Common Weakness Enumeration

CWE-1333

Allowed

Inefficient Regular Expression Complexity

Abstraction: Base · Status: Draft

The product uses a regular expression with a worst-case computational complexity that is inefficient and possibly exponential.

725 vulnerabilities reference this CWE, most recent first.

GHSA-65X3-RW7Q-GX94

Vulnerability from github – Published: 2026-05-18 17:40 – Updated: 2026-05-18 17:40
VLAI
Summary
multiparty vulnerable to ReDoS via filename parsing
Details

Impact

multiparty@4.2.3 and lower versions are vulnerable to denial of service via regular expression backtracking in the Content-Disposition filename parameter parser. A multipart upload with a long header value containing !filename="1 repeated can cause regex matching to take seconds, blocking the event loop. Any service accepting multipart uploads via multiparty is affected.

Patches

Users should upgrade to multiparty@4.3.0 or higher.

Workarounds

None. Limiting upload sizes at the proxy/gateway layer reduces but does not eliminate the attack surface, since a small ~8 KB header is sufficient to trigger the vulnerable backtracking.

Resources

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.2.3"
      },
      "package": {
        "ecosystem": "npm",
        "name": "multiparty"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.3.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-8159"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-18T17:40:10Z",
    "nvd_published_at": "2026-05-12T10:16:48Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nmultiparty@4.2.3 and lower versions are vulnerable to denial of service via regular expression backtracking in the `Content-Disposition` filename parameter parser. A multipart upload with a long header value containing `!filename=\"1` repeated can cause regex matching to take seconds, blocking the event loop. Any service accepting multipart uploads via multiparty is affected.\n\n### Patches\n\nUsers should upgrade to multiparty@4.3.0 or higher.\n\n### Workarounds\n\nNone. Limiting upload sizes at the proxy/gateway layer reduces but does not eliminate the attack surface, since a small ~8 KB header is sufficient to trigger the vulnerable backtracking.\n\n### Resources\n\n- [OWASP: Regular expression Denial of Service (ReDoS)](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS)",
  "id": "GHSA-65x3-rw7q-gx94",
  "modified": "2026-05-18T17:40:10Z",
  "published": "2026-05-18T17:40:10Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/pillarjs/multiparty/security/advisories/GHSA-65x3-rw7q-gx94"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-8159"
    },
    {
      "type": "WEB",
      "url": "https://cna.openjsf.org/security-advisories.html"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/pillarjs/multiparty"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pillarjs/multiparty/releases/tag/v4.3.0"
    },
    {
      "type": "WEB",
      "url": "https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "multiparty vulnerable to ReDoS via filename parsing"
}

GHSA-68QG-G787-3RP5

Vulnerability from github – Published: 2024-10-26 21:30 – Updated: 2024-10-28 14:50
VLAI
Summary
Knwl.js Regular Expression Denial of Service vulnerability
Details

Knwl.js is a Javascript library that parses through text for dates, times, phone numbers, emails, places, and more. Versions 1.0.2 and prior contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS). As of time of publication, no known patches are available.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "knwl.js"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-26306"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-10-28T14:50:17Z",
    "nvd_published_at": "2024-10-26T21:15:13Z",
    "severity": "MODERATE"
  },
  "details": "Knwl.js is a Javascript library that parses through text for dates, times, phone numbers, emails, places, and more. Versions 1.0.2 and prior contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS). As of time of publication, no known patches are available.",
  "id": "GHSA-68qg-g787-3rp5",
  "modified": "2024-10-28T14:50:17Z",
  "published": "2024-10-26T21:30:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26306"
    },
    {
      "type": "WEB",
      "url": "https://github.com/benhmoore/Knwl/issues/106"
    },
    {
      "type": "WEB",
      "url": "https://github.com/benhmoore/Knwl/commit/88aa966b1415a167c7c91b70053b72c7762c1cc0"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/benhmoore/Knwl"
    },
    {
      "type": "ADVISORY",
      "url": "https://securitylab.github.com/advisories/GHSL-2020-296-redos-Knwl.js"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Knwl.js Regular Expression Denial of Service vulnerability"
}

GHSA-6FX8-H7JM-663J

Vulnerability from github – Published: 2025-01-16 00:31 – Updated: 2025-09-03 12:56
VLAI
Summary
parse-uri Regular expression Denial of Service (ReDoS)
Details

An issue in parse-uri v1.0.9 allows attackers to cause a Regular expression Denial of Service (ReDoS) via a crafted URL. ## PoC

async function exploit() {
    const parseuri = require("parse-uri");
    // This input is designed to cause excessive backtracking in the regex
    const craftedInput = 'http://example.com/' + 'a'.repeat(30000) + '?key=value';
    const result = await parseuri(craftedInput);
    }
await exploit();
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "parse-uri"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.0.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 2.0.0"
      },
      "package": {
        "ecosystem": "npm",
        "name": "parseuri"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-36751"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333",
      "CWE-185"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-01-17T15:39:05Z",
    "nvd_published_at": "2025-01-15T22:15:26Z",
    "severity": "MODERATE"
  },
  "details": "An issue in parse-uri v1.0.9 allows attackers to cause a Regular expression Denial of Service (ReDoS) via a crafted URL.\n ## PoC\n```js\nasync function exploit() {\n    const parseuri = require(\"parse-uri\");\n    // This input is designed to cause excessive backtracking in the regex\n    const craftedInput = \u0027http://example.com/\u0027 + \u0027a\u0027.repeat(30000) + \u0027?key=value\u0027;\n    const result = await parseuri(craftedInput);\n    }\nawait exploit();\n```",
  "id": "GHSA-6fx8-h7jm-663j",
  "modified": "2025-09-03T12:56:48Z",
  "published": "2025-01-16T00:31:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36751"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Kikobeats/parse-uri/issues/14"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/6en6ar/78168687da94e8aa2e0357f2456b0233"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "parse-uri Regular expression Denial of Service (ReDoS)"
}

GHSA-6FXP-P9MG-Q64W

Vulnerability from github – Published: 2025-08-20 03:30 – Updated: 2025-08-29 20:14
VLAI
Summary
Withdrawn Advisory: Microsoft Knack ReDoS Vulnerability in the Introspection Module
Details

Withdrawn Advisory

This advisory has been withdrawn because the attack surface of this vulnerability is outside of Knack's intended functionality. The maintainer states the following:

These CVEs are invalid. Knack is a CLI framework used by Azure CLI. It's a local library, not a web service. In addition, the regex is used to extract function and parameter docstrings from the source code. It is not used to match user input. Therefore, it does not expose any attack surface. There is no way to use it for ReDoS attack.

This link is maintained to preserve external references.

Original Description

Microsoft Knack 0.12.0 allows Regular expression Denial of Service (ReDoS) in the knack.introspection module (issue 1 of 2).

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "knack"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.12.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-54363"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-08-21T15:00:54Z",
    "nvd_published_at": "2025-08-20T03:15:35Z",
    "severity": "LOW"
  },
  "details": "### Withdrawn Advisory\nThis advisory has been withdrawn because the attack surface of this vulnerability is outside of Knack\u0027s intended functionality. The maintainer states the following:\n\n\u003e These CVEs are invalid. Knack is a CLI framework used by [Azure CLI](https://github.com/Azure/azure-cli). It\u0027s a local library, not a web service. In addition, the regex is used to extract function and parameter docstrings from the source code. It is not used to match user input. Therefore, it does not expose any attack surface. There is no way to use it for ReDoS attack.\n\nThis link is maintained to preserve external references.\n\n### Original Description\nMicrosoft Knack 0.12.0 allows Regular expression Denial of Service (ReDoS) in the knack.introspection module (issue 1 of 2).",
  "id": "GHSA-6fxp-p9mg-q64w",
  "modified": "2025-08-29T20:14:31Z",
  "published": "2025-08-20T03:30:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54363"
    },
    {
      "type": "WEB",
      "url": "https://github.com/microsoft/knack/issues/281"
    },
    {
      "type": "WEB",
      "url": "https://github.com/microsoft/knack/issues/281#issuecomment-3218922941"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/microsoft/knack"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/microsoft-knack-python-package-regular-expression-dos"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Withdrawn Advisory: Microsoft Knack ReDoS Vulnerability in the Introspection Module",
  "withdrawn": "2025-08-29T20:14:31Z"
}

GHSA-6G33-8W2Q-4HXV

Vulnerability from github – Published: 2023-01-05 12:30 – Updated: 2023-01-11 23:01
VLAI
Summary
robots-txt-guard Inefficient Regular Expression Complexity vulnerability
Details

A vulnerability was found in Woorank robots-txt-guard. It has been rated as problematic. Affected by this issue is the function makePathPattern of the file lib/patterns.js. The manipulation of the argument pattern leads to inefficient regular expression complexity. The exploit has been disclosed to the public and may be used. The name of the patch is c03827cd2f9933619c23894ce7c98401ea824020. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-217448.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "robots-txt-guard"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-4305"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-01-09T20:04:05Z",
    "nvd_published_at": "2023-01-05T11:15:00Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability was found in Woorank robots-txt-guard. It has been rated as problematic. Affected by this issue is the function makePathPattern of the file lib/patterns.js. The manipulation of the argument pattern leads to inefficient regular expression complexity. The exploit has been disclosed to the public and may be used. The name of the patch is c03827cd2f9933619c23894ce7c98401ea824020. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-217448.",
  "id": "GHSA-6g33-8w2q-4hxv",
  "modified": "2023-01-11T23:01:14Z",
  "published": "2023-01-05T12:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4305"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Woorank/robots-txt-guard/pull/4"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Woorank/robots-txt-guard/commit/c03827cd2f9933619c23894ce7c98401ea824020"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Woorank/robots-txt-guard"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.217448"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.217448"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "robots-txt-guard Inefficient Regular Expression Complexity vulnerability"
}

GHSA-6HCH-MPJP-2743

Vulnerability from github – Published: 2024-01-26 03:30 – Updated: 2024-01-26 03:30
VLAI
Details

An issue has been discovered in GitLab CE/EE affecting all versions from 12.7 prior to 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1 It was possible for an attacker to trigger a Regular Expression Denial of Service via a Cargo.toml containing maliciously crafted input.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-6159"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-01-26T02:15:07Z",
    "severity": "MODERATE"
  },
  "details": "An issue has been discovered in GitLab CE/EE affecting all versions from 12.7 prior to 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1 It was possible for an attacker to trigger a Regular Expression Denial of Service via a `Cargo.toml` containing maliciously crafted input.",
  "id": "GHSA-6hch-mpjp-2743",
  "modified": "2024-01-26T03:30:19Z",
  "published": "2024-01-26T03:30:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6159"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/2251278"
    },
    {
      "type": "WEB",
      "url": "https://about.gitlab.com/releases/2024/01/25/critical-security-release-gitlab-16-8-1-released"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/431924"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6JPG-FR24-WPVF

Vulnerability from github – Published: 2026-03-26 21:31 – Updated: 2026-05-19 15:31
VLAI
Details

A flaw was found in libssh. A remote attacker, by controlling client configuration files or known_hosts files, could craft specific hostnames that when processed by the match_pattern() function can lead to inefficient regular expression backtracking. This can cause timeouts and resource exhaustion, resulting in a Denial of Service (DoS) for the client.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-0967"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-26T21:17:00Z",
    "severity": "LOW"
  },
  "details": "A flaw was found in libssh. A remote attacker, by controlling client configuration files or known_hosts files, could craft specific hostnames that when processed by the `match_pattern()` function can lead to inefficient regular expression backtracking. This can cause timeouts and resource exhaustion, resulting in a Denial of Service (DoS) for the client.",
  "id": "GHSA-6jpg-fr24-wpvf",
  "modified": "2026-05-19T15:31:20Z",
  "published": "2026-03-26T21:31:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0967"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:18160"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:18683"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2026-0967"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2436981"
    },
    {
      "type": "WEB",
      "url": "https://www.libssh.org/2026/02/10/libssh-0-12-0-and-0-11-4-security-releases"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6P52-PVR6-5X2C

Vulnerability from github – Published: 2026-01-07 18:30 – Updated: 2026-01-07 21:31
VLAI
Details

Inefficient Regular Expression Complexity vulnerability in Wikimedia Foundation MediaWiki - VisualData Extension allows Regular Expression Exponential Blowup.This issue affects MediaWiki - VisualData Extension: 1.45.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-0668"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-07T18:15:52Z",
    "severity": "MODERATE"
  },
  "details": "Inefficient Regular Expression Complexity vulnerability in Wikimedia Foundation MediaWiki - VisualData Extension allows Regular Expression Exponential Blowup.This issue affects MediaWiki - VisualData Extension: 1.45.",
  "id": "GHSA-6p52-pvr6-5x2c",
  "modified": "2026-01-07T21:31:55Z",
  "published": "2026-01-07T18:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0668"
    },
    {
      "type": "WEB",
      "url": "https://gerrit.wikimedia.org/r/q/I4ff2737c9f0ba805267d1fc8296e7cff61241ee3"
    },
    {
      "type": "WEB",
      "url": "https://gerrit.wikimedia.org/r/q/I893a9fca694a2613e29e149dea2d76d7f06063e5"
    },
    {
      "type": "WEB",
      "url": "https://gerrit.wikimedia.org/r/q/Ie08d9a8ceb2c9a22a635cfc27964353f14072dbf"
    },
    {
      "type": "WEB",
      "url": "https://gerrit.wikimedia.org/r/q/Ifbf9c2ade621226e14fe852f3217293772bf8bb8"
    },
    {
      "type": "WEB",
      "url": "https://phabricator.wikimedia.org/T387008"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6RVG-6V2M-4J46

Vulnerability from github – Published: 2025-03-20 12:32 – Updated: 2025-03-21 17:43
VLAI
Summary
Transformers Regular Expression Denial of Service (ReDoS) vulnerability
Details

A Regular Expression Denial of Service (ReDoS) vulnerability was identified in the huggingface/transformers library, specifically in the file tokenization_nougat_fast.py. The vulnerability occurs in the post_process_single() function, where a regular expression processes specially crafted input. The issue stems from the regex exhibiting exponential time complexity under certain conditions, leading to excessive backtracking. This can result in significantly high CPU usage and potential application downtime, effectively creating a Denial of Service (DoS) scenario. The affected version is v4.46.3.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "transformers"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.48.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-12720"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-03-21T17:43:02Z",
    "nvd_published_at": "2025-03-20T10:15:29Z",
    "severity": "MODERATE"
  },
  "details": "A Regular Expression Denial of Service (ReDoS) vulnerability was identified in the huggingface/transformers library, specifically in the file tokenization_nougat_fast.py. The vulnerability occurs in the post_process_single() function, where a regular expression processes specially crafted input. The issue stems from the regex exhibiting exponential time complexity under certain conditions, leading to excessive backtracking. This can result in significantly high CPU usage and potential application downtime, effectively creating a Denial of Service (DoS) scenario. The affected version is v4.46.3.",
  "id": "GHSA-6rvg-6v2m-4j46",
  "modified": "2025-03-21T17:43:02Z",
  "published": "2025-03-20T12:32:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12720"
    },
    {
      "type": "WEB",
      "url": "https://github.com/huggingface/transformers/commit/deac971c469bcbb182c2e52da0b82fb3bf54cccf"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/huggingface/transformers"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/4bed1214-7835-4252-a853-22bbad891f98"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Transformers Regular Expression Denial of Service (ReDoS) vulnerability"
}

GHSA-6VFC-QV3F-VR6C

Vulnerability from github – Published: 2022-01-12 22:20 – Updated: 2022-01-19 18:25
VLAI
Summary
Uncontrolled Resource Consumption in markdown-it
Details

Impact

Special patterns with length > 50K chars can slow down parser significantly.

const md = require('markdown-it')();

md.render(`x ${' '.repeat(150000)} x  \nx`);

Patches

Upgrade to v12.3.2+

Workarounds

No.

References

Fix + test sample: https://github.com/markdown-it/markdown-it/commit/ffc49ab46b5b751cd2be0aabb146f2ef84986101

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "markdown-it"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "12.3.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-21670"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333",
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-01-10T21:50:05Z",
    "nvd_published_at": "2022-01-10T21:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nSpecial patterns with length \u003e 50K chars can slow down parser significantly.\n\n```js\nconst md = require(\u0027markdown-it\u0027)();\n\nmd.render(`x ${\u0027 \u0027.repeat(150000)} x  \\nx`);\n```\n\n\n### Patches\n\nUpgrade to v12.3.2+\n\n### Workarounds\n\nNo.\n\n### References\n\nFix + test sample: https://github.com/markdown-it/markdown-it/commit/ffc49ab46b5b751cd2be0aabb146f2ef84986101\n",
  "id": "GHSA-6vfc-qv3f-vr6c",
  "modified": "2022-01-19T18:25:52Z",
  "published": "2022-01-12T22:20:22Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/markdown-it/markdown-it/security/advisories/GHSA-6vfc-qv3f-vr6c"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21670"
    },
    {
      "type": "WEB",
      "url": "https://github.com/markdown-it/markdown-it/commit/ffc49ab46b5b751cd2be0aabb146f2ef84986101"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/markdown-it/markdown-it"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Uncontrolled Resource Consumption in markdown-it"
}

Mitigation
Architecture and Design

Use regular expressions that do not support backtracking, e.g. by removing nested quantifiers.

Mitigation
System Configuration

Set backtracking limits in the configuration of the regular expression implementation, such as PHP's pcre.backtrack_limit. Also consider limits on execution time for the process.

Mitigation
Implementation

Do not use regular expressions with untrusted input. If regular expressions must be used, avoid using backtracking in the expression.

Mitigation
Implementation

Limit the length of the input that the regular expression will process.

CAPEC-492: Regular Expression Exponential Blowup

An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions.