Common Weakness Enumeration

CWE-1333

Allowed

Inefficient Regular Expression Complexity

Abstraction: Base · Status: Draft

The product uses a regular expression with a worst-case computational complexity that is inefficient and possibly exponential.

725 vulnerabilities reference this CWE, most recent first.

GHSA-968P-4WVH-CQC8

Vulnerability from github – Published: 2025-03-11 20:30 – Updated: 2025-04-16 15:39
VLAI
Summary
Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups
Details

Impact

When using Babel to compile regular expression named capturing groups, Babel will generate a polyfill for the .replace method that has quadratic complexity on some specific replacement pattern strings (i.e. the second argument passed to .replace).

Your generated code is vulnerable if all the following conditions are true: - You use Babel to compile regular expression named capturing groups - You use the .replace method on a regular expression that contains named capturing groups - Your code uses untrusted strings as the second argument of .replace

If you are using @babel/preset-env with the targets option, the transform that injects the vulnerable code is automatically enabled if: - you use duplicated named capturing groups, and target any browser older than Chrome/Edge 126, Opera 112, Firefox 129, Safari 17.4, or Node.js 23 - you use any named capturing groups, and target any browser older than Chrome 64, Opera 71, Edge 79, Firefox 78, Safari 11.1, or Node.js 10

You can verify what transforms @babel/preset-env is using by enabling the debug option.

Patches

This problem has been fixed in @babel/helpers and @babel/runtime 7.26.10 and 8.0.0-alpha.17, please upgrade. It's likely that you do not directly depend on @babel/helpers, and instead you depend on @babel/core (which itself depends on @babel/helpers). Upgrading to @babel/core 7.26.10 is not required, but it guarantees that you are on a new enough @babel/helpers version.

Please note that just updating your Babel dependencies is not enough: you will also need to re-compile your code.

Workarounds

If you are passing user-provided strings as the second argument of .replace on regular expressions that contain named capturing groups, validate the input and make sure it does not contain the substring $< if it's then not followed by > (possibly with other characters in between).

References

This vulnerability was reported and fixed in https://github.com/babel/babel/pull/17173.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@babel/helpers"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "7.26.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@babel/runtime"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "7.26.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@babel/runtime-corejs2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "7.26.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@babel/runtime-corejs3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "7.26.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 8.0.0-alpha.16"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@babel/helpers"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.0.0-alpha.0"
            },
            {
              "fixed": "8.0.0-alpha.17"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 8.0.0-alpha.16"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@babel/runtime"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.0.0-alpha.0"
            },
            {
              "fixed": "8.0.0-alpha.17"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 8.0.0-alpha.16"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@babel/runtime-corejs2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.0.0-alpha.0"
            },
            {
              "fixed": "8.0.0-alpha.17"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 8.0.0-alpha.16"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@babel/runtime-corejs3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.0.0-alpha.0"
            },
            {
              "fixed": "8.0.0-alpha.17"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-27789"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-03-11T20:30:18Z",
    "nvd_published_at": "2025-03-11T20:15:18Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nWhen using Babel to compile [regular expression named capturing groups](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Regular_expressions/Named_capturing_group), Babel will generate a polyfill for the `.replace` method that has quadratic complexity on some specific replacement pattern strings (i.e. the second argument passed to `.replace`).\n\nYour generated code is vulnerable if _all_ the following conditions are true:\n- You use Babel to compile [regular expression named capturing groups](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Regular_expressions/Named_capturing_group)\n- You use the `.replace` method on a regular expression that contains named capturing groups\n- **Your code uses untrusted strings as the second argument of `.replace`**\n\nIf you are using `@babel/preset-env` with the [`targets`](https://babeljs.io/docs/options#targets) option, the transform that injects the vulnerable code is automatically enabled if:\n- you use [_duplicated_ named capturing groups](https://github.com/tc39/proposal-duplicate-named-capturing-groups), and target any browser older than Chrome/Edge 126, Opera 112, Firefox 129, Safari 17.4, or Node.js 23\n- you use any [named capturing groups](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Regular_expressions/Named_capturing_group), and target any browser older than Chrome 64, Opera 71, Edge 79, Firefox 78, Safari 11.1, or Node.js 10\n\nYou can verify what transforms `@babel/preset-env` is using by enabling the [`debug` option](https://babeljs.io/docs/babel-preset-env#debug).\n\n\n### Patches\n\nThis problem has been fixed in `@babel/helpers` and `@babel/runtime` 7.26.10 and 8.0.0-alpha.17, please upgrade. It\u0027s likely that you do not directly depend on `@babel/helpers`, and instead you depend on `@babel/core` (which itself depends on `@babel/helpers`). Upgrading to `@babel/core` 7.26.10 is not required, but it guarantees that you are on a new enough `@babel/helpers` version.\n\nPlease note that just updating your Babel dependencies is not enough: you will also need to re-compile your code.\n\n### Workarounds\n\nIf you are passing user-provided strings as the second argument of `.replace` on regular expressions that contain named capturing groups, validate the input and make sure it does not contain the substring `$\u003c` if it\u0027s then not followed by `\u003e` (possibly with other characters in between).\n\n### References\n\nThis vulnerability was reported and fixed in https://github.com/babel/babel/pull/17173.",
  "id": "GHSA-968p-4wvh-cqc8",
  "modified": "2025-04-16T15:39:50Z",
  "published": "2025-03-11T20:30:18Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/babel/babel/security/advisories/GHSA-968p-4wvh-cqc8"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27789"
    },
    {
      "type": "WEB",
      "url": "https://github.com/babel/babel/pull/17173"
    },
    {
      "type": "WEB",
      "url": "https://github.com/babel/babel/commit/d5952e80c0faa5ec20e35085531b6e572d31dad4"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/babel/babel"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups"
}

GHSA-994J-5C83-R424

Vulnerability from github – Published: 2025-06-30 18:31 – Updated: 2025-06-30 21:39
VLAI
Summary
string-math's string-math.js vulnerability can cause Regex Denial of Service (ReDoS)
Details

string-math v1.2.2 was discovered to contain a Regex Denial of Service (ReDoS) which is exploited via a crafted input.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "string-math"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.2.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-45143"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-06-30T21:39:23Z",
    "nvd_published_at": "2025-06-30T17:15:32Z",
    "severity": "LOW"
  },
  "details": "string-math v1.2.2 was discovered to contain a Regex Denial of Service (ReDoS) which is exploited via a crafted input.",
  "id": "GHSA-994j-5c83-r424",
  "modified": "2025-06-30T21:39:23Z",
  "published": "2025-06-30T18:31:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-45143"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/6en6ar/361608bccedb808061359481fe2f1b39"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/devrafalko/string-math"
    },
    {
      "type": "WEB",
      "url": "https://github.com/devrafalko/string-math/blob/master/string-math.js"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/package/string-math%2C"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "string-math\u0027s string-math.js vulnerability can cause Regex Denial of Service (ReDoS) "
}

GHSA-997P-PQQ2-W5F5

Vulnerability from github – Published: 2024-04-12 03:30 – Updated: 2024-04-12 03:30
VLAI
Details

A denial of service vulnerability was identified in GitLab CE/EE, versions 16.7.7 prior to 16.8.6, 16.9 prior to 16.9.4 and 16.10 prior to 16.10.2 which allows an attacker to spike the GitLab instance resources usage resulting in service degradation via chat integration feature.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-6489"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333",
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-12T01:15:57Z",
    "severity": "MODERATE"
  },
  "details": "A denial of service vulnerability was identified in GitLab CE/EE, versions 16.7.7 prior to 16.8.6, 16.9 prior to 16.9.4 and 16.10 prior to 16.10.2 which allows an attacker to spike the GitLab instance resources usage resulting in service degradation via chat integration feature.",
  "id": "GHSA-997p-pqq2-w5f5",
  "modified": "2024-04-12T03:30:42Z",
  "published": "2024-04-12T03:30:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6489"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/2262450"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/433520"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9FRC-8383-795M

Vulnerability from github – Published: 2026-05-27 21:34 – Updated: 2026-05-27 21:34
VLAI
Summary
Symfony's YAML Parser has a ReDoS via Catastrophic Backtracking in Parser::cleanup() Regex
Details

Description

Symfony\Component\Yaml\Parser::cleanup() strips the optional %YAML directive header, leading comments, and document start/end markers before parsing. The original regexes contained overlapping quantifiers, most notably '#^%YAML[: ][\d.]+.*\n#u', whose [\d.]+ and .* overlap on the dot, that exhibit catastrophic backtracking on crafted input. A single oversized %YAML directive header (or comment / document-marker line) makes the parser hang for an arbitrarily long time, denying service.

Resolution

The four regexes in Parser::cleanup() (YAML directive header, leading comments, document-start marker, document-end marker) have been rewritten with possessive quantifiers and unambiguous character classes so backtracking cannot occur.

The patch for this issue is available here for branch 5.4.

Credits

Symfony would like to thank Pietro Tirenna (Shielder) for reporting the issue and Nicolas Grekas for fixing it.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "symfony/yaml"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.4.52"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "symfony/symfony"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.4.52"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "symfony/symfony"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.0.0"
            },
            {
              "fixed": "6.4.40"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "symfony/symfony"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.0.0"
            },
            {
              "fixed": "7.4.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "symfony/symfony"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.0.0"
            },
            {
              "fixed": "8.0.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "symfony/yaml"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.0.0"
            },
            {
              "fixed": "6.4.40"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "symfony/yaml"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.0.0"
            },
            {
              "fixed": "7.4.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "symfony/yaml"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.0.0"
            },
            {
              "fixed": "8.0.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-45305"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-27T21:34:35Z",
    "nvd_published_at": null,
    "severity": "LOW"
  },
  "details": "### Description\n\n`Symfony\\Component\\Yaml\\Parser::cleanup()` strips the optional `%YAML` directive header, leading comments, and document start/end markers before parsing. The original regexes contained overlapping quantifiers, most notably `\u0027#^%YAML[: ][\\d.]+.*\\n#u\u0027`, whose `[\\d.]+` and `.*` overlap on the dot, that exhibit catastrophic backtracking on crafted input. A single oversized `%YAML` directive header (or comment / document-marker line) makes the parser hang for an arbitrarily long time, denying service.\n\n### Resolution\n\nThe four regexes in `Parser::cleanup()` (YAML directive header, leading comments, document-start marker, document-end marker) have been rewritten with possessive quantifiers and unambiguous character classes so backtracking cannot occur.\n\nThe patch for this issue is available [here](https://github.com/symfony/symfony/commit/9749cd43c5e09b3735093623670b21b9d8a056cb) for branch 5.4.\n\n### Credits\n\nSymfony would like to thank Pietro Tirenna (Shielder) for reporting the issue and Nicolas Grekas for fixing it.",
  "id": "GHSA-9frc-8383-795m",
  "modified": "2026-05-27T21:34:36Z",
  "published": "2026-05-27T21:34:35Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/symfony/symfony/security/advisories/GHSA-9frc-8383-795m"
    },
    {
      "type": "WEB",
      "url": "https://github.com/symfony/symfony/commit/9749cd43c5e09b3735093623670b21b9d8a056cb"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2026-45305.yaml"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/yaml/CVE-2026-45305.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/symfony/symfony"
    },
    {
      "type": "WEB",
      "url": "https://symfony.com/cve-2026-45305"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Symfony\u0027s YAML Parser has a ReDoS via Catastrophic Backtracking in Parser::cleanup() Regex"
}

GHSA-9H5V-PFQQ-X599

Vulnerability from github – Published: 2026-06-15 20:15 – Updated: 2026-06-15 20:15
VLAI
Summary
UAParser.js: Unbounded `Sec-CH-UA-Model` parsing can trigger ReDoS in `withClientHints()`
Details

Summary

A regular expression denial-of-service (ReDoS) vulnerability has been discovered in ua-parser-js when using the Client Hints API. By sending a crafted Sec-CH-UA-Model header to an application that calls UAParser(headers).withClientHints(), an attacker can cause the parser to spend excessive CPU time due to catastrophic backtracking in the device regex:

/ ([\w ]+) miui\/v?\d/i

Unlike when using the User-Agent value, which has a hard limit of UA_MAX_LENGTH = 500, when using Client Hints, values are copied without a length limit before being passed into regex parsing.

PoC

const { UAParser } = require('ua-parser-js');

const headers = {
  'sec-ch-ua-platform': '"Android"',
  'sec-ch-ua-mobile': '?1',
  'sec-ch-ua-model': '"' + 'A '.repeat(25000) + '"'
};

const t0 = process.hrtime.bigint();
UAParser(headers).withClientHints();
const ms = Number(process.hrtime.bigint() - t0) / 1e6;

if (ms > 100) {
  console.log('Potential ReDoS');
}

Impact

This vulnerability allows an unauthenticated attacker to trigger a denial-of-service condition in any server-side application that uses UAParser(headers).withClientHints(). A single request with a ~32,000-character model value can consume over 400ms of CPU time, with parsing time growing polynomially with input length. The impact is availability only, there is no confidentiality or integrity impact.

Affected Versions

ua-parser-js versions >=2.0.1, <=2.0.9 are affected. The withClientHints() API is not present in version 0.7.x or 1.x.

Patches

A patch has been released to fix the vulnerable regular expression and limit the Client Hints input. Users should update to version 2.0.10 or later.

References

Credits

Thanks to @sondt99, who first reported the issue.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "ua-parser-js"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.1"
            },
            {
              "fixed": "2.0.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-48125"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333",
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-15T20:15:02Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nA regular expression denial-of-service (ReDoS) vulnerability has been discovered in `ua-parser-js` when using the Client Hints API. By sending a crafted `Sec-CH-UA-Model` header to an application that calls `UAParser(headers).withClientHints()`, an attacker can cause the parser to spend excessive CPU time due to catastrophic backtracking in the device [regex](https://github.com/faisalman/ua-parser-js/blob/2.0.9/src/main/ua-parser.js#L615):\n\n```js\n/ ([\\w ]+) miui\\/v?\\d/i\n```\n\nUnlike when using the `User-Agent` value, which has a hard limit of `UA_MAX_LENGTH = 500`, when using Client Hints, values are copied without a length limit before being passed into regex parsing.\n\n### PoC\n\n```js\nconst { UAParser } = require(\u0027ua-parser-js\u0027);\n\nconst headers = {\n  \u0027sec-ch-ua-platform\u0027: \u0027\"Android\"\u0027,\n  \u0027sec-ch-ua-mobile\u0027: \u0027?1\u0027,\n  \u0027sec-ch-ua-model\u0027: \u0027\"\u0027 + \u0027A \u0027.repeat(25000) + \u0027\"\u0027\n};\n\nconst t0 = process.hrtime.bigint();\nUAParser(headers).withClientHints();\nconst ms = Number(process.hrtime.bigint() - t0) / 1e6;\n\nif (ms \u003e 100) {\n  console.log(\u0027Potential ReDoS\u0027);\n}\n```\n\n### Impact\n\nThis vulnerability allows an unauthenticated attacker to trigger a denial-of-service condition in any __server-side__ application that uses `UAParser(headers).withClientHints()`. A single request with a ~32,000-character model value can consume over 400ms of CPU time, with parsing time growing polynomially with input length. The impact is __availability__ only, there is no confidentiality or integrity impact.\n\n### Affected Versions\n\n`ua-parser-js` versions `\u003e=2.0.1, \u003c=2.0.9` are affected. The `withClientHints()` API is not present in version `0.7.x` or `1.x`.\n\n### Patches\n\nA patch has been released to fix the vulnerable regular expression and limit the Client Hints input. Users should update to version `2.0.10` or later.\n\n### References\n\n- [Regular expression Denial of Service - ReDoS (OWASP)](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS)\n\n### Credits\n\nThanks to [@sondt99](https://github.com/sondt99), who first reported the issue.",
  "id": "GHSA-9h5v-pfqq-x599",
  "modified": "2026-06-15T20:15:02Z",
  "published": "2026-06-15T20:15:02Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/faisalman/ua-parser-js/security/advisories/GHSA-9h5v-pfqq-x599"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/faisalman/ua-parser-js"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "UAParser.js: Unbounded `Sec-CH-UA-Model` parsing can trigger ReDoS in `withClientHints()`"
}

GHSA-9H6G-PR28-7CQP

Vulnerability from github – Published: 2024-01-31 22:42 – Updated: 2025-09-03 15:21
VLAI
Summary
nodemailer ReDoS when trying to send a specially crafted email
Details

Summary

A ReDoS vulnerability occurs when nodemailer tries to parse img files with the parameter attachDataUrls set, causing the stuck of event loop. Another flaw was found when nodemailer tries to parse an attachments with a embedded file, causing the stuck of event loop.

Details

Regex: /^data:((?:[^;];)(?:[^,])),(.)$/

Path: compile -> getAttachments -> _processDataUrl

Regex: /(] src\s=[\s"']*)(data:([^;]+);[^"'>\s]+)/

Path: _convertDataImages

PoC

https://gist.github.com/francoatmega/890dd5053375333e40c6fdbcc8c58df6 https://gist.github.com/francoatmega/9aab042b0b24968d7b7039818e8b2698

async function exploit() {
   const MailComposer = require(\"nodemailer/lib/mail-composer\");
   const MailComposerObject = new MailComposer();

   // Create a malicious data URL that will cause excessive backtracking
   // This data URL is crafted to have a long sequence of characters that will cause the regex to backtrack
   const maliciousDataUrl = 'data:image/png;base64,' + 'A;B;C;D;E;F;G;H;I;J;K;L;M;N;O;P;Q;R;S;T;U;V;W;X;Y;Z;'.repeat(1000) + '==';

   // Call the vulnerable method with the crafted input
   const result = await MailComposerObject._processDataUrl({ path: maliciousDataUrl });
}

await exploit();

Impact

ReDoS causes the event loop to stuck a specially crafted evil email can cause this problem.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 6.9.8"
      },
      "package": {
        "ecosystem": "npm",
        "name": "nodemailer"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.9.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-01-31T22:42:54Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\nA ReDoS vulnerability occurs when nodemailer tries to parse img files with the parameter `attachDataUrls` set, causing the stuck of event loop. \nAnother flaw was found when nodemailer tries to parse an attachments with a embedded file, causing the stuck of event loop. \n\n### Details\n\nRegex: /^data:((?:[^;]*;)*(?:[^,]*)),(.*)$/\n\nPath: compile -\u003e getAttachments -\u003e _processDataUrl\n\nRegex: /(\u003cimg\\b[^\u003e]* src\\s*=[\\s\"\u0027]*)(data:([^;]+);[^\"\u0027\u003e\\s]+)/\n\nPath: _convertDataImages\n\n### PoC\n\nhttps://gist.github.com/francoatmega/890dd5053375333e40c6fdbcc8c58df6\nhttps://gist.github.com/francoatmega/9aab042b0b24968d7b7039818e8b2698\n\n```js\nasync function exploit() {\n   const MailComposer = require(\\\"nodemailer/lib/mail-composer\\\");\n   const MailComposerObject = new MailComposer();\n\n   // Create a malicious data URL that will cause excessive backtracking\n   // This data URL is crafted to have a long sequence of characters that will cause the regex to backtrack\n   const maliciousDataUrl = \u0027data:image/png;base64,\u0027 + \u0027A;B;C;D;E;F;G;H;I;J;K;L;M;N;O;P;Q;R;S;T;U;V;W;X;Y;Z;\u0027.repeat(1000) + \u0027==\u0027;\n\n   // Call the vulnerable method with the crafted input\n   const result = await MailComposerObject._processDataUrl({ path: maliciousDataUrl });\n}\n\nawait exploit();\n```\n\n### Impact\n\nReDoS causes the event loop to stuck a specially crafted evil email can cause this problem.",
  "id": "GHSA-9h6g-pr28-7cqp",
  "modified": "2025-09-03T15:21:03Z",
  "published": "2024-01-31T22:42:54Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/nodemailer/nodemailer/security/advisories/GHSA-9h6g-pr28-7cqp"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nodemailer/nodemailer/commit/dd8f5e8a4ddc99992e31df76bcff9c590035cd4a"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/francoatmega/890dd5053375333e40c6fdbcc8c58df6"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/francoatmega/9aab042b0b24968d7b7039818e8b2698"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/nodemailer/nodemailer"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "nodemailer ReDoS when trying to send a specially crafted email"
}

GHSA-9JXF-24G6-463J

Vulnerability from github – Published: 2023-12-21 03:30 – Updated: 2024-01-04 15:30
VLAI
Details

An issue was discovered in Heimdal Thor agent versions 3.4.2 and before on Windows and 2.6.9 and before on macOS, allows attackers to cause a denial of service (DoS) via the Threat To Process Correlation threat prevention module.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-29487"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-12-21T01:15:32Z",
    "severity": "CRITICAL"
  },
  "details": "An issue was discovered in Heimdal Thor agent versions 3.4.2 and before on Windows and 2.6.9 and before on macOS, allows attackers to cause a denial of service (DoS) via the Threat To Process Correlation threat prevention module.",
  "id": "GHSA-9jxf-24g6-463j",
  "modified": "2024-01-04T15:30:21Z",
  "published": "2023-12-21T03:30:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29487"
    },
    {
      "type": "WEB",
      "url": "https://medium.com/%40drabek.a/weaknesses-in-heimdal-thors-line-of-products-9d0e5095fb93"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9M49-P2J3-C6XM

Vulnerability from github – Published: 2025-10-16 09:30 – Updated: 2025-11-05 20:49
VLAI
Summary
Apache Traffic Control has an Inefficient Regular Expression Complexity vulnerability
Details

*** UNSUPPORTED WHEN ASSIGNED *** Inefficient Regular Expression Complexity vulnerability in Apache Traffic Control.

This issue affects Apache Traffic Control: all versions.

People with access to the management interface of the Traffic Router component could specify malicious patterns and cause unavailability.

As this project is retired, it is not planned to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users.

NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/apache/trafficcontrol/v8"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "8.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-61581"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-10-16T21:14:47Z",
    "nvd_published_at": "2025-10-16T09:15:35Z",
    "severity": "LOW"
  },
  "details": "*** UNSUPPORTED WHEN ASSIGNED ***\nInefficient Regular Expression Complexity vulnerability in Apache Traffic Control.\n\nThis issue affects Apache Traffic Control: all versions.\n\nPeople with access to the management interface of the Traffic Router component could specify malicious patterns and cause unavailability.\n\nAs this project is retired, it is not planned to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users.\n\nNOTE: This vulnerability only affects products that are no longer supported by the maintainer.",
  "id": "GHSA-9m49-p2j3-c6xm",
  "modified": "2025-11-05T20:49:23Z",
  "published": "2025-10-16T09:30:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61581"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/trafficcontrol"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/mx2jxgnlop2f4vbqnvmrldh4pqmobxvp"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2025/10/16/3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Apache Traffic Control has an Inefficient Regular Expression Complexity vulnerability"
}

GHSA-9QHC-GMHR-257V

Vulnerability from github – Published: 2026-03-09 21:31 – Updated: 2026-03-11 15:31
VLAI
Details

An issue pertaining to CWE-1333: Inefficient Regular Expression Complexity (4.19) was discovered in Sunbird-Ed SunbirdEd-portal v1.13.4.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-70030"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-09T20:16:02Z",
    "severity": "HIGH"
  },
  "details": "An issue pertaining to CWE-1333: Inefficient Regular Expression Complexity (4.19) was discovered in Sunbird-Ed SunbirdEd-portal v1.13.4.",
  "id": "GHSA-9qhc-gmhr-257v",
  "modified": "2026-03-11T15:31:37Z",
  "published": "2026-03-09T21:31:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-70030"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/zcxlighthouse/d80812b9d90683c0ac65db656ae3cfb0"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Sunbird-Ed"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Sunbird-Ed/SunbirdEd-portal"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9RMH-MM8F-R9H6

Vulnerability from github – Published: 2026-05-14 20:29 – Updated: 2026-06-09 18:41
VLAI
Summary
Svelte: ReDoS in `<svelte:element>` Tag Validation
Details

An internal regex in the Svelte runtime can take exponential time to test in <svelte:element this={tag}></svelte:element>. You are only vulnerable to this if you allow tags of unconstrained length. If your application only allows a predetermined list of tags or trims their length before passing them to svelte:element, you are safe.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 5.55.6"
      },
      "package": {
        "ecosystem": "npm",
        "name": "svelte"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.51.5"
            },
            {
              "fixed": "5.55.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-42567"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-14T20:29:05Z",
    "nvd_published_at": "2026-06-09T17:17:07Z",
    "severity": "MODERATE"
  },
  "details": "An internal regex in the Svelte runtime can take exponential time to test in `\u003csvelte:element this={tag}\u003e\u003c/svelte:element\u003e`. You are only vulnerable to this if you allow tags of unconstrained length. If your application only allows a predetermined list of tags or trims their length before passing them to `svelte:element`, you are safe.",
  "id": "GHSA-9rmh-mm8f-r9h6",
  "modified": "2026-06-09T18:41:19Z",
  "published": "2026-05-14T20:29:05Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/sveltejs/svelte/security/advisories/GHSA-9rmh-mm8f-r9h6"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42567"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/sveltejs/svelte"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sveltejs/svelte/releases/tag/svelte%405.55.7"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Svelte: ReDoS in `\u003csvelte:element\u003e` Tag Validation"
}

Mitigation
Architecture and Design

Use regular expressions that do not support backtracking, e.g. by removing nested quantifiers.

Mitigation
System Configuration

Set backtracking limits in the configuration of the regular expression implementation, such as PHP's pcre.backtrack_limit. Also consider limits on execution time for the process.

Mitigation
Implementation

Do not use regular expressions with untrusted input. If regular expressions must be used, avoid using backtracking in the expression.

Mitigation
Implementation

Limit the length of the input that the regular expression will process.

CAPEC-492: Regular Expression Exponential Blowup

An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions.