CWE-1333
AllowedInefficient Regular Expression Complexity
Abstraction: Base · Status: Draft
The product uses a regular expression with a worst-case computational complexity that is inefficient and possibly exponential.
725 vulnerabilities reference this CWE, most recent first.
GHSA-8GH5-V944-CPHH
Vulnerability from github – Published: 2023-09-01 12:30 – Updated: 2024-04-04 07:21An issue has been discovered in GitLab affecting all versions starting from 15.11 before 16.1.5, all versions starting from 16.2 before 16.2.5, all versions starting from 16.3 before 16.3.1. An authenticated user could trigger a denial of service when importing or cloning malicious content.
{
"affected": [],
"aliases": [
"CVE-2023-3205"
],
"database_specific": {
"cwe_ids": [
"CWE-1333",
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-09-01T11:15:41Z",
"severity": "MODERATE"
},
"details": "An issue has been discovered in GitLab affecting all versions starting from 15.11 before 16.1.5, all versions starting from 16.2 before 16.2.5, all versions starting from 16.3 before 16.3.1. An authenticated user could trigger a denial of service when importing or cloning malicious content.",
"id": "GHSA-8gh5-v944-cphh",
"modified": "2024-04-04T07:21:16Z",
"published": "2023-09-01T12:30:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3205"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/2011464"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/415067"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-8H55-Q5QQ-P685
Vulnerability from github – Published: 2024-07-23 14:10 – Updated: 2024-07-23 15:51Summary
Versions of tf2-item-format since at least 4.2.6 are vulnerable to a Regular Expression Denial of Service (ReDoS) attack when parsing crafted user input.
Tested Versions
5.9.135.8.105.7.05.6.174.3.54.2.6
v5
Upgrade package to ^5.9.14
v4
No patch exists. Please consult the v4 to v5 migration guide to upgrade to v5.
If upgrading to v5 is not possible, fork the module repository and implement the fix detailed below.
Impact
This vulnerability can be exploited by an attacker to perform DoS attacks on any service that uses any tf2-item-format to parse user input.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 5.9.13"
},
"package": {
"ecosystem": "npm",
"name": "tf2-item-format"
},
"ranges": [
{
"events": [
{
"introduced": "4.2.6"
},
{
"fixed": "5.9.14"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-41655"
],
"database_specific": {
"cwe_ids": [
"CWE-1333",
"CWE-624"
],
"github_reviewed": true,
"github_reviewed_at": "2024-07-23T14:10:45Z",
"nvd_published_at": "2024-07-23T15:15:05Z",
"severity": "HIGH"
},
"details": "## Summary\n\nVersions of `tf2-item-format` since at least `4.2.6` are vulnerable to a Regular Expression Denial of Service (ReDoS) attack when parsing crafted user input. \n\n## Tested Versions\n\n- `5.9.13`\n- `5.8.10`\n- `5.7.0`\n- `5.6.17`\n- `4.3.5`\n- `4.2.6`\n\n### v5\nUpgrade package to `^5.9.14`\n\n### v4\nNo patch exists. Please consult the [v4 to v5 migration guide](https://github.com/danocmx/node-tf2-item-format?tab=readme-ov-file#migrating-from-v4-to-v5) to upgrade to v5.\n\nIf upgrading to v5 is not possible, fork the module repository and implement the fix detailed below.\n\n## Impact\n\nThis vulnerability can be exploited by an attacker to perform DoS attacks on any service that uses any `tf2-item-format` to parse user input.",
"id": "GHSA-8h55-q5qq-p685",
"modified": "2024-07-23T15:51:54Z",
"published": "2024-07-23T14:10:45Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/danocmx/node-tf2-item-format/security/advisories/GHSA-8h55-q5qq-p685"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41655"
},
{
"type": "WEB",
"url": "https://github.com/danocmx/node-tf2-item-format/commit/5cffcc16a9261d6a937bda72bfe6830e02e31eec"
},
{
"type": "PACKAGE",
"url": "https://github.com/danocmx/node-tf2-item-format"
},
{
"type": "WEB",
"url": "https://github.com/danocmx/node-tf2-item-format/releases/tag/v5.9.14"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "(ReDoS) Regular Expression Denial of Service in tf2-item-format"
}
GHSA-8H58-9HJG-3XQH
Vulnerability from github – Published: 2025-04-10 09:30 – Updated: 2025-05-15 21:31The WP-GeSHi-Highlight — rock-solid syntax highlighting for 259 languages WordPress plugin through 1.4.3 processes user-supplied input as a regular expression via the wp_geshi_filter_replace_code() function, which could lead to Regular Expression Denial of Service (ReDoS) issue
{
"affected": [],
"aliases": [
"CVE-2024-13896"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-10T07:15:41Z",
"severity": "MODERATE"
},
"details": "The WP-GeSHi-Highlight \u2014 rock-solid syntax highlighting for 259 languages WordPress plugin through 1.4.3 processes user-supplied input as a regular expression via the wp_geshi_filter_replace_code() function, which could lead to Regular Expression Denial of Service (ReDoS) issue",
"id": "GHSA-8h58-9hjg-3xqh",
"modified": "2025-05-15T21:31:25Z",
"published": "2025-04-10T09:30:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-13896"
},
{
"type": "WEB",
"url": "https://wpscan.com/vulnerability/b8b622ea-e090-45ad-8755-b050fc055231"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-8MP2-V27R-99XP
Vulnerability from github – Published: 2026-05-06 16:52 – Updated: 2026-05-06 19:35Summary
A ReDoS (Regular Expression Denial of Service) vulnerability in LINK_TITLE_RE allows an attacker who can supply Markdown for parsing to cause denial of service. A crafted 58-byte Markdown document blocks the parser for approximately 6 seconds (measured on Apple M2, Python 3.14.3), with exponential growth per additional byte pair.
Details
The vulnerable regex is defined in src/mistune/helpers.py#L20-L25:
LINK_TITLE_RE = re.compile(
r"[ \t\n]+("
r'"(?:\\' + PUNCTUATION + r'|[^"\x00])*"|' # "title"
r"'(?:\\" + PUNCTUATION + r"|[^'\x00])*'" # 'title'
r")"
)
The double-quote branch compiles to "(?:\\[PUNCTUATION]|[^"\x00])*". The two alternatives inside (A|B)* overlap: a backslash followed by a punctuation character (e.g. \!) can be matched by either branch — as a 2-character escaped-punctuation sequence \\!, or as two individual [^"\x00] characters (\ then !). The same ambiguity exists in the single-quoted title branch.
When the input contains repeated \! pairs with no closing ", the regex engine exhaustively backtracks through all 2^N combinations, resulting in exponential O(2^N) time complexity.
This is reachable through normal Markdown parsing via two code paths:
1. Inline links: [text](url "PAYLOAD) → parse_link() → parse_link_title()
2. Block link reference definitions: [label]: url "PAYLOAD → BlockParser.parse_ref_link() → parse_link_title() at block_parser.py#L259
PoC
import mistune
import time
md = mistune.create_markdown()
# Test with increasing N (number of \! pairs)
for n in [15, 18, 20, 22, 25]:
payload = '[x](y "' + '\\!' * n + ')'
start = time.time()
md(payload)
elapsed = time.time() - start
print(f"N={n:2d} len={len(payload):3d} bytes time={elapsed:.3f}s")
Output (Apple M2, Python 3.14.3, mistune 3.2.0):
N=15 len= 38 bytes time=0.007s
N=18 len= 44 bytes time=0.044s
N=20 len= 48 bytes time=0.178s
N=22 len= 52 bytes time=0.740s
N=25 len= 58 bytes time=5.922s
Each increment of N roughly doubles the execution time (consistent with O(2^N)).
The same attack works via block link reference definitions:
payload = '[l]: u "' + '\\!' * 25 # 58 bytes, ~6 seconds
md(payload)
Impact
This is a denial of service vulnerability. Any application or service that parses user-supplied Markdown using mistune can be made unresponsive by an attacker submitting a small crafted input (under 100 bytes).
Affected use cases include: - Web applications with Markdown-enabled input fields (comments, posts, descriptions) - Documentation systems that accept user contributions - API endpoints that process Markdown - Jupyter tooling such as nbconvert that relies on mistune for rendering
Suggested Fix
Exclude the backslash character from the catch-all character class to eliminate the alternation overlap:
# Before (vulnerable):
r'"(?:\\' + PUNCTUATION + r'|[^"\x00])*"'
r"'(?:\\" + PUNCTUATION + r"|[^'\x00])*'"
# After (fixed):
r'"(?:\\' + PUNCTUATION + r'|[^"\\\x00])*"'
r"'(?:\\" + PUNCTUATION + r"|[^'\\\x00])*'"
This ensures a backslash can only be consumed by the escaped-punctuation branch, eliminating the ambiguity in both the double-quote and single-quote branches. Verified on mistune 3.2.0 (Apple M2, Python 3.14.3): - Reduces N=25 from 4.2 seconds to 0.000006 seconds (700,000x improvement) - Handles N=50 in 0.000008 seconds - Passes all existing functional tests (quoted titles, escaped quotes, escaped punctuation)
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.2.0"
},
"package": {
"ecosystem": "PyPI",
"name": "mistune"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0a1"
},
{
"fixed": "3.2.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-33079"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-06T16:52:43Z",
"nvd_published_at": "2026-05-06T18:16:03Z",
"severity": "HIGH"
},
"details": "### Summary\n\nA ReDoS (Regular Expression Denial of Service) vulnerability in `LINK_TITLE_RE` allows an attacker who can supply Markdown for parsing to cause denial of service. A crafted 58-byte Markdown document blocks the parser for approximately 6 seconds (measured on Apple M2, Python 3.14.3), with exponential growth per additional byte pair.\n\n### Details\n\nThe vulnerable regex is defined in [`src/mistune/helpers.py#L20-L25`](https://github.com/lepture/mistune/blob/df23edd60b43b639d2e6760ef9dd3d618aa11c21/src/mistune/helpers.py#L20-L25):\n\n```python\nLINK_TITLE_RE = re.compile(\n r\"[ \\t\\n]+(\"\n r\u0027\"(?:\\\\\u0027 + PUNCTUATION + r\u0027|[^\"\\x00])*\"|\u0027 # \"title\"\n r\"\u0027(?:\\\\\" + PUNCTUATION + r\"|[^\u0027\\x00])*\u0027\" # \u0027title\u0027\n r\")\"\n)\n```\n\nThe double-quote branch compiles to `\"(?:\\\\[PUNCTUATION]|[^\"\\x00])*\"`. The two alternatives inside `(A|B)*` overlap: a backslash followed by a punctuation character (e.g. `\\!`) can be matched by **either** branch \u2014 as a 2-character escaped-punctuation sequence `\\\\!`, or as two individual `[^\"\\x00]` characters (`\\` then `!`). The same ambiguity exists in the single-quoted title branch.\n\nWhen the input contains repeated `\\!` pairs with no closing `\"`, the regex engine exhaustively backtracks through all 2^N combinations, resulting in **exponential O(2^N) time complexity**.\n\nThis is reachable through normal Markdown parsing via two code paths:\n1. **Inline links**: `[text](url \"PAYLOAD)` \u2192 [`parse_link()`](https://github.com/lepture/mistune/blob/df23edd60b43b639d2e6760ef9dd3d618aa11c21/src/mistune/helpers.py#L178) \u2192 [`parse_link_title()`](https://github.com/lepture/mistune/blob/df23edd60b43b639d2e6760ef9dd3d618aa11c21/src/mistune/helpers.py#L169)\n2. **Block link reference definitions**: `[label]: url \"PAYLOAD` \u2192 [`BlockParser.parse_ref_link()`](https://github.com/lepture/mistune/blob/df23edd60b43b639d2e6760ef9dd3d618aa11c21/src/mistune/block_parser.py#L220) \u2192 [`parse_link_title()`](https://github.com/lepture/mistune/blob/df23edd60b43b639d2e6760ef9dd3d618aa11c21/src/mistune/helpers.py#L169) at [block_parser.py#L259](https://github.com/lepture/mistune/blob/df23edd60b43b639d2e6760ef9dd3d618aa11c21/src/mistune/block_parser.py#L259)\n\n### PoC\n\n```python\nimport mistune\nimport time\n\nmd = mistune.create_markdown()\n\n# Test with increasing N (number of \\! pairs)\nfor n in [15, 18, 20, 22, 25]:\n payload = \u0027[x](y \"\u0027 + \u0027\\\\!\u0027 * n + \u0027)\u0027\n start = time.time()\n md(payload)\n elapsed = time.time() - start\n print(f\"N={n:2d} len={len(payload):3d} bytes time={elapsed:.3f}s\")\n```\n\nOutput (Apple M2, Python 3.14.3, mistune 3.2.0):\n\n```\nN=15 len= 38 bytes time=0.007s\nN=18 len= 44 bytes time=0.044s\nN=20 len= 48 bytes time=0.178s\nN=22 len= 52 bytes time=0.740s\nN=25 len= 58 bytes time=5.922s\n```\n\nEach increment of N roughly doubles the execution time (consistent with O(2^N)).\n\nThe same attack works via block link reference definitions:\n\n```python\npayload = \u0027[l]: u \"\u0027 + \u0027\\\\!\u0027 * 25 # 58 bytes, ~6 seconds\nmd(payload)\n```\n\n### Impact\n\nThis is a denial of service vulnerability. Any application or service that parses user-supplied Markdown using mistune can be made unresponsive by an attacker submitting a small crafted input (under 100 bytes).\n\nAffected use cases include:\n- Web applications with Markdown-enabled input fields (comments, posts, descriptions)\n- Documentation systems that accept user contributions\n- API endpoints that process Markdown\n- Jupyter tooling such as nbconvert that relies on mistune for rendering\n\n### Suggested Fix\n\nExclude the backslash character from the catch-all character class to eliminate the alternation overlap:\n\n```python\n# Before (vulnerable):\nr\u0027\"(?:\\\\\u0027 + PUNCTUATION + r\u0027|[^\"\\x00])*\"\u0027\nr\"\u0027(?:\\\\\" + PUNCTUATION + r\"|[^\u0027\\x00])*\u0027\"\n\n# After (fixed):\nr\u0027\"(?:\\\\\u0027 + PUNCTUATION + r\u0027|[^\"\\\\\\x00])*\"\u0027\nr\"\u0027(?:\\\\\" + PUNCTUATION + r\"|[^\u0027\\\\\\x00])*\u0027\"\n```\n\nThis ensures a backslash can only be consumed by the escaped-punctuation branch, eliminating the ambiguity in both the double-quote and single-quote branches. Verified on mistune 3.2.0 (Apple M2, Python 3.14.3):\n- Reduces N=25 from 4.2 seconds to 0.000006 seconds (700,000x improvement)\n- Handles N=50 in 0.000008 seconds\n- Passes all existing functional tests (quoted titles, escaped quotes, escaped punctuation)",
"id": "GHSA-8mp2-v27r-99xp",
"modified": "2026-05-06T19:35:51Z",
"published": "2026-05-06T16:52:43Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/lepture/mistune/security/advisories/GHSA-8mp2-v27r-99xp"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33079"
},
{
"type": "PACKAGE",
"url": "https://github.com/lepture/mistune"
},
{
"type": "WEB",
"url": "https://github.com/lepture/mistune/blob/df23edd60b43b639d2e6760ef9dd3d618aa11c21/src/mistune/helpers.py#L20-L25"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Mistune has a ReDoS in LINK_TITLE_RE that allows denial of service via crafted Markdown input"
}
GHSA-8MRC-CW5J-72JW
Vulnerability from github – Published: 2023-11-06 15:30 – Updated: 2023-11-06 15:30An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.3 before 16.3.6, all versions starting from 16.4 before 16.4.2, all versions starting from 16.5 before 16.5.1. A Regular Expression Denial of Service was possible by adding a large string in timeout input in gitlab-ci.yml file.
{
"affected": [],
"aliases": [
"CVE-2023-3909"
],
"database_specific": {
"cwe_ids": [
"CWE-1333",
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-11-06T13:15:09Z",
"severity": "MODERATE"
},
"details": "An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.3 before 16.3.6, all versions starting from 16.4 before 16.4.2, all versions starting from 16.5 before 16.5.1. A Regular Expression Denial of Service was possible by adding a large string in timeout input in gitlab-ci.yml file.",
"id": "GHSA-8mrc-cw5j-72jw",
"modified": "2023-11-06T15:30:32Z",
"published": "2023-11-06T15:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3909"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/2050269"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/418763"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-8QJW-9XGM-C9FF
Vulnerability from github – Published: 2025-06-19 16:19 – Updated: 2025-06-20 22:20Impact
What kind of vulnerability is it? Who is impacted?
This is an advisory for a potential polynomial Regular Expression Denial of Service (ReDoS) vulnerability in the RegexCriterion class. This class compiles and evaluates an unvalidated, user-supplied regular expression against the identifier of an Identifiable object via Pattern.compile(regex).matcher(id).find().
To trigger polynomial ReDoS in RegexCriterion, two attacker-controlled conditions must be met:
- Control over the regex input passed into the constructor:
- Example: An attacker supplies a malicious pattern such as (.*a){10000}.
- Control or influence over the output of Identifiable.getId():
- Example: A long string like "aaaa...!" that forces excessive backtracking.
If both conditions are satisfied, a malicious actor can cause significant CPU exhaustion through repeated or recursive filter(...) calls — especially if performed over large network models or filtering operations.
While this class does not handle file or memory data directly, its reliance on untrusted regular expressions and potentially attacker-controlled identifiers makes it vulnerable to polynomial ReDoS under the right conditions. This risk is amplified when the library is used in dynamic or scriptable environments where external users control either criterion construction or network object identifiers.
Although not as dangerous as catastrophic exponential ReDoS, the polynomial pattern still induces significant performance
degradation as input size increases.
Am I impacted?
Since RegexCriterion are used to define contingencies or limit reductions, you are vulnerable if:
- you allow untrusted users to define contingency lists or limit reductions using this criterion;
- OR you load untrusted contingencies or limit reductions files
AND use them with a network containing untrusted identifiers.
Patches
com.powsybl:powsybl-iidm-criteria:6.7.2 and higher
References
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 6.7.1"
},
"package": {
"ecosystem": "Maven",
"name": "com.powsybl:powsybl-iidm-criteria"
},
"ranges": [
{
"events": [
{
"introduced": "6.3.0"
},
{
"fixed": "6.7.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "com.powsybl:powsybl-contingency-api"
},
"ranges": [
{
"events": [
{
"introduced": "5.0.0"
},
{
"fixed": "6.3.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-48059"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2025-06-19T16:19:48Z",
"nvd_published_at": "2025-06-20T17:15:40Z",
"severity": "LOW"
},
"details": "### Impact\n_What kind of vulnerability is it? Who is impacted?_\n\nThis is an advisory for a **potential polynomial Regular Expression Denial of Service (ReDoS)** vulnerability in the `RegexCriterion` class. This class compiles and evaluates an unvalidated, user-supplied regular expression against the identifier of an `Identifiable` object via `Pattern.compile(regex).matcher(id).find()`.\n\nTo trigger **polynomial ReDoS** in `RegexCriterion`, **two attacker-controlled conditions** must be met:\n- **Control over the regex input** passed into the constructor:\n - _Example:_ An attacker supplies a malicious pattern such as `(.*a){10000}`.\n- **Control or influence over the output of `Identifiable.getId()`**:\n - _Example:_ A long string like `\"aaaa...!\"` that forces excessive backtracking.\n\nIf both conditions are satisfied, a malicious actor can cause **significant CPU exhaustion** through repeated or recursive `filter(...)` calls \u2014 especially if performed over large network models or filtering operations.\nWhile this class does not handle file or memory data directly, its reliance on untrusted regular expressions and potentially attacker-controlled identifiers makes it vulnerable to **polynomial ReDoS** under the right conditions. This risk is amplified when the library is used in dynamic or scriptable environments where external users control either criterion construction or network object identifiers.\nAlthough not as dangerous as _catastrophic exponential ReDoS_, the polynomial pattern still induces significant performance\ndegradation as input size increases.\n\n#### Am I impacted?\nSince `RegexCriterion` are used to define contingencies or limit reductions, you are vulnerable if:\n- you allow untrusted users to define contingency lists or limit reductions using this criterion;\n- OR you load untrusted contingencies or limit reductions files\n\nAND use them with a network containing untrusted identifiers.\n\n### Patches\ncom.powsybl:powsybl-iidm-criteria:6.7.2 and higher\n\n### References\n[powsybl-core v6.7.2](https://github.com/powsybl/powsybl-core/releases/tag/v6.7.2)",
"id": "GHSA-8qjw-9xgm-c9ff",
"modified": "2025-06-20T22:20:47Z",
"published": "2025-06-19T16:19:48Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/powsybl/powsybl-core/security/advisories/GHSA-8qjw-9xgm-c9ff"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48059"
},
{
"type": "WEB",
"url": "https://github.com/powsybl/powsybl-core/commit/d8398f689a5ccd505bd62eee2bd6670a29133110"
},
{
"type": "PACKAGE",
"url": "https://github.com/powsybl/powsybl-core"
},
{
"type": "WEB",
"url": "https://github.com/powsybl/powsybl-core/releases/tag/v6.7.2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U",
"type": "CVSS_V4"
}
],
"summary": "PowSyBl Core Contains a Polynomial ReDoS in RegexCriterion"
}
GHSA-8R9Q-7V3J-JR4G
Vulnerability from github – Published: 2026-01-05 21:30 – Updated: 2026-07-15 18:32Impact
A ReDoS vulnerability in the UriTemplate class allows attackers to cause denial of service. The partToRegExp() function generates a regex pattern with nested quantifiers (([^/]+(?:,[^/]+)*)) for exploded template variables (e.g., {/id*}, {?tags*}), causing catastrophic backtracking on malicious input.
Who is affected: MCP servers that register resource templates with exploded array patterns and accept requests from untrusted clients.
Attack result: An attacker sends a crafted URI via resources/read request, causing 100% CPU utilization, server hang/crash, and denial of service for all clients.
Affected Versions
All versions of @modelcontextprotocol/sdk prior to the patched release.
Patches
v1.25.2 contains b392f02ffcf37c088dbd114fedf25026ec3913d3 the fix modifies the regex pattern to prevent backtracking.
Workarounds
- Avoid using exploded patterns (
{/id*},{?tags*}) in resource templates - Implement request timeouts and rate limiting
- Validate URIs before processing to reject suspicious patterns
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@modelcontextprotocol/sdk"
},
"ranges": [
{
"events": [
{
"introduced": "1.3.0"
},
{
"fixed": "1.25.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-0621"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2026-01-06T21:20:37Z",
"nvd_published_at": "2026-01-05T21:16:14Z",
"severity": "HIGH"
},
"details": "### Impact\n\nA ReDoS vulnerability in the `UriTemplate` class allows attackers to cause denial of service. The `partToRegExp()` function generates a regex pattern with nested quantifiers (`([^/]+(?:,[^/]+)*)`) for exploded template variables (e.g., `{/id*}`, `{?tags*}`), causing catastrophic backtracking on malicious input.\n\n**Who is affected:** MCP servers that register resource templates with exploded array patterns and accept requests from untrusted clients.\n\n**Attack result:** An attacker sends a crafted URI via `resources/read` request, causing 100% CPU utilization, server hang/crash, and denial of service for all clients.\n\n### Affected Versions\n\nAll versions of `@modelcontextprotocol/sdk` prior to the patched release.\n\n### Patches\n\nv1.25.2 contains b392f02ffcf37c088dbd114fedf25026ec3913d3 the fix modifies the regex pattern to prevent backtracking.\n\n### Workarounds\n\n- Avoid using exploded patterns (`{/id*}`, `{?tags*}`) in resource templates\n- Implement request timeouts and rate limiting\n- Validate URIs before processing to reject suspicious patterns",
"id": "GHSA-8r9q-7v3j-jr4g",
"modified": "2026-07-15T18:32:03Z",
"published": "2026-01-05T21:30:33Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/modelcontextprotocol/typescript-sdk/security/advisories/GHSA-cqwc-fm46-7fff"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0621"
},
{
"type": "WEB",
"url": "https://github.com/modelcontextprotocol/typescript-sdk/issues/965"
},
{
"type": "WEB",
"url": "https://github.com/modelcontextprotocol/typescript-sdk/commit/7f0cf730"
},
{
"type": "WEB",
"url": "https://github.com/modelcontextprotocol/typescript-sdk/commit/b392f02ffcf37c088dbd114fedf25026ec3913d3"
},
{
"type": "PACKAGE",
"url": "https://github.com/modelcontextprotocol/typescript-sdk"
},
{
"type": "WEB",
"url": "https://github.com/modelcontextprotocol/typescript-sdk/releases/tag/v1.25.2"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/mcp-typescript-sdk-uritemplate-exploded-array-pattern-redos"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Anthropic\u0027s MCP TypeScript SDK has a ReDoS vulnerability"
}
GHSA-8RG4-CVW3-V3C2
Vulnerability from github – Published: 2025-01-07 18:30 – Updated: 2025-01-07 21:30An issue in the validate_email function in CTFd/utils/validators/init.py of CTFd 3.7.3 allows attackers to cause a Regular expression Denial of Service (ReDoS) via supplying a crafted string as e-mail address during registration.
{
"affected": [],
"aliases": [
"CVE-2024-46242"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-07T16:15:33Z",
"severity": "HIGH"
},
"details": "An issue in the validate_email function in CTFd/utils/validators/__init__.py of CTFd 3.7.3 allows attackers to cause a Regular expression Denial of Service (ReDoS) via supplying a crafted string as e-mail address during registration.",
"id": "GHSA-8rg4-cvw3-v3c2",
"modified": "2025-01-07T21:30:55Z",
"published": "2025-01-07T18:30:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46242"
},
{
"type": "WEB",
"url": "https://gist.github.com/salvatore-abello/4f01f3fa54672febc0a492a11a26592c"
},
{
"type": "WEB",
"url": "http://ctfd.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-8V8V-G73J-492J
Vulnerability from github – Published: 2026-05-28 17:34 – Updated: 2026-05-28 17:34Description
The JsonPath component's match() and search() filter functions compile a caller-supplied pattern straight into preg_match():
'match' => @preg_match(\sprintf('/^%s$/u', $this->transformJsonPathRegex($argList[1])), $value),
'search' => @preg_match("/{$this->transformJsonPathRegex($argList[1])}/u", $value),
transformJsonPathRegex() only performs cosmetic escaping: there is no length cap, no restriction to the RFC 9485 i-regexp subset, and no bound on backtracking. An application that evaluates an attacker-influenced JSONPath expression server-side (e.g. one taken from a query parameter or API field and passed to JsonCrawler) can therefore be made to run a catastrophic-backtracking pattern such as $[?search(@, "(a+)+$")]. Evaluated against a moderately sized document, this pins a CPU core for seconds per request, so a handful of concurrent requests exhausts the worker pool: a denial of service. Because the preg_match() calls are prefixed with @, the PCRE backtrack-limit errors that would otherwise surface are suppressed, leaving no log trace.
Conditions for exploitation
An application that evaluates an attacker-influenced JSONPath expression containing a match() / search() filter against any non-trivial JSON input.
Resolution
JsonCrawler runs the preg_match() calls through a helper that lowers pcre.backtrack_limit to 10000 for the duration of the call (restoring the previous value afterwards), so a pathological pattern fails fast instead of stalling the worker.
The patch for this issue is available here for branch 7.4.
Credits
Symfony would like to thank Himanshu Anand for reporting the issue and Alexandre Daubois for providing the fix.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/json-path"
},
"ranges": [
{
"events": [
{
"introduced": "7.3.0"
},
{
"fixed": "7.4.12"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/json-path"
},
"ranges": [
{
"events": [
{
"introduced": "8.0.0"
},
{
"fixed": "8.0.12"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/symfony"
},
"ranges": [
{
"events": [
{
"introduced": "7.3.0"
},
{
"fixed": "7.4.12"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/symfony"
},
"ranges": [
{
"events": [
{
"introduced": "8.0.0"
},
{
"fixed": "8.0.12"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-45756"
],
"database_specific": {
"cwe_ids": [
"CWE-1333",
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-28T17:34:55Z",
"nvd_published_at": null,
"severity": "LOW"
},
"details": "### Description\n\nThe `JsonPath` component\u0027s `match()` and `search()` filter functions compile a caller-supplied pattern straight into `preg_match()`:\n\n```php\n\u0027match\u0027 =\u003e @preg_match(\\sprintf(\u0027/^%s$/u\u0027, $this-\u003etransformJsonPathRegex($argList[1])), $value),\n\u0027search\u0027 =\u003e @preg_match(\"/{$this-\u003etransformJsonPathRegex($argList[1])}/u\", $value),\n```\n\n`transformJsonPathRegex()` only performs cosmetic escaping: there is no length cap, no restriction to the RFC 9485 i-regexp subset, and no bound on backtracking. An application that evaluates an attacker-influenced JSONPath expression server-side (e.g. one taken from a query parameter or API field and passed to `JsonCrawler`) can therefore be made to run a catastrophic-backtracking pattern such as `$[?search(@, \"(a+)+$\")]`. Evaluated against a moderately sized document, this pins a CPU core for seconds per request, so a handful of concurrent requests exhausts the worker pool: a denial of service. Because the `preg_match()` calls are prefixed with `@`, the PCRE backtrack-limit errors that would otherwise surface are suppressed, leaving no log trace.\n\n### Conditions for exploitation\n\nAn application that evaluates an attacker-influenced JSONPath expression containing a `match()` / `search()` filter against any non-trivial JSON input.\n\n### Resolution\n\n`JsonCrawler` runs the `preg_match()` calls through a helper that lowers `pcre.backtrack_limit` to 10000 for the duration of the call (restoring the previous value afterwards), so a pathological pattern fails fast instead of stalling the worker.\n\nThe patch for this issue is available [here](https://github.com/symfony/symfony/commit/1ac2d47418ec23066112db1e6ca35be6fe123d14) for branch 7.4.\n\n### Credits\n\nSymfony would like to thank Himanshu Anand for reporting the issue and Alexandre Daubois for providing the fix.",
"id": "GHSA-8v8v-g73j-492j",
"modified": "2026-05-28T17:34:55Z",
"published": "2026-05-28T17:34:55Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/symfony/symfony/security/advisories/GHSA-8v8v-g73j-492j"
},
{
"type": "WEB",
"url": "https://github.com/symfony/symfony/commit/1ac2d47418ec23066112db1e6ca35be6fe123d14"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/json-path/CVE-2026-45756.yaml"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2026-45756.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/symfony/symfony"
},
{
"type": "WEB",
"url": "https://symfony.com/cve-2026-45756"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U",
"type": "CVSS_V4"
}
],
"summary": "Symfony\u0027s JsonPath Evaluates Attacker-Controlled Regular Expressions in match()/search() Without Limits \u2014 ReDoS"
}
GHSA-8VJH-PXFW-4FQM
Vulnerability from github – Published: 2025-03-20 12:32 – Updated: 2025-10-15 15:30A vulnerability in binary-husky/gpt_academic, as of commit 310122f, allows for a Regular Expression Denial of Service (ReDoS) attack. The function '解析项目源码(手动指定和筛选源码文件类型)' permits the execution of user-provided regular expressions. Certain regular expressions can cause the Python RE engine to take exponential time to execute, leading to a Denial of Service (DoS) condition. An attacker who controls both the regular expression and the search string can exploit this vulnerability to hang the server for an arbitrary amount of time.
{
"affected": [],
"aliases": [
"CVE-2024-12391"
],
"database_specific": {
"cwe_ids": [
"CWE-1333",
"CWE-183"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-20T10:15:28Z",
"severity": "MODERATE"
},
"details": "A vulnerability in binary-husky/gpt_academic, as of commit 310122f, allows for a Regular Expression Denial of Service (ReDoS) attack. The function \u0027\u89e3\u6790\u9879\u76ee\u6e90\u7801\uff08\u624b\u52a8\u6307\u5b9a\u548c\u7b5b\u9009\u6e90\u7801\u6587\u4ef6\u7c7b\u578b\uff09\u0027 permits the execution of user-provided regular expressions. Certain regular expressions can cause the Python RE engine to take exponential time to execute, leading to a Denial of Service (DoS) condition. An attacker who controls both the regular expression and the search string can exploit this vulnerability to hang the server for an arbitrary amount of time.",
"id": "GHSA-8vjh-pxfw-4fqm",
"modified": "2025-10-15T15:30:24Z",
"published": "2025-03-20T12:32:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12391"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/70b3f4f0-6b1b-4563-a18c-fe46502e6ba0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Use regular expressions that do not support backtracking, e.g. by removing nested quantifiers.
Mitigation
Set backtracking limits in the configuration of the regular expression implementation, such as PHP's pcre.backtrack_limit. Also consider limits on execution time for the process.
Mitigation
Do not use regular expressions with untrusted input. If regular expressions must be used, avoid using backtracking in the expression.
Mitigation
Limit the length of the input that the regular expression will process.
CAPEC-492: Regular Expression Exponential Blowup
An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions.