Common Weakness Enumeration

CWE-1333

Allowed

Inefficient Regular Expression Complexity

Abstraction: Base · Status: Draft

The product uses a regular expression with a worst-case computational complexity that is inefficient and possibly exponential.

726 vulnerabilities reference this CWE, most recent first.

GHSA-6VFC-QV3F-VR6C

Vulnerability from github – Published: 2022-01-12 22:20 – Updated: 2022-01-19 18:25
VLAI
Summary
Uncontrolled Resource Consumption in markdown-it
Details

Impact

Special patterns with length > 50K chars can slow down parser significantly.

const md = require('markdown-it')();

md.render(`x ${' '.repeat(150000)} x  \nx`);

Patches

Upgrade to v12.3.2+

Workarounds

No.

References

Fix + test sample: https://github.com/markdown-it/markdown-it/commit/ffc49ab46b5b751cd2be0aabb146f2ef84986101

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "markdown-it"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "12.3.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-21670"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333",
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-01-10T21:50:05Z",
    "nvd_published_at": "2022-01-10T21:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nSpecial patterns with length \u003e 50K chars can slow down parser significantly.\n\n```js\nconst md = require(\u0027markdown-it\u0027)();\n\nmd.render(`x ${\u0027 \u0027.repeat(150000)} x  \\nx`);\n```\n\n\n### Patches\n\nUpgrade to v12.3.2+\n\n### Workarounds\n\nNo.\n\n### References\n\nFix + test sample: https://github.com/markdown-it/markdown-it/commit/ffc49ab46b5b751cd2be0aabb146f2ef84986101\n",
  "id": "GHSA-6vfc-qv3f-vr6c",
  "modified": "2022-01-19T18:25:52Z",
  "published": "2022-01-12T22:20:22Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/markdown-it/markdown-it/security/advisories/GHSA-6vfc-qv3f-vr6c"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21670"
    },
    {
      "type": "WEB",
      "url": "https://github.com/markdown-it/markdown-it/commit/ffc49ab46b5b751cd2be0aabb146f2ef84986101"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/markdown-it/markdown-it"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Uncontrolled Resource Consumption in markdown-it"
}

GHSA-6W53-65XX-MGJ9

Vulnerability from github – Published: 2025-06-20 21:32 – Updated: 2025-06-20 21:32
VLAI
Details

A Denial of Service (DoS) condition has been discovered in GitLab CE/EE affecting all versions from 7.10 prior before 16.11.5, version 17.0 before 17.0.3, and 17.1 before 17.1.1. It is possible for an attacker to cause a denial of service using a crafted markdown page.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-4025"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-06-20T19:15:35Z",
    "severity": "MODERATE"
  },
  "details": "A Denial of Service (DoS) condition has been discovered in GitLab CE/EE affecting all versions from 7.10 prior before 16.11.5, version 17.0 before 17.0.3, and 17.1 before 17.1.1. It is possible for an attacker to cause a denial of service using a crafted markdown page.",
  "id": "GHSA-6w53-65xx-mgj9",
  "modified": "2025-06-20T21:32:07Z",
  "published": "2025-06-20T21:32:07Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4025"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/2024974"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/457474"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6W57-8P2P-2R2X

Vulnerability from github – Published: 2024-06-27 21:32 – Updated: 2025-10-15 15:30
VLAI
Details

A Regular Expression Denial of Service (ReDoS) vulnerability exists in the latest version of gaizhenbiao/chuanhuchatgpt. The vulnerability is located in the filter_history function within the utils.py module. This function takes a user-provided keyword and attempts to match it against chat history filenames using a regular expression search. Due to the lack of sanitization or validation of the keyword parameter, an attacker can inject a specially crafted regular expression, leading to a denial of service condition. This can cause severe degradation of service performance and potential system unavailability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-6038"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333",
      "CWE-625"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-27T19:15:19Z",
    "severity": "HIGH"
  },
  "details": "A Regular Expression Denial of Service (ReDoS) vulnerability exists in the latest version of gaizhenbiao/chuanhuchatgpt. The vulnerability is located in the filter_history function within the utils.py module. This function takes a user-provided keyword and attempts to match it against chat history filenames using a regular expression search. Due to the lack of sanitization or validation of the keyword parameter, an attacker can inject a specially crafted regular expression, leading to a denial of service condition. This can cause severe degradation of service performance and potential system unavailability.",
  "id": "GHSA-6w57-8p2p-2r2x",
  "modified": "2025-10-15T15:30:19Z",
  "published": "2024-06-27T21:32:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6038"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gaizhenbiao/chuanhuchatgpt/commit/fcdd5fd6b05ef537a1db185ab115758d87e1ba3f"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/d41cca0a-82bc-4cbf-a52a-928d304fb42d"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6W63-H3FJ-Q4VW

Vulnerability from github – Published: 2023-06-06 17:33 – Updated: 2026-03-09 15:58
VLAI
Summary
fast-xml-parser vulnerable to Regex Injection via Doctype Entities
Details

Impact

"fast-xml-parser" allows special characters in entity names, which are not escaped or sanitized. Since the entity name is used for creating a regex for searching and replacing entities in the XML body, an attacker can abuse it for DoS attacks. By crafting an entity name that results in an intentionally bad performing regex and utilizing it in the entity replacement step of the parser, this can cause the parser to stall for an indefinite amount of time.

Patches

The problem has been resolved in v4.2.4

Workarounds

Avoid using DOCTYPE parsing by processEntities: false option.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "fast-xml-parser"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.1.3"
            },
            {
              "fixed": "4.2.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-34104"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333",
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-06-06T17:33:13Z",
    "nvd_published_at": "2023-06-06T18:15:11Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\"fast-xml-parser\" allows special characters in entity names, which are not escaped or sanitized. Since the entity name is used for creating a regex for searching and replacing entities in the XML body, an attacker can abuse it for DoS attacks. By crafting an entity name that results in an intentionally bad performing regex and utilizing it in the entity replacement step of the parser, this can cause the parser to stall for an indefinite amount of time.\n\n### Patches\nThe problem has been resolved in v4.2.4\n\n### Workarounds\nAvoid using DOCTYPE parsing by `processEntities: false` option.",
  "id": "GHSA-6w63-h3fj-q4vw",
  "modified": "2026-03-09T15:58:38Z",
  "published": "2023-06-06T17:33:13Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-6w63-h3fj-q4vw"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34104"
    },
    {
      "type": "WEB",
      "url": "https://github.com/NaturalIntelligence/fast-xml-parser/commit/39b0e050bb909e8499478657f84a3076e39ce76c"
    },
    {
      "type": "WEB",
      "url": "https://github.com/NaturalIntelligence/fast-xml-parser/commit/a4bdced80369892ee413bf08e28b78795a2b0d5b"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/NaturalIntelligence/fast-xml-parser"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "fast-xml-parser vulnerable to Regex Injection via Doctype Entities"
}

GHSA-72QW-P7HH-M3FF

Vulnerability from github – Published: 2023-10-19 12:33 – Updated: 2023-10-19 12:33
VLAI
Summary
TorBot vulnerable to Inefficient Regular Expression Complexity in validate_link
Details

Summary

The torbot.modules.validators.validate_link function uses the python-validators URL validation regex. This particular regular expression has an exponential complexity which allows an attacker to cause an application crash using a well-crafted argument..

Details

https://github.com/DedSecInside/TorBot/blob/d2b89192379ad033ffc7044efff26e16ccc02d5a/torbot/modules/validators.py#L13

An attacker can use a well-crafted URL argument to exploit the vulnerability in the regular expression and cause a Denial of Service on the system.

PoC

I have uploaded a secret gist containing a PoC (https://gist.github.com/ikkebr/6041055314f1cfb8e65b2a1acbaae12c). By adding one special character at the end of the user argument of the URL, the regular expression will take exponentially longer to compute.

For a string of size 10k, the regex will take 0.01s without the well-crafted URL and 1.3s with the well-crafted URL exploit. For a string of size 50k, the regex will take 0.03s without the well-crafted URL and 35s with the well-crafted URL exploit. For a string of size 100k, the regex will take 0.05s without the well-crafted URL and over 200s with the well-crafted URL exploit.

The regular expression used in the validators library versions [0.20, 0.11] is vulnerable to this attack. Version 0.21 appears to be unaffected, but it no longer contains a single regular expression.

Impact

An attacker could exploit this vulnerability to cause a denial of service or increased resource usage.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "torbot"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-45813"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-10-19T12:33:03Z",
    "nvd_published_at": "2023-10-18T21:15:09Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\n_The torbot.modules.validators.validate_link function uses the python-validators URL validation regex. This particular regular expression has an exponential complexity which allows an attacker to cause an application crash using a well-crafted argument.._\n\n### Details\nhttps://github.com/DedSecInside/TorBot/blob/d2b89192379ad033ffc7044efff26e16ccc02d5a/torbot/modules/validators.py#L13\n\nAn attacker can use a well-crafted URL argument to exploit the vulnerability in the regular expression and cause a Denial of Service on the system.\n\n### PoC\nI have uploaded a secret gist containing a PoC (https://gist.github.com/ikkebr/6041055314f1cfb8e65b2a1acbaae12c). By adding one special character at the end of the user argument of the URL, the regular expression will take exponentially longer to compute.\n\nFor a string of size 10k, the regex will take 0.01s without the well-crafted URL and 1.3s with the well-crafted URL exploit.\nFor a string of size 50k, the regex will take 0.03s without the well-crafted URL and 35s with the well-crafted URL exploit.\nFor a string of size 100k, the regex will take 0.05s without the well-crafted URL and over 200s with the well-crafted URL exploit.\n\nThe regular expression used in the validators library versions [0.20, 0.11] is vulnerable to this attack. Version 0.21 appears to be unaffected, but it no longer contains a single regular expression.\n\n### Impact\nAn attacker could exploit this vulnerability to cause a denial of service or increased resource usage.\n",
  "id": "GHSA-72qw-p7hh-m3ff",
  "modified": "2023-10-19T12:33:03Z",
  "published": "2023-10-19T12:33:03Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/DedSecInside/TorBot/security/advisories/GHSA-72qw-p7hh-m3ff"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45813"
    },
    {
      "type": "WEB",
      "url": "https://github.com/DedSecInside/TorBot/commit/ef6e06bc7785355b1701d5524eb4550441086ac4"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/ikkebr/6041055314f1cfb8e65b2a1acbaae12c"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/DedSecInside/TorBot"
    },
    {
      "type": "WEB",
      "url": "https://github.com/DedSecInside/TorBot/blob/d2b89192379ad033ffc7044efff26e16ccc02d5a/torbot/modules/validators.py#L13"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "TorBot vulnerable to Inefficient Regular Expression Complexity in validate_link"
}

GHSA-73RR-HH4G-FPGX

Vulnerability from github – Published: 2026-01-14 21:34 – Updated: 2026-01-30 17:13
VLAI
Summary
jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch
Details

Impact

Attempting to parse a patch whose filename headers contain the line break characters \r, \u2028, or \u2029 can cause the parsePatch method to enter an infinite loop. It then consumes memory without limit until the process crashes due to running out of memory.

Applications are therefore likely to be vulnerable to a denial-of-service attack if they call parsePatch with a user-provided patch as input. A large payload is not needed to trigger the vulnerability, so size limits on user input do not provide any protection. Furthermore, some applications may be vulnerable even when calling parsePatch on a patch generated by the application itself if the user is nonetheless able to control the filename headers (e.g. by directly providing the filenames of the files to be diffed).

The applyPatch method is similarly affected if (and only if) called with a string representation of a patch as an argument, since under the hood it parses that string using parsePatch. Other methods of the library are unaffected.

Finally, a second and lesser bug - a ReDOS - also exhibits when those same line break characters are present in a patch's patch header (also known as its "leading garbage"). A maliciously-crafted patch header of length n can take parsePatch O(n³) time to parse.

Patches

All vulnerabilities described are fixed in v8.0.3.

Workarounds

If using a version of jsdiff earlier than v8.0.3, do not attempt to parse patches that contain any of these characters: \r, \u2028, or \u2029.

References

PR that fixed the bug: https://github.com/kpdecker/jsdiff/pull/649

CVE Notes

Note that although the advisory describes two bugs, they each enable exactly the same attack vector (that an attacker who controls input to parsePatch can cause a DOS). Fixing one bug without fixing the other therefore does not fix the vulnerability and does not provide any security benefit. Therefore we assume that the bugs cannot possibly constitute Independently Fixable Vulnerabilities in the sense of CVE CNA rule 4.2.11, but rather that this advisory is properly construed under the rules as describing a single Vulnerability.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "diff"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.0.0"
            },
            {
              "fixed": "8.0.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "diff"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0"
            },
            {
              "fixed": "5.2.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "diff"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0"
            },
            {
              "fixed": "4.0.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "diff"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.5.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-24001"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333",
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-14T21:34:12Z",
    "nvd_published_at": "2026-01-22T03:15:47Z",
    "severity": "LOW"
  },
  "details": "### Impact\n\nAttempting to parse a patch whose filename headers contain the line break characters `\\r`, `\\u2028`, or `\\u2029` can cause the `parsePatch` method to enter an infinite loop. It then consumes memory without limit until the process crashes due to running out of memory.\n\nApplications are therefore likely to be vulnerable to a denial-of-service attack if they call `parsePatch` with a user-provided patch as input. A large payload is not needed to trigger the vulnerability, so size limits on user input do not provide any protection. Furthermore, some applications may be vulnerable even when calling `parsePatch` on a patch generated by the application itself if the user is nonetheless able to control the filename headers (e.g. by directly providing the filenames of the files to be diffed).\n\nThe `applyPatch` method is similarly affected if (and only if) called with a string representation of a patch as an argument, since under the hood it parses that string using `parsePatch`. Other methods of the library are unaffected.\n\nFinally, a second and lesser bug - a ReDOS - also exhibits when those same line break characters are present in a patch\u0027s *patch* header (also known as its \"leading garbage\"). A maliciously-crafted patch header of length *n* can take `parsePatch` O(*n*\u00b3) time to parse.\n\n### Patches\n\nAll vulnerabilities described are fixed in v8.0.3.\n\n### Workarounds\n\nIf using a version of jsdiff earlier than v8.0.3, do not attempt to parse patches that contain any of these characters: `\\r`, `\\u2028`, or `\\u2029`.\n\n### References\n\nPR that fixed the bug: https://github.com/kpdecker/jsdiff/pull/649\n\n\n### CVE Notes\n\nNote that although the advisory describes two bugs, they each enable exactly the same attack vector (that an attacker who controls input to `parsePatch` can cause a DOS). Fixing one bug without fixing the other therefore does not fix the vulnerability and does not provide any security benefit. Therefore we assume that the bugs cannot possibly constitute Independently Fixable Vulnerabilities in the sense of CVE CNA rule 4.2.11, but rather that this advisory is properly construed under the rules as describing a single Vulnerability.",
  "id": "GHSA-73rr-hh4g-fpgx",
  "modified": "2026-01-30T17:13:35Z",
  "published": "2026-01-14T21:34:12Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/kpdecker/jsdiff/security/advisories/GHSA-73rr-hh4g-fpgx"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24001"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kpdecker/jsdiff/issues/653"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kpdecker/jsdiff/pull/649"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kpdecker/jsdiff/commit/15a1585230748c8ae6f8274c202e0c87309142f5"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/kpdecker/jsdiff"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U",
      "type": "CVSS_V4"
    }
  ],
  "summary": "jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch"
}

GHSA-73W2-5F6G-JX42

Vulnerability from github – Published: 2023-07-13 03:30 – Updated: 2024-04-04 06:06
VLAI
Details

An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.3 before 15.11.10, all versions starting from 16.0 before 16.0.6, all versions starting from 16.1 before 16.1.1. A Regular Expression Denial of Service was possible via sending crafted payloads to the preview_markdown endpoint.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-3424"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333",
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-07-13T03:15:10Z",
    "severity": "HIGH"
  },
  "details": "An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.3 before 15.11.10, all versions starting from 16.0 before 16.0.6, all versions starting from 16.1 before 16.1.1. A Regular Expression Denial of Service was possible via sending crafted payloads to the preview_markdown endpoint.",
  "id": "GHSA-73w2-5f6g-jx42",
  "modified": "2024-04-04T06:06:32Z",
  "published": "2023-07-13T03:30:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3424"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/1960970"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/409802"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7599-FQGM-V84P

Vulnerability from github – Published: 2022-12-31 21:30 – Updated: 2023-01-10 16:10
VLAI
Summary
rgb2hex vulnerable to inefficient regular expression complexity
Details

A vulnerability was found in rgb2hex up to 0.1.5. It has been rated as problematic. This issue affects some unknown processing. The manipulation leads to inefficient regular expression complexity. The attack may be initiated remotely. Upgrading to version 0.1.6 can address this issue. The name of the patch is 9e0c38594432edfa64136fdf7bb651835e17c34f. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-217151.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "rgb2hex"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.1.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2018-25061"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-01-04T14:26:40Z",
    "nvd_published_at": "2022-12-31T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability was found in rgb2hex up to 0.1.5. It has been rated as problematic. This issue affects some unknown processing. The manipulation leads to inefficient regular expression complexity. The attack may be initiated remotely. Upgrading to version 0.1.6 can address this issue. The name of the patch is 9e0c38594432edfa64136fdf7bb651835e17c34f. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-217151.",
  "id": "GHSA-7599-fqgm-v84p",
  "modified": "2023-01-10T16:10:03Z",
  "published": "2022-12-31T21:30:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-25061"
    },
    {
      "type": "WEB",
      "url": "https://github.com/christian-bromann/rgb2hex/commit/9e0c38594432edfa64136fdf7bb651835e17c34f"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/christian-bromann/rgb2hex"
    },
    {
      "type": "WEB",
      "url": "https://github.com/christian-bromann/rgb2hex/releases/tag/v0.1.6"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.217151"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.217151"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "rgb2hex vulnerable to inefficient regular expression complexity"
}

GHSA-762F-C2WG-M8C8

Vulnerability from github – Published: 2018-10-09 00:27 – Updated: 2023-04-11 00:32
VLAI
Summary
Denial of Service in protobufjs
Details

Versions of protobufjs before 5.0.3 and 6.8.6 are vulnerable to a regular expression denial of service when parsing crafted invalid *.proto files.

Recommendation

Update to version 5.0.3, 6.8.6 or later.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "protobufjs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.0.0"
            },
            {
              "fixed": "6.8.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "protobufjs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.0.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2018-3738"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:21:32Z",
    "nvd_published_at": "2018-06-07T02:29:00Z",
    "severity": "MODERATE"
  },
  "details": "Versions of `protobufjs` before 5.0.3 and 6.8.6 are vulnerable to a regular expression denial of service when parsing crafted invalid *.proto files.\n\n\n## Recommendation\n\nUpdate to version 5.0.3, 6.8.6 or later.",
  "id": "GHSA-762f-c2wg-m8c8",
  "modified": "2023-04-11T00:32:09Z",
  "published": "2018-10-09T00:27:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-3738"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/319576"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-762f-c2wg-m8c8"
    },
    {
      "type": "WEB",
      "url": "https://github.com/dcodeIO/protobuf.js/blob/6.8.5/src/parse.js#L27"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/advisories/605"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Denial of Service in protobufjs"
}

GHSA-785G-R934-C877

Vulnerability from github – Published: 2025-05-02 21:30 – Updated: 2025-06-12 03:30
VLAI
Details

A vulnerability was found in gorhill uBlock Origin up to 1.63.3b16. It has been classified as problematic. Affected is the function currentStateChanged of the file src/js/1p-filters.js of the component UI. The manipulation leads to inefficient regular expression complexity. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 1.63.3b17 is able to address this issue. The patch is identified as eaedaf5b10d2f7857c6b77fbf7d4a80681d4d46c. It is recommended to upgrade the affected component.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-4215"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333",
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-02T21:15:23Z",
    "severity": "LOW"
  },
  "details": "A vulnerability was found in gorhill uBlock Origin up to 1.63.3b16. It has been classified as problematic. Affected is the function currentStateChanged of the file src/js/1p-filters.js of the component UI. The manipulation leads to inefficient regular expression complexity. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 1.63.3b17 is able to address this issue. The patch is identified as eaedaf5b10d2f7857c6b77fbf7d4a80681d4d46c. It is recommended to upgrade the affected component.",
  "id": "GHSA-785g-r934-c877",
  "modified": "2025-06-12T03:30:25Z",
  "published": "2025-05-02T21:30:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4215"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gorhill/uBlock/commit/eaedaf5b10d2f7857c6b77fbf7d4a80681d4d46c"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gorhill/uBlock/releases/tag/1.63.3b17"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/06/msg00013.html"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.307194"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.307194"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.562301"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

Mitigation
Architecture and Design

Use regular expressions that do not support backtracking, e.g. by removing nested quantifiers.

Mitigation
System Configuration

Set backtracking limits in the configuration of the regular expression implementation, such as PHP's pcre.backtrack_limit. Also consider limits on execution time for the process.

Mitigation
Implementation

Do not use regular expressions with untrusted input. If regular expressions must be used, avoid using backtracking in the expression.

Mitigation
Implementation

Limit the length of the input that the regular expression will process.

CAPEC-492: Regular Expression Exponential Blowup

An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions.