due to Inefficient Regex for GUID Matching"
}
GHSA-54RR-7FVW-6X8F
Vulnerability from github – Published: 2024-02-28 22:57 – Updated: 2024-02-29 02:30Possible Denial of Service Vulnerability in Rack Header Parsing
There is a possible denial of service vulnerability in the header parsing routines in Rack. This vulnerability has been assigned the CVE identifier CVE-2024-26146.
Versions Affected: All. Not affected: None Fixed Versions: 2.0.9.4, 2.1.4.4, 2.2.8.1, 3.0.9.1
Impact
Carefully crafted headers can cause header parsing in Rack to take longer than expected resulting in a possible denial of service issue. Accept and Forwarded headers are impacted.
Ruby 3.2 has mitigations for this problem, so Rack applications using Ruby 3.2 or newer are unaffected.
Releases
The fixed releases are available at the normal locations.
Workarounds
There are no feasible workarounds for this issue.
Patches
To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.
- 2-0-header-redos.patch - Patch for 2.0 series
- 2-1-header-redos.patch - Patch for 2.1 series
- 2-2-header-redos.patch - Patch for 2.2 series
- 3-0-header-redos.patch - Patch for 3.0 series
Credits
Thanks to svalkanov for reporting this and providing patches!
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "rack"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0"
},
{
"fixed": "3.0.9.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "rack"
},
"ranges": [
{
"events": [
{
"introduced": "2.2.0"
},
{
"fixed": "2.2.8.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "rack"
},
"ranges": [
{
"events": [
{
"introduced": "2.1.0"
},
{
"fixed": "2.1.4.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "rack"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.0.9.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-26146"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2024-02-28T22:57:03Z",
"nvd_published_at": "2024-02-29T00:15:51Z",
"severity": "LOW"
},
"details": "# Possible Denial of Service Vulnerability in Rack Header Parsing\n\nThere is a possible denial of service vulnerability in the header parsing\nroutines in Rack. This vulnerability has been assigned the CVE identifier\nCVE-2024-26146.\n\nVersions Affected: All.\nNot affected: None\nFixed Versions: 2.0.9.4, 2.1.4.4, 2.2.8.1, 3.0.9.1\n\nImpact\n------\nCarefully crafted headers can cause header parsing in Rack to take longer than\nexpected resulting in a possible denial of service issue. Accept and Forwarded\nheaders are impacted.\n\nRuby 3.2 has mitigations for this problem, so Rack applications using Ruby 3.2\nor newer are unaffected.\n\nReleases\n--------\nThe fixed releases are available at the normal locations.\n\nWorkarounds\n-----------\nThere are no feasible workarounds for this issue.\n\nPatches\n-------\nTo aid users who aren\u0027t able to upgrade immediately we have provided patches for\nthe two supported release series. They are in git-am format and consist of a\nsingle changeset.\n\n* 2-0-header-redos.patch - Patch for 2.0 series\n* 2-1-header-redos.patch - Patch for 2.1 series\n* 2-2-header-redos.patch - Patch for 2.2 series\n* 3-0-header-redos.patch - Patch for 3.0 series\n\nCredits\n-------\n\nThanks to [svalkanov](https://hackerone.com/svalkanov) for reporting this and\nproviding patches!",
"id": "GHSA-54rr-7fvw-6x8f",
"modified": "2024-02-29T02:30:57Z",
"published": "2024-02-28T22:57:03Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/rack/rack/security/advisories/GHSA-54rr-7fvw-6x8f"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26146"
},
{
"type": "WEB",
"url": "https://github.com/rack/rack/commit/30b8e39a578b25d4bdcc082c1c52c6f164b59716"
},
{
"type": "WEB",
"url": "https://github.com/rack/rack/commit/6c5d90bdcec0949f7ba06db62fb740dab394b582"
},
{
"type": "WEB",
"url": "https://github.com/rack/rack/commit/a227cd793778c7c3a827d32808058571569cda6f"
},
{
"type": "WEB",
"url": "https://github.com/rack/rack/commit/e4c117749ba24a66f8ec5a08eddf68deeb425ccd"
},
{
"type": "WEB",
"url": "https://discuss.rubyonrails.org/t/possible-denial-of-service-vulnerability-in-rack-header-parsing/84942"
},
{
"type": "PACKAGE",
"url": "https://github.com/rack/rack"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2024-26146.yml"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Rack Header Parsing leads to Possible Denial of Service Vulnerability"
}
GHSA-55XV-F85C-248Q
Vulnerability from github – Published: 2021-12-17 19:59 – Updated: 2022-01-04 19:52jsx-slack v4.5.1 and earlier versions are vulnerable to a regular expression denial-of-service (ReDoS) attack.
Impact
If attacker can put a lot of JSX elements into <blockquote> tag, an internal regular expression for escaping characters may consume an excessive amount of computing resources.
/** @jsxImportSource jsx-slack */
import { Section } from 'jsx-slack'
console.log(
<Section>
<blockquote>
{[...Array(40)].map((_, i) => (
<p>{i + 1}</p>
))}
</blockquote>
</Section>
)
Patches
See also: https://github.com/yhatt/jsx-slack/security/advisories/GHSA-hp68-xhvj-x6j6
jsx-slack v4.5.2 has updated regular expressions to prevent catastrophic backtracking.
jsx-slack v4.5.1 also had patched a workaround. It has no problems to contents with ASCII characters, but still vulnerable to contents with multibyte characters. (https://github.com/yhatt/jsx-slack/commit/36e4a10405e4c7745333e245fcc5029c02c7065d)
References
- https://nvd.nist.gov/vuln/detail/CVE-2021-43838
- https://github.com/yhatt/jsx-slack/commit/36e4a10405e4c7745333e245fcc5029c02c7065d
Credits
Thanks to @hieki for finding out this vulnerability.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "jsx-slack"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.5.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-43838"
],
"database_specific": {
"cwe_ids": [
"CWE-1333",
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2021-12-17T19:33:23Z",
"nvd_published_at": "2021-12-17T19:15:00Z",
"severity": "LOW"
},
"details": "jsx-slack v4.5.1 and earlier versions are vulnerable to a regular expression denial-of-service (ReDoS) attack. \n\n### Impact\n\nIf attacker can put a lot of JSX elements into `\u003cblockquote\u003e` tag, an internal regular expression for escaping characters may consume an excessive amount of computing resources.\n\n```javascript\n/** @jsxImportSource jsx-slack */\nimport { Section } from \u0027jsx-slack\u0027\n\nconsole.log(\n \u003cSection\u003e\n \u003cblockquote\u003e\n {[...Array(40)].map((_, i) =\u003e (\n \u003cp\u003e{i + 1}\u003c/p\u003e\n ))}\n \u003c/blockquote\u003e\n \u003c/Section\u003e\n)\n```\n\n### Patches\n\n_See also: https://github.com/yhatt/jsx-slack/security/advisories/GHSA-hp68-xhvj-x6j6_\n\njsx-slack v4.5.2 has updated regular expressions to prevent catastrophic backtracking.\n\njsx-slack v4.5.1 also had patched a workaround. It has no problems to contents with ASCII characters, but _still vulnerable to contents with multibyte characters_. (https://github.com/yhatt/jsx-slack/commit/36e4a10405e4c7745333e245fcc5029c02c7065d)\n\n### References\n\n- https://nvd.nist.gov/vuln/detail/CVE-2021-43838\n- https://github.com/yhatt/jsx-slack/commit/36e4a10405e4c7745333e245fcc5029c02c7065d\n\n### Credits\n\nThanks to @hieki for finding out this vulnerability.",
"id": "GHSA-55xv-f85c-248q",
"modified": "2022-01-04T19:52:06Z",
"published": "2021-12-17T19:59:02Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/yhatt/jsx-slack/security/advisories/GHSA-55xv-f85c-248q"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43838"
},
{
"type": "WEB",
"url": "https://github.com/yhatt/jsx-slack/commit/36e4a10405e4c7745333e245fcc5029c02c7065d"
},
{
"type": "WEB",
"url": "https://github.com/yhatt/jsx-slack"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "Regular Expression Denial of Service (ReDoS) in jsx-slack"
}
GHSA-5662-2RJ7-F2V6
Vulnerability from github – Published: 2025-08-04 15:22 – Updated: 2025-08-04 15:22Summary
The filter parameter for the "Recent uploads" page allows arbitrary Regexes. If this feature is enabled (which is the default), an attacker can craft a filter which deadlocks the server.
PoC
https://127.0.0.1:3923/?ru&filter=(.+)+x
Impact
The server becomes fully inaccessible for a long time.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.18.8"
},
"package": {
"ecosystem": "PyPI",
"name": "copyparty"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.18.9"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-54796"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2025-08-04T15:22:23Z",
"nvd_published_at": "2025-08-02T00:15:26Z",
"severity": "HIGH"
},
"details": "### Summary\nThe `filter` parameter for the \"Recent uploads\" page allows arbitrary Regexes. If this feature is enabled (which is the default), an attacker can craft a filter which deadlocks the server.\n\n### PoC\n`https://127.0.0.1:3923/?ru\u0026filter=(.+)+x`\n\n### Impact\nThe server becomes fully inaccessible for a long time.",
"id": "GHSA-5662-2rj7-f2v6",
"modified": "2025-08-04T15:22:23Z",
"published": "2025-08-04T15:22:23Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/9001/copyparty/security/advisories/GHSA-5662-2rj7-f2v6"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54796"
},
{
"type": "WEB",
"url": "https://github.com/9001/copyparty/commit/09910ba80784c3980947d92f45db696398c0fd83"
},
{
"type": "PACKAGE",
"url": "https://github.com/9001/copyparty"
},
{
"type": "WEB",
"url": "https://github.com/9001/copyparty/releases/tag/v1.18.9"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "copyparty allows Regex Denial of Service (ReDoS) in the upload listing"
}
GHSA-593F-38F6-JP5M
Vulnerability from github – Published: 2025-02-12 19:23 – Updated: 2025-02-12 19:23Summary
Koa uses an evil regex to parse the X-Forwarded-Proto and X-Forwarded-Host HTTP headers. This can be exploited to carry out a Denial-of-Service attack.
PoC
Coming soon.
Impact
This is a Regex Denial-of-Service attack and causes memory exhaustion. The regex should be improved and empty values should not be allowed.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "koa"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.15.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "koa"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0-alpha.0"
},
{
"fixed": "3.0.0-alpha.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "koa"
},
"ranges": [
{
"events": [
{
"introduced": "1.0.0"
},
{
"fixed": "1.7.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "koa"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.21.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-25200"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2025-02-12T19:23:09Z",
"nvd_published_at": "2025-02-12T18:15:28Z",
"severity": "CRITICAL"
},
"details": "### Summary\nKoa uses an evil regex to parse the `X-Forwarded-Proto` and `X-Forwarded-Host` HTTP headers. This can be exploited to carry out a Denial-of-Service attack.\n\n### PoC\n\nComing soon.\n\n### Impact\nThis is a Regex Denial-of-Service attack and causes memory exhaustion. The regex should be improved and empty values should not be allowed.",
"id": "GHSA-593f-38f6-jp5m",
"modified": "2025-02-12T19:23:09Z",
"published": "2025-02-12T19:23:09Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/koajs/koa/security/advisories/GHSA-593f-38f6-jp5m"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-25200"
},
{
"type": "WEB",
"url": "https://github.com/koajs/koa/commit/5054af6e31ffd451a4151a1fe144cef6e5d0d83c"
},
{
"type": "WEB",
"url": "https://github.com/koajs/koa/commit/5f294bb1c7c8d9c61904378d250439a321bffd32"
},
{
"type": "WEB",
"url": "https://github.com/koajs/koa/commit/93fe903fc966635a991bcf890cfc3427d33a1a08"
},
{
"type": "PACKAGE",
"url": "https://github.com/koajs/koa"
},
{
"type": "WEB",
"url": "https://github.com/koajs/koa/releases/tag/2.15.4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H",
"type": "CVSS_V4"
}
],
"summary": "Inefficient Regular Expression Complexity in koa"
}
GHSA-5943-48F3-6WX5
Vulnerability from github – Published: 2024-04-26 06:30 – Updated: 2026-02-23 12:31Denial of service condition in M-Files Server in versions before 24.4.13592.4 and after 23.11 (excluding 24.2 LTS) allows unauthenticated user to consume computing resources.
{
"affected": [],
"aliases": [
"CVE-2024-4056"
],
"database_specific": {
"cwe_ids": [
"CWE-1333",
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-26T06:15:06Z",
"severity": "HIGH"
},
"details": "Denial of service condition in M-Files Server in versions before 24.4.13592.4\u00a0and after 23.11 (excluding 24.2 LTS) allows unauthenticated user to consume computing resources.",
"id": "GHSA-5943-48f3-6wx5",
"modified": "2026-02-23T12:31:28Z",
"published": "2024-04-26T06:30:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4056"
},
{
"type": "WEB",
"url": "https://empower.m-files.com/security-advisories/CVE-2024-4056"
},
{
"type": "WEB",
"url": "https://product.m-files.com/security-advisories/cve-2024-4056"
},
{
"type": "WEB",
"url": "https://www.m-files.com/about/trust-center/security-advisories/cve-2024-4056"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-59P9-H35M-WG4G
Vulnerability from github – Published: 2025-09-12 12:30 – Updated: 2025-09-15 13:57A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically affecting the MarianTokenizer's remove_language_code() method. This vulnerability is present in version 4.52.4 and has been fixed in version 4.53.0. The issue arises from inefficient regex processing, which can be exploited by crafted input strings containing malformed language code patterns, leading to excessive CPU consumption and potential denial of service.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "transformers"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.53.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-6638"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2025-09-15T13:57:49Z",
"nvd_published_at": "2025-09-12T11:15:31Z",
"severity": "MODERATE"
},
"details": "A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically affecting the MarianTokenizer\u0027s `remove_language_code()` method. This vulnerability is present in version 4.52.4 and has been fixed in version 4.53.0. The issue arises from inefficient regex processing, which can be exploited by crafted input strings containing malformed language code patterns, leading to excessive CPU consumption and potential denial of service.",
"id": "GHSA-59p9-h35m-wg4g",
"modified": "2025-09-15T13:57:49Z",
"published": "2025-09-12T12:30:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6638"
},
{
"type": "WEB",
"url": "https://github.com/huggingface/transformers/commit/47c34fba5c303576560cb29767efb452ff12b8be"
},
{
"type": "WEB",
"url": "https://github.com/huggingface/transformers/commit/d37f7517972f67e3f2194c000ed0f87f064e5099"
},
{
"type": "PACKAGE",
"url": "https://github.com/huggingface/transformers"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/6a6c933f-9ce8-4ded-8b3b-2c1444c61f36"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "Hugging Face Transformers is vulnerable to ReDoS through its MarianTokenizer"
}
GHSA-5G3J-89FR-R2VP
Vulnerability from github – Published: 2026-04-08 00:07 – Updated: 2026-04-08 00:07Summary
skilleton versions prior to 0.3.1 include security-related weaknesses in repository normalization and path handling logic.
Version 0.3.1 contains fixes and additional test coverage for these issues.
Affected Versions
<0.3.1
Patched Versions
>=0.3.1
Impact
In affected versions, crafted input could trigger unsafe or inefficient behavior in repository/path processing code paths.
0.3.1 mitigates this by:
- replacing vulnerable parsing behavior with deterministic logic,
- validating subpaths earlier before allocating git worktree resources,
- adding stricter and broader regression tests around these flows.
Severity
Low to Moderate (project-maintainer assessed)
Mitigation
Upgrade to 0.3.1 or later.
Workarounds
No complete workaround is recommended other than upgrading.
References
- Branch:
fix/security-code-scanning-alerts - Commits:
- fix(security): harden git arg handling and path validation
- fix(security): use while loop in normalizeRepoUrl instead of regex
- Security Policy: SECURITY.md
Credits
Detected through automated code scanning and remediated by project maintainers.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "skilleton"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.3.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-1333",
"CWE-400",
"CWE-78",
"CWE-88"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-08T00:07:36Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "## Summary\n\n`skilleton` versions prior to `0.3.1` include security-related weaknesses in repository normalization and path handling logic. \nVersion `0.3.1` contains fixes and additional test coverage for these issues.\n\n## Affected Versions\n\n`\u003c0.3.1`\n\n## Patched Versions\n\n`\u003e=0.3.1`\n\n## Impact\n\nIn affected versions, crafted input could trigger unsafe or inefficient behavior in repository/path processing code paths. \n`0.3.1` mitigates this by:\n- replacing vulnerable parsing behavior with deterministic logic,\n- validating subpaths earlier before allocating git worktree resources,\n- adding stricter and broader regression tests around these flows.\n\n## Severity\n\nLow to Moderate (project-maintainer assessed)\n\n## Mitigation\n\nUpgrade to `0.3.1` or later.\n\n## Workarounds\n\nNo complete workaround is recommended other than upgrading.\n\n## References\n\n- Branch: [`fix/security-code-scanning-alerts`](https://github.com/Fcmam5/skilleton/pull/9)\n- Commits:\n - [fix(security): harden git arg handling and path validation](https://github.com/Fcmam5/skilleton/pull/9/changes/42bc280ad675bfaa7b1bbc192330fb582bb28172)\n - [fix(security): use while loop in normalizeRepoUrl instead of regex](https://github.com/Fcmam5/skilleton/pull/9/changes/6613160803ec8655efee9a270eeaa767ad22da8b)\n- Security Policy: [SECURITY.md](https://github.com/Fcmam5/skilleton/blob/master/SECURITY.md)\n\n## Credits\n\nDetected through automated code scanning and remediated by project maintainers.",
"id": "GHSA-5g3j-89fr-r2vp",
"modified": "2026-04-08T00:07:36Z",
"published": "2026-04-08T00:07:36Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/Fcmam5/skilleton/security/advisories/GHSA-5g3j-89fr-r2vp"
},
{
"type": "WEB",
"url": "https://github.com/Fcmam5/skilleton/pull/9/changes/42bc280ad675bfaa7b1bbc192330fb582bb28172"
},
{
"type": "WEB",
"url": "https://github.com/Fcmam5/skilleton/pull/9/changes/6613160803ec8655efee9a270eeaa767ad22da8b"
},
{
"type": "PACKAGE",
"url": "https://github.com/Fcmam5/skilleton"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "skilleton has improper input handling in repository/path processing"
}
Mitigation
Use regular expressions that do not support backtracking, e.g. by removing nested quantifiers.
Mitigation
Set backtracking limits in the configuration of the regular expression implementation, such as PHP's pcre.backtrack_limit. Also consider limits on execution time for the process.
Mitigation
Do not use regular expressions with untrusted input. If regular expressions must be used, avoid using backtracking in the expression.
Mitigation
Limit the length of the input that the regular expression will process.
CAPEC-492: Regular Expression Exponential Blowup
An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions.