CWE-1333
AllowedInefficient Regular Expression Complexity
Abstraction: Base · Status: Draft
The product uses a regular expression with a worst-case computational complexity that is inefficient and possibly exponential.
725 vulnerabilities reference this CWE, most recent first.
GHSA-65X3-RW7Q-GX94
Vulnerability from github – Published: 2026-05-18 17:40 – Updated: 2026-05-18 17:40Impact
multiparty@4.2.3 and lower versions are vulnerable to denial of service via regular expression backtracking in the Content-Disposition filename parameter parser. A multipart upload with a long header value containing !filename="1 repeated can cause regex matching to take seconds, blocking the event loop. Any service accepting multipart uploads via multiparty is affected.
Patches
Users should upgrade to multiparty@4.3.0 or higher.
Workarounds
None. Limiting upload sizes at the proxy/gateway layer reduces but does not eliminate the attack surface, since a small ~8 KB header is sufficient to trigger the vulnerable backtracking.
Resources
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.2.3"
},
"package": {
"ecosystem": "npm",
"name": "multiparty"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.3.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-8159"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-18T17:40:10Z",
"nvd_published_at": "2026-05-12T10:16:48Z",
"severity": "HIGH"
},
"details": "### Impact\n\nmultiparty@4.2.3 and lower versions are vulnerable to denial of service via regular expression backtracking in the `Content-Disposition` filename parameter parser. A multipart upload with a long header value containing `!filename=\"1` repeated can cause regex matching to take seconds, blocking the event loop. Any service accepting multipart uploads via multiparty is affected.\n\n### Patches\n\nUsers should upgrade to multiparty@4.3.0 or higher.\n\n### Workarounds\n\nNone. Limiting upload sizes at the proxy/gateway layer reduces but does not eliminate the attack surface, since a small ~8 KB header is sufficient to trigger the vulnerable backtracking.\n\n### Resources\n\n- [OWASP: Regular expression Denial of Service (ReDoS)](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS)",
"id": "GHSA-65x3-rw7q-gx94",
"modified": "2026-05-18T17:40:10Z",
"published": "2026-05-18T17:40:10Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/pillarjs/multiparty/security/advisories/GHSA-65x3-rw7q-gx94"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-8159"
},
{
"type": "WEB",
"url": "https://cna.openjsf.org/security-advisories.html"
},
{
"type": "PACKAGE",
"url": "https://github.com/pillarjs/multiparty"
},
{
"type": "WEB",
"url": "https://github.com/pillarjs/multiparty/releases/tag/v4.3.0"
},
{
"type": "WEB",
"url": "https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "multiparty vulnerable to ReDoS via filename parsing"
}
GHSA-68QG-G787-3RP5
Vulnerability from github – Published: 2024-10-26 21:30 – Updated: 2024-10-28 14:50Knwl.js is a Javascript library that parses through text for dates, times, phone numbers, emails, places, and more. Versions 1.0.2 and prior contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS). As of time of publication, no known patches are available.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "knwl.js"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.0.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-26306"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2024-10-28T14:50:17Z",
"nvd_published_at": "2024-10-26T21:15:13Z",
"severity": "MODERATE"
},
"details": "Knwl.js is a Javascript library that parses through text for dates, times, phone numbers, emails, places, and more. Versions 1.0.2 and prior contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS). As of time of publication, no known patches are available.",
"id": "GHSA-68qg-g787-3rp5",
"modified": "2024-10-28T14:50:17Z",
"published": "2024-10-26T21:30:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26306"
},
{
"type": "WEB",
"url": "https://github.com/benhmoore/Knwl/issues/106"
},
{
"type": "WEB",
"url": "https://github.com/benhmoore/Knwl/commit/88aa966b1415a167c7c91b70053b72c7762c1cc0"
},
{
"type": "PACKAGE",
"url": "https://github.com/benhmoore/Knwl"
},
{
"type": "ADVISORY",
"url": "https://securitylab.github.com/advisories/GHSL-2020-296-redos-Knwl.js"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green",
"type": "CVSS_V4"
}
],
"summary": "Knwl.js Regular Expression Denial of Service vulnerability"
}
GHSA-6FX8-H7JM-663J
Vulnerability from github – Published: 2025-01-16 00:31 – Updated: 2025-09-03 12:56An issue in parse-uri v1.0.9 allows attackers to cause a Regular expression Denial of Service (ReDoS) via a crafted URL. ## PoC
async function exploit() {
const parseuri = require("parse-uri");
// This input is designed to cause excessive backtracking in the regex
const craftedInput = 'http://example.com/' + 'a'.repeat(30000) + '?key=value';
const result = await parseuri(craftedInput);
}
await exploit();
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "parse-uri"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.0.9"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c 2.0.0"
},
"package": {
"ecosystem": "npm",
"name": "parseuri"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-36751"
],
"database_specific": {
"cwe_ids": [
"CWE-1333",
"CWE-185"
],
"github_reviewed": true,
"github_reviewed_at": "2025-01-17T15:39:05Z",
"nvd_published_at": "2025-01-15T22:15:26Z",
"severity": "MODERATE"
},
"details": "An issue in parse-uri v1.0.9 allows attackers to cause a Regular expression Denial of Service (ReDoS) via a crafted URL.\n ## PoC\n```js\nasync function exploit() {\n const parseuri = require(\"parse-uri\");\n // This input is designed to cause excessive backtracking in the regex\n const craftedInput = \u0027http://example.com/\u0027 + \u0027a\u0027.repeat(30000) + \u0027?key=value\u0027;\n const result = await parseuri(craftedInput);\n }\nawait exploit();\n```",
"id": "GHSA-6fx8-h7jm-663j",
"modified": "2025-09-03T12:56:48Z",
"published": "2025-01-16T00:31:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36751"
},
{
"type": "WEB",
"url": "https://github.com/Kikobeats/parse-uri/issues/14"
},
{
"type": "WEB",
"url": "https://gist.github.com/6en6ar/78168687da94e8aa2e0357f2456b0233"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "parse-uri Regular expression Denial of Service (ReDoS)"
}
GHSA-6FXP-P9MG-Q64W
Vulnerability from github – Published: 2025-08-20 03:30 – Updated: 2025-08-29 20:14Withdrawn Advisory
This advisory has been withdrawn because the attack surface of this vulnerability is outside of Knack's intended functionality. The maintainer states the following:
These CVEs are invalid. Knack is a CLI framework used by Azure CLI. It's a local library, not a web service. In addition, the regex is used to extract function and parameter docstrings from the source code. It is not used to match user input. Therefore, it does not expose any attack surface. There is no way to use it for ReDoS attack.
This link is maintained to preserve external references.
Original Description
Microsoft Knack 0.12.0 allows Regular expression Denial of Service (ReDoS) in the knack.introspection module (issue 1 of 2).
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "knack"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.12.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-54363"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2025-08-21T15:00:54Z",
"nvd_published_at": "2025-08-20T03:15:35Z",
"severity": "LOW"
},
"details": "### Withdrawn Advisory\nThis advisory has been withdrawn because the attack surface of this vulnerability is outside of Knack\u0027s intended functionality. The maintainer states the following:\n\n\u003e These CVEs are invalid. Knack is a CLI framework used by [Azure CLI](https://github.com/Azure/azure-cli). It\u0027s a local library, not a web service. In addition, the regex is used to extract function and parameter docstrings from the source code. It is not used to match user input. Therefore, it does not expose any attack surface. There is no way to use it for ReDoS attack.\n\nThis link is maintained to preserve external references.\n\n### Original Description\nMicrosoft Knack 0.12.0 allows Regular expression Denial of Service (ReDoS) in the knack.introspection module (issue 1 of 2).",
"id": "GHSA-6fxp-p9mg-q64w",
"modified": "2025-08-29T20:14:31Z",
"published": "2025-08-20T03:30:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54363"
},
{
"type": "WEB",
"url": "https://github.com/microsoft/knack/issues/281"
},
{
"type": "WEB",
"url": "https://github.com/microsoft/knack/issues/281#issuecomment-3218922941"
},
{
"type": "PACKAGE",
"url": "https://github.com/microsoft/knack"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/microsoft-knack-python-package-regular-expression-dos"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U",
"type": "CVSS_V4"
}
],
"summary": "Withdrawn Advisory: Microsoft Knack ReDoS Vulnerability in the Introspection Module",
"withdrawn": "2025-08-29T20:14:31Z"
}
GHSA-6G33-8W2Q-4HXV
Vulnerability from github – Published: 2023-01-05 12:30 – Updated: 2023-01-11 23:01A vulnerability was found in Woorank robots-txt-guard. It has been rated as problematic. Affected by this issue is the function makePathPattern of the file lib/patterns.js. The manipulation of the argument pattern leads to inefficient regular expression complexity. The exploit has been disclosed to the public and may be used. The name of the patch is c03827cd2f9933619c23894ce7c98401ea824020. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-217448.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "robots-txt-guard"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.0.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-4305"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2023-01-09T20:04:05Z",
"nvd_published_at": "2023-01-05T11:15:00Z",
"severity": "HIGH"
},
"details": "A vulnerability was found in Woorank robots-txt-guard. It has been rated as problematic. Affected by this issue is the function makePathPattern of the file lib/patterns.js. The manipulation of the argument pattern leads to inefficient regular expression complexity. The exploit has been disclosed to the public and may be used. The name of the patch is c03827cd2f9933619c23894ce7c98401ea824020. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-217448.",
"id": "GHSA-6g33-8w2q-4hxv",
"modified": "2023-01-11T23:01:14Z",
"published": "2023-01-05T12:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4305"
},
{
"type": "WEB",
"url": "https://github.com/Woorank/robots-txt-guard/pull/4"
},
{
"type": "WEB",
"url": "https://github.com/Woorank/robots-txt-guard/commit/c03827cd2f9933619c23894ce7c98401ea824020"
},
{
"type": "PACKAGE",
"url": "https://github.com/Woorank/robots-txt-guard"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.217448"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.217448"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "robots-txt-guard Inefficient Regular Expression Complexity vulnerability"
}
GHSA-6HCH-MPJP-2743
Vulnerability from github – Published: 2024-01-26 03:30 – Updated: 2024-01-26 03:30An issue has been discovered in GitLab CE/EE affecting all versions from 12.7 prior to 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1 It was possible for an attacker to trigger a Regular Expression Denial of Service via a Cargo.toml containing maliciously crafted input.
{
"affected": [],
"aliases": [
"CVE-2023-6159"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-01-26T02:15:07Z",
"severity": "MODERATE"
},
"details": "An issue has been discovered in GitLab CE/EE affecting all versions from 12.7 prior to 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1 It was possible for an attacker to trigger a Regular Expression Denial of Service via a `Cargo.toml` containing maliciously crafted input.",
"id": "GHSA-6hch-mpjp-2743",
"modified": "2024-01-26T03:30:19Z",
"published": "2024-01-26T03:30:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6159"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/2251278"
},
{
"type": "WEB",
"url": "https://about.gitlab.com/releases/2024/01/25/critical-security-release-gitlab-16-8-1-released"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/431924"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6JPG-FR24-WPVF
Vulnerability from github – Published: 2026-03-26 21:31 – Updated: 2026-05-19 15:31A flaw was found in libssh. A remote attacker, by controlling client configuration files or known_hosts files, could craft specific hostnames that when processed by the match_pattern() function can lead to inefficient regular expression backtracking. This can cause timeouts and resource exhaustion, resulting in a Denial of Service (DoS) for the client.
{
"affected": [],
"aliases": [
"CVE-2026-0967"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-26T21:17:00Z",
"severity": "LOW"
},
"details": "A flaw was found in libssh. A remote attacker, by controlling client configuration files or known_hosts files, could craft specific hostnames that when processed by the `match_pattern()` function can lead to inefficient regular expression backtracking. This can cause timeouts and resource exhaustion, resulting in a Denial of Service (DoS) for the client.",
"id": "GHSA-6jpg-fr24-wpvf",
"modified": "2026-05-19T15:31:20Z",
"published": "2026-03-26T21:31:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0967"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:18160"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:18683"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-0967"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2436981"
},
{
"type": "WEB",
"url": "https://www.libssh.org/2026/02/10/libssh-0-12-0-and-0-11-4-security-releases"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-6P52-PVR6-5X2C
Vulnerability from github – Published: 2026-01-07 18:30 – Updated: 2026-01-07 21:31Inefficient Regular Expression Complexity vulnerability in Wikimedia Foundation MediaWiki - VisualData Extension allows Regular Expression Exponential Blowup.This issue affects MediaWiki - VisualData Extension: 1.45.
{
"affected": [],
"aliases": [
"CVE-2026-0668"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-07T18:15:52Z",
"severity": "MODERATE"
},
"details": "Inefficient Regular Expression Complexity vulnerability in Wikimedia Foundation MediaWiki - VisualData Extension allows Regular Expression Exponential Blowup.This issue affects MediaWiki - VisualData Extension: 1.45.",
"id": "GHSA-6p52-pvr6-5x2c",
"modified": "2026-01-07T21:31:55Z",
"published": "2026-01-07T18:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0668"
},
{
"type": "WEB",
"url": "https://gerrit.wikimedia.org/r/q/I4ff2737c9f0ba805267d1fc8296e7cff61241ee3"
},
{
"type": "WEB",
"url": "https://gerrit.wikimedia.org/r/q/I893a9fca694a2613e29e149dea2d76d7f06063e5"
},
{
"type": "WEB",
"url": "https://gerrit.wikimedia.org/r/q/Ie08d9a8ceb2c9a22a635cfc27964353f14072dbf"
},
{
"type": "WEB",
"url": "https://gerrit.wikimedia.org/r/q/Ifbf9c2ade621226e14fe852f3217293772bf8bb8"
},
{
"type": "WEB",
"url": "https://phabricator.wikimedia.org/T387008"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-6RVG-6V2M-4J46
Vulnerability from github – Published: 2025-03-20 12:32 – Updated: 2025-03-21 17:43A Regular Expression Denial of Service (ReDoS) vulnerability was identified in the huggingface/transformers library, specifically in the file tokenization_nougat_fast.py. The vulnerability occurs in the post_process_single() function, where a regular expression processes specially crafted input. The issue stems from the regex exhibiting exponential time complexity under certain conditions, leading to excessive backtracking. This can result in significantly high CPU usage and potential application downtime, effectively creating a Denial of Service (DoS) scenario. The affected version is v4.46.3.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "transformers"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.48.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-12720"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2025-03-21T17:43:02Z",
"nvd_published_at": "2025-03-20T10:15:29Z",
"severity": "MODERATE"
},
"details": "A Regular Expression Denial of Service (ReDoS) vulnerability was identified in the huggingface/transformers library, specifically in the file tokenization_nougat_fast.py. The vulnerability occurs in the post_process_single() function, where a regular expression processes specially crafted input. The issue stems from the regex exhibiting exponential time complexity under certain conditions, leading to excessive backtracking. This can result in significantly high CPU usage and potential application downtime, effectively creating a Denial of Service (DoS) scenario. The affected version is v4.46.3.",
"id": "GHSA-6rvg-6v2m-4j46",
"modified": "2025-03-21T17:43:02Z",
"published": "2025-03-20T12:32:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12720"
},
{
"type": "WEB",
"url": "https://github.com/huggingface/transformers/commit/deac971c469bcbb182c2e52da0b82fb3bf54cccf"
},
{
"type": "PACKAGE",
"url": "https://github.com/huggingface/transformers"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/4bed1214-7835-4252-a853-22bbad891f98"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "Transformers Regular Expression Denial of Service (ReDoS) vulnerability"
}
GHSA-6VFC-QV3F-VR6C
Vulnerability from github – Published: 2022-01-12 22:20 – Updated: 2022-01-19 18:25Impact
Special patterns with length > 50K chars can slow down parser significantly.
const md = require('markdown-it')();
md.render(`x ${' '.repeat(150000)} x \nx`);
Patches
Upgrade to v12.3.2+
Workarounds
No.
References
Fix + test sample: https://github.com/markdown-it/markdown-it/commit/ffc49ab46b5b751cd2be0aabb146f2ef84986101
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "markdown-it"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "12.3.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-21670"
],
"database_specific": {
"cwe_ids": [
"CWE-1333",
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2022-01-10T21:50:05Z",
"nvd_published_at": "2022-01-10T21:15:00Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nSpecial patterns with length \u003e 50K chars can slow down parser significantly.\n\n```js\nconst md = require(\u0027markdown-it\u0027)();\n\nmd.render(`x ${\u0027 \u0027.repeat(150000)} x \\nx`);\n```\n\n\n### Patches\n\nUpgrade to v12.3.2+\n\n### Workarounds\n\nNo.\n\n### References\n\nFix + test sample: https://github.com/markdown-it/markdown-it/commit/ffc49ab46b5b751cd2be0aabb146f2ef84986101\n",
"id": "GHSA-6vfc-qv3f-vr6c",
"modified": "2022-01-19T18:25:52Z",
"published": "2022-01-12T22:20:22Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/markdown-it/markdown-it/security/advisories/GHSA-6vfc-qv3f-vr6c"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21670"
},
{
"type": "WEB",
"url": "https://github.com/markdown-it/markdown-it/commit/ffc49ab46b5b751cd2be0aabb146f2ef84986101"
},
{
"type": "PACKAGE",
"url": "https://github.com/markdown-it/markdown-it"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "Uncontrolled Resource Consumption in markdown-it"
}
Mitigation
Use regular expressions that do not support backtracking, e.g. by removing nested quantifiers.
Mitigation
Set backtracking limits in the configuration of the regular expression implementation, such as PHP's pcre.backtrack_limit. Also consider limits on execution time for the process.
Mitigation
Do not use regular expressions with untrusted input. If regular expressions must be used, avoid using backtracking in the expression.
Mitigation
Limit the length of the input that the regular expression will process.
CAPEC-492: Regular Expression Exponential Blowup
An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions.