CWE-1333
AllowedInefficient Regular Expression Complexity
Abstraction: Base · Status: Draft
The product uses a regular expression with a worst-case computational complexity that is inefficient and possibly exponential.
725 vulnerabilities reference this CWE, most recent first.
GHSA-968P-4WVH-CQC8
Vulnerability from github – Published: 2025-03-11 20:30 – Updated: 2025-04-16 15:39Impact
When using Babel to compile regular expression named capturing groups, Babel will generate a polyfill for the .replace method that has quadratic complexity on some specific replacement pattern strings (i.e. the second argument passed to .replace).
Your generated code is vulnerable if all the following conditions are true:
- You use Babel to compile regular expression named capturing groups
- You use the .replace method on a regular expression that contains named capturing groups
- Your code uses untrusted strings as the second argument of .replace
If you are using @babel/preset-env with the targets option, the transform that injects the vulnerable code is automatically enabled if:
- you use duplicated named capturing groups, and target any browser older than Chrome/Edge 126, Opera 112, Firefox 129, Safari 17.4, or Node.js 23
- you use any named capturing groups, and target any browser older than Chrome 64, Opera 71, Edge 79, Firefox 78, Safari 11.1, or Node.js 10
You can verify what transforms @babel/preset-env is using by enabling the debug option.
Patches
This problem has been fixed in @babel/helpers and @babel/runtime 7.26.10 and 8.0.0-alpha.17, please upgrade. It's likely that you do not directly depend on @babel/helpers, and instead you depend on @babel/core (which itself depends on @babel/helpers). Upgrading to @babel/core 7.26.10 is not required, but it guarantees that you are on a new enough @babel/helpers version.
Please note that just updating your Babel dependencies is not enough: you will also need to re-compile your code.
Workarounds
If you are passing user-provided strings as the second argument of .replace on regular expressions that contain named capturing groups, validate the input and make sure it does not contain the substring $< if it's then not followed by > (possibly with other characters in between).
References
This vulnerability was reported and fixed in https://github.com/babel/babel/pull/17173.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@babel/helpers"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "7.26.10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@babel/runtime"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "7.26.10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@babel/runtime-corejs2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "7.26.10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@babel/runtime-corejs3"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "7.26.10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c 8.0.0-alpha.16"
},
"package": {
"ecosystem": "npm",
"name": "@babel/helpers"
},
"ranges": [
{
"events": [
{
"introduced": "8.0.0-alpha.0"
},
{
"fixed": "8.0.0-alpha.17"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c 8.0.0-alpha.16"
},
"package": {
"ecosystem": "npm",
"name": "@babel/runtime"
},
"ranges": [
{
"events": [
{
"introduced": "8.0.0-alpha.0"
},
{
"fixed": "8.0.0-alpha.17"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c 8.0.0-alpha.16"
},
"package": {
"ecosystem": "npm",
"name": "@babel/runtime-corejs2"
},
"ranges": [
{
"events": [
{
"introduced": "8.0.0-alpha.0"
},
{
"fixed": "8.0.0-alpha.17"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c 8.0.0-alpha.16"
},
"package": {
"ecosystem": "npm",
"name": "@babel/runtime-corejs3"
},
"ranges": [
{
"events": [
{
"introduced": "8.0.0-alpha.0"
},
{
"fixed": "8.0.0-alpha.17"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-27789"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2025-03-11T20:30:18Z",
"nvd_published_at": "2025-03-11T20:15:18Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nWhen using Babel to compile [regular expression named capturing groups](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Regular_expressions/Named_capturing_group), Babel will generate a polyfill for the `.replace` method that has quadratic complexity on some specific replacement pattern strings (i.e. the second argument passed to `.replace`).\n\nYour generated code is vulnerable if _all_ the following conditions are true:\n- You use Babel to compile [regular expression named capturing groups](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Regular_expressions/Named_capturing_group)\n- You use the `.replace` method on a regular expression that contains named capturing groups\n- **Your code uses untrusted strings as the second argument of `.replace`**\n\nIf you are using `@babel/preset-env` with the [`targets`](https://babeljs.io/docs/options#targets) option, the transform that injects the vulnerable code is automatically enabled if:\n- you use [_duplicated_ named capturing groups](https://github.com/tc39/proposal-duplicate-named-capturing-groups), and target any browser older than Chrome/Edge 126, Opera 112, Firefox 129, Safari 17.4, or Node.js 23\n- you use any [named capturing groups](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Regular_expressions/Named_capturing_group), and target any browser older than Chrome 64, Opera 71, Edge 79, Firefox 78, Safari 11.1, or Node.js 10\n\nYou can verify what transforms `@babel/preset-env` is using by enabling the [`debug` option](https://babeljs.io/docs/babel-preset-env#debug).\n\n\n### Patches\n\nThis problem has been fixed in `@babel/helpers` and `@babel/runtime` 7.26.10 and 8.0.0-alpha.17, please upgrade. It\u0027s likely that you do not directly depend on `@babel/helpers`, and instead you depend on `@babel/core` (which itself depends on `@babel/helpers`). Upgrading to `@babel/core` 7.26.10 is not required, but it guarantees that you are on a new enough `@babel/helpers` version.\n\nPlease note that just updating your Babel dependencies is not enough: you will also need to re-compile your code.\n\n### Workarounds\n\nIf you are passing user-provided strings as the second argument of `.replace` on regular expressions that contain named capturing groups, validate the input and make sure it does not contain the substring `$\u003c` if it\u0027s then not followed by `\u003e` (possibly with other characters in between).\n\n### References\n\nThis vulnerability was reported and fixed in https://github.com/babel/babel/pull/17173.",
"id": "GHSA-968p-4wvh-cqc8",
"modified": "2025-04-16T15:39:50Z",
"published": "2025-03-11T20:30:18Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/babel/babel/security/advisories/GHSA-968p-4wvh-cqc8"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27789"
},
{
"type": "WEB",
"url": "https://github.com/babel/babel/pull/17173"
},
{
"type": "WEB",
"url": "https://github.com/babel/babel/commit/d5952e80c0faa5ec20e35085531b6e572d31dad4"
},
{
"type": "PACKAGE",
"url": "https://github.com/babel/babel"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups"
}
GHSA-994J-5C83-R424
Vulnerability from github – Published: 2025-06-30 18:31 – Updated: 2025-06-30 21:39string-math v1.2.2 was discovered to contain a Regex Denial of Service (ReDoS) which is exploited via a crafted input.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "string-math"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.2.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-45143"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2025-06-30T21:39:23Z",
"nvd_published_at": "2025-06-30T17:15:32Z",
"severity": "LOW"
},
"details": "string-math v1.2.2 was discovered to contain a Regex Denial of Service (ReDoS) which is exploited via a crafted input.",
"id": "GHSA-994j-5c83-r424",
"modified": "2025-06-30T21:39:23Z",
"published": "2025-06-30T18:31:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-45143"
},
{
"type": "WEB",
"url": "https://gist.github.com/6en6ar/361608bccedb808061359481fe2f1b39"
},
{
"type": "PACKAGE",
"url": "https://github.com/devrafalko/string-math"
},
{
"type": "WEB",
"url": "https://github.com/devrafalko/string-math/blob/master/string-math.js"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/package/string-math%2C"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "string-math\u0027s string-math.js vulnerability can cause Regex Denial of Service (ReDoS) "
}
GHSA-997P-PQQ2-W5F5
Vulnerability from github – Published: 2024-04-12 03:30 – Updated: 2024-04-12 03:30A denial of service vulnerability was identified in GitLab CE/EE, versions 16.7.7 prior to 16.8.6, 16.9 prior to 16.9.4 and 16.10 prior to 16.10.2 which allows an attacker to spike the GitLab instance resources usage resulting in service degradation via chat integration feature.
{
"affected": [],
"aliases": [
"CVE-2023-6489"
],
"database_specific": {
"cwe_ids": [
"CWE-1333",
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-12T01:15:57Z",
"severity": "MODERATE"
},
"details": "A denial of service vulnerability was identified in GitLab CE/EE, versions 16.7.7 prior to 16.8.6, 16.9 prior to 16.9.4 and 16.10 prior to 16.10.2 which allows an attacker to spike the GitLab instance resources usage resulting in service degradation via chat integration feature.",
"id": "GHSA-997p-pqq2-w5f5",
"modified": "2024-04-12T03:30:42Z",
"published": "2024-04-12T03:30:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6489"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/2262450"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/433520"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-9FRC-8383-795M
Vulnerability from github – Published: 2026-05-27 21:34 – Updated: 2026-05-27 21:34Description
Symfony\Component\Yaml\Parser::cleanup() strips the optional %YAML directive header, leading comments, and document start/end markers before parsing. The original regexes contained overlapping quantifiers, most notably '#^%YAML[: ][\d.]+.*\n#u', whose [\d.]+ and .* overlap on the dot, that exhibit catastrophic backtracking on crafted input. A single oversized %YAML directive header (or comment / document-marker line) makes the parser hang for an arbitrarily long time, denying service.
Resolution
The four regexes in Parser::cleanup() (YAML directive header, leading comments, document-start marker, document-end marker) have been rewritten with possessive quantifiers and unambiguous character classes so backtracking cannot occur.
The patch for this issue is available here for branch 5.4.
Credits
Symfony would like to thank Pietro Tirenna (Shielder) for reporting the issue and Nicolas Grekas for fixing it.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/yaml"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.4.52"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/symfony"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.4.52"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/symfony"
},
"ranges": [
{
"events": [
{
"introduced": "6.0.0"
},
{
"fixed": "6.4.40"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/symfony"
},
"ranges": [
{
"events": [
{
"introduced": "7.0.0"
},
{
"fixed": "7.4.12"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/symfony"
},
"ranges": [
{
"events": [
{
"introduced": "8.0.0"
},
{
"fixed": "8.0.12"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/yaml"
},
"ranges": [
{
"events": [
{
"introduced": "6.0.0"
},
{
"fixed": "6.4.40"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/yaml"
},
"ranges": [
{
"events": [
{
"introduced": "7.0.0"
},
{
"fixed": "7.4.12"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/yaml"
},
"ranges": [
{
"events": [
{
"introduced": "8.0.0"
},
{
"fixed": "8.0.12"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-45305"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-27T21:34:35Z",
"nvd_published_at": null,
"severity": "LOW"
},
"details": "### Description\n\n`Symfony\\Component\\Yaml\\Parser::cleanup()` strips the optional `%YAML` directive header, leading comments, and document start/end markers before parsing. The original regexes contained overlapping quantifiers, most notably `\u0027#^%YAML[: ][\\d.]+.*\\n#u\u0027`, whose `[\\d.]+` and `.*` overlap on the dot, that exhibit catastrophic backtracking on crafted input. A single oversized `%YAML` directive header (or comment / document-marker line) makes the parser hang for an arbitrarily long time, denying service.\n\n### Resolution\n\nThe four regexes in `Parser::cleanup()` (YAML directive header, leading comments, document-start marker, document-end marker) have been rewritten with possessive quantifiers and unambiguous character classes so backtracking cannot occur.\n\nThe patch for this issue is available [here](https://github.com/symfony/symfony/commit/9749cd43c5e09b3735093623670b21b9d8a056cb) for branch 5.4.\n\n### Credits\n\nSymfony would like to thank Pietro Tirenna (Shielder) for reporting the issue and Nicolas Grekas for fixing it.",
"id": "GHSA-9frc-8383-795m",
"modified": "2026-05-27T21:34:36Z",
"published": "2026-05-27T21:34:35Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/symfony/symfony/security/advisories/GHSA-9frc-8383-795m"
},
{
"type": "WEB",
"url": "https://github.com/symfony/symfony/commit/9749cd43c5e09b3735093623670b21b9d8a056cb"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2026-45305.yaml"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/yaml/CVE-2026-45305.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/symfony/symfony"
},
{
"type": "WEB",
"url": "https://symfony.com/cve-2026-45305"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U",
"type": "CVSS_V4"
}
],
"summary": "Symfony\u0027s YAML Parser has a ReDoS via Catastrophic Backtracking in Parser::cleanup() Regex"
}
GHSA-9H5V-PFQQ-X599
Vulnerability from github – Published: 2026-06-15 20:15 – Updated: 2026-06-15 20:15Summary
A regular expression denial-of-service (ReDoS) vulnerability has been discovered in ua-parser-js when using the Client Hints API. By sending a crafted Sec-CH-UA-Model header to an application that calls UAParser(headers).withClientHints(), an attacker can cause the parser to spend excessive CPU time due to catastrophic backtracking in the device regex:
/ ([\w ]+) miui\/v?\d/i
Unlike when using the User-Agent value, which has a hard limit of UA_MAX_LENGTH = 500, when using Client Hints, values are copied without a length limit before being passed into regex parsing.
PoC
const { UAParser } = require('ua-parser-js');
const headers = {
'sec-ch-ua-platform': '"Android"',
'sec-ch-ua-mobile': '?1',
'sec-ch-ua-model': '"' + 'A '.repeat(25000) + '"'
};
const t0 = process.hrtime.bigint();
UAParser(headers).withClientHints();
const ms = Number(process.hrtime.bigint() - t0) / 1e6;
if (ms > 100) {
console.log('Potential ReDoS');
}
Impact
This vulnerability allows an unauthenticated attacker to trigger a denial-of-service condition in any server-side application that uses UAParser(headers).withClientHints(). A single request with a ~32,000-character model value can consume over 400ms of CPU time, with parsing time growing polynomially with input length. The impact is availability only, there is no confidentiality or integrity impact.
Affected Versions
ua-parser-js versions >=2.0.1, <=2.0.9 are affected. The withClientHints() API is not present in version 0.7.x or 1.x.
Patches
A patch has been released to fix the vulnerable regular expression and limit the Client Hints input. Users should update to version 2.0.10 or later.
References
Credits
Thanks to @sondt99, who first reported the issue.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "ua-parser-js"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.1"
},
{
"fixed": "2.0.10"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-48125"
],
"database_specific": {
"cwe_ids": [
"CWE-1333",
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-15T20:15:02Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Summary\n\nA regular expression denial-of-service (ReDoS) vulnerability has been discovered in `ua-parser-js` when using the Client Hints API. By sending a crafted `Sec-CH-UA-Model` header to an application that calls `UAParser(headers).withClientHints()`, an attacker can cause the parser to spend excessive CPU time due to catastrophic backtracking in the device [regex](https://github.com/faisalman/ua-parser-js/blob/2.0.9/src/main/ua-parser.js#L615):\n\n```js\n/ ([\\w ]+) miui\\/v?\\d/i\n```\n\nUnlike when using the `User-Agent` value, which has a hard limit of `UA_MAX_LENGTH = 500`, when using Client Hints, values are copied without a length limit before being passed into regex parsing.\n\n### PoC\n\n```js\nconst { UAParser } = require(\u0027ua-parser-js\u0027);\n\nconst headers = {\n \u0027sec-ch-ua-platform\u0027: \u0027\"Android\"\u0027,\n \u0027sec-ch-ua-mobile\u0027: \u0027?1\u0027,\n \u0027sec-ch-ua-model\u0027: \u0027\"\u0027 + \u0027A \u0027.repeat(25000) + \u0027\"\u0027\n};\n\nconst t0 = process.hrtime.bigint();\nUAParser(headers).withClientHints();\nconst ms = Number(process.hrtime.bigint() - t0) / 1e6;\n\nif (ms \u003e 100) {\n console.log(\u0027Potential ReDoS\u0027);\n}\n```\n\n### Impact\n\nThis vulnerability allows an unauthenticated attacker to trigger a denial-of-service condition in any __server-side__ application that uses `UAParser(headers).withClientHints()`. A single request with a ~32,000-character model value can consume over 400ms of CPU time, with parsing time growing polynomially with input length. The impact is __availability__ only, there is no confidentiality or integrity impact.\n\n### Affected Versions\n\n`ua-parser-js` versions `\u003e=2.0.1, \u003c=2.0.9` are affected. The `withClientHints()` API is not present in version `0.7.x` or `1.x`.\n\n### Patches\n\nA patch has been released to fix the vulnerable regular expression and limit the Client Hints input. Users should update to version `2.0.10` or later.\n\n### References\n\n- [Regular expression Denial of Service - ReDoS (OWASP)](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS)\n\n### Credits\n\nThanks to [@sondt99](https://github.com/sondt99), who first reported the issue.",
"id": "GHSA-9h5v-pfqq-x599",
"modified": "2026-06-15T20:15:02Z",
"published": "2026-06-15T20:15:02Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/faisalman/ua-parser-js/security/advisories/GHSA-9h5v-pfqq-x599"
},
{
"type": "PACKAGE",
"url": "https://github.com/faisalman/ua-parser-js"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "UAParser.js: Unbounded `Sec-CH-UA-Model` parsing can trigger ReDoS in `withClientHints()`"
}
GHSA-9H6G-PR28-7CQP
Vulnerability from github – Published: 2024-01-31 22:42 – Updated: 2025-09-03 15:21Summary
A ReDoS vulnerability occurs when nodemailer tries to parse img files with the parameter attachDataUrls set, causing the stuck of event loop.
Another flaw was found when nodemailer tries to parse an attachments with a embedded file, causing the stuck of event loop.
Details
Regex: /^data:((?:[^;];)(?:[^,])),(.)$/
Path: compile -> getAttachments -> _processDataUrl
Regex: /(] src\s=[\s"']*)(data:([^;]+);[^"'>\s]+)/
Path: _convertDataImages
PoC
https://gist.github.com/francoatmega/890dd5053375333e40c6fdbcc8c58df6 https://gist.github.com/francoatmega/9aab042b0b24968d7b7039818e8b2698
async function exploit() {
const MailComposer = require(\"nodemailer/lib/mail-composer\");
const MailComposerObject = new MailComposer();
// Create a malicious data URL that will cause excessive backtracking
// This data URL is crafted to have a long sequence of characters that will cause the regex to backtrack
const maliciousDataUrl = 'data:image/png;base64,' + 'A;B;C;D;E;F;G;H;I;J;K;L;M;N;O;P;Q;R;S;T;U;V;W;X;Y;Z;'.repeat(1000) + '==';
// Call the vulnerable method with the crafted input
const result = await MailComposerObject._processDataUrl({ path: maliciousDataUrl });
}
await exploit();
Impact
ReDoS causes the event loop to stuck a specially crafted evil email can cause this problem.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 6.9.8"
},
"package": {
"ecosystem": "npm",
"name": "nodemailer"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.9.9"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2024-01-31T22:42:54Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Summary\nA ReDoS vulnerability occurs when nodemailer tries to parse img files with the parameter `attachDataUrls` set, causing the stuck of event loop. \nAnother flaw was found when nodemailer tries to parse an attachments with a embedded file, causing the stuck of event loop. \n\n### Details\n\nRegex: /^data:((?:[^;]*;)*(?:[^,]*)),(.*)$/\n\nPath: compile -\u003e getAttachments -\u003e _processDataUrl\n\nRegex: /(\u003cimg\\b[^\u003e]* src\\s*=[\\s\"\u0027]*)(data:([^;]+);[^\"\u0027\u003e\\s]+)/\n\nPath: _convertDataImages\n\n### PoC\n\nhttps://gist.github.com/francoatmega/890dd5053375333e40c6fdbcc8c58df6\nhttps://gist.github.com/francoatmega/9aab042b0b24968d7b7039818e8b2698\n\n```js\nasync function exploit() {\n const MailComposer = require(\\\"nodemailer/lib/mail-composer\\\");\n const MailComposerObject = new MailComposer();\n\n // Create a malicious data URL that will cause excessive backtracking\n // This data URL is crafted to have a long sequence of characters that will cause the regex to backtrack\n const maliciousDataUrl = \u0027data:image/png;base64,\u0027 + \u0027A;B;C;D;E;F;G;H;I;J;K;L;M;N;O;P;Q;R;S;T;U;V;W;X;Y;Z;\u0027.repeat(1000) + \u0027==\u0027;\n\n // Call the vulnerable method with the crafted input\n const result = await MailComposerObject._processDataUrl({ path: maliciousDataUrl });\n}\n\nawait exploit();\n```\n\n### Impact\n\nReDoS causes the event loop to stuck a specially crafted evil email can cause this problem.",
"id": "GHSA-9h6g-pr28-7cqp",
"modified": "2025-09-03T15:21:03Z",
"published": "2024-01-31T22:42:54Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/nodemailer/nodemailer/security/advisories/GHSA-9h6g-pr28-7cqp"
},
{
"type": "WEB",
"url": "https://github.com/nodemailer/nodemailer/commit/dd8f5e8a4ddc99992e31df76bcff9c590035cd4a"
},
{
"type": "WEB",
"url": "https://gist.github.com/francoatmega/890dd5053375333e40c6fdbcc8c58df6"
},
{
"type": "WEB",
"url": "https://gist.github.com/francoatmega/9aab042b0b24968d7b7039818e8b2698"
},
{
"type": "PACKAGE",
"url": "https://github.com/nodemailer/nodemailer"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "nodemailer ReDoS when trying to send a specially crafted email"
}
GHSA-9JXF-24G6-463J
Vulnerability from github – Published: 2023-12-21 03:30 – Updated: 2024-01-04 15:30An issue was discovered in Heimdal Thor agent versions 3.4.2 and before on Windows and 2.6.9 and before on macOS, allows attackers to cause a denial of service (DoS) via the Threat To Process Correlation threat prevention module.
{
"affected": [],
"aliases": [
"CVE-2023-29487"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-12-21T01:15:32Z",
"severity": "CRITICAL"
},
"details": "An issue was discovered in Heimdal Thor agent versions 3.4.2 and before on Windows and 2.6.9 and before on macOS, allows attackers to cause a denial of service (DoS) via the Threat To Process Correlation threat prevention module.",
"id": "GHSA-9jxf-24g6-463j",
"modified": "2024-01-04T15:30:21Z",
"published": "2023-12-21T03:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29487"
},
{
"type": "WEB",
"url": "https://medium.com/%40drabek.a/weaknesses-in-heimdal-thors-line-of-products-9d0e5095fb93"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-9M49-P2J3-C6XM
Vulnerability from github – Published: 2025-10-16 09:30 – Updated: 2025-11-05 20:49*** UNSUPPORTED WHEN ASSIGNED *** Inefficient Regular Expression Complexity vulnerability in Apache Traffic Control.
This issue affects Apache Traffic Control: all versions.
People with access to the management interface of the Traffic Router component could specify malicious patterns and cause unavailability.
As this project is retired, it is not planned to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users.
NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/apache/trafficcontrol/v8"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "8.0.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-61581"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2025-10-16T21:14:47Z",
"nvd_published_at": "2025-10-16T09:15:35Z",
"severity": "LOW"
},
"details": "*** UNSUPPORTED WHEN ASSIGNED ***\nInefficient Regular Expression Complexity vulnerability in Apache Traffic Control.\n\nThis issue affects Apache Traffic Control: all versions.\n\nPeople with access to the management interface of the Traffic Router component could specify malicious patterns and cause unavailability.\n\nAs this project is retired, it is not planned to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users.\n\nNOTE: This vulnerability only affects products that are no longer supported by the maintainer.",
"id": "GHSA-9m49-p2j3-c6xm",
"modified": "2025-11-05T20:49:23Z",
"published": "2025-10-16T09:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61581"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/trafficcontrol"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/mx2jxgnlop2f4vbqnvmrldh4pqmobxvp"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2025/10/16/3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U",
"type": "CVSS_V4"
}
],
"summary": "Apache Traffic Control has an Inefficient Regular Expression Complexity vulnerability"
}
GHSA-9QHC-GMHR-257V
Vulnerability from github – Published: 2026-03-09 21:31 – Updated: 2026-03-11 15:31An issue pertaining to CWE-1333: Inefficient Regular Expression Complexity (4.19) was discovered in Sunbird-Ed SunbirdEd-portal v1.13.4.
{
"affected": [],
"aliases": [
"CVE-2025-70030"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-09T20:16:02Z",
"severity": "HIGH"
},
"details": "An issue pertaining to CWE-1333: Inefficient Regular Expression Complexity (4.19) was discovered in Sunbird-Ed SunbirdEd-portal v1.13.4.",
"id": "GHSA-9qhc-gmhr-257v",
"modified": "2026-03-11T15:31:37Z",
"published": "2026-03-09T21:31:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-70030"
},
{
"type": "WEB",
"url": "https://gist.github.com/zcxlighthouse/d80812b9d90683c0ac65db656ae3cfb0"
},
{
"type": "WEB",
"url": "https://github.com/Sunbird-Ed"
},
{
"type": "WEB",
"url": "https://github.com/Sunbird-Ed/SunbirdEd-portal"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-9RMH-MM8F-R9H6
Vulnerability from github – Published: 2026-05-14 20:29 – Updated: 2026-06-09 18:41An internal regex in the Svelte runtime can take exponential time to test in <svelte:element this={tag}></svelte:element>. You are only vulnerable to this if you allow tags of unconstrained length. If your application only allows a predetermined list of tags or trims their length before passing them to svelte:element, you are safe.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 5.55.6"
},
"package": {
"ecosystem": "npm",
"name": "svelte"
},
"ranges": [
{
"events": [
{
"introduced": "5.51.5"
},
{
"fixed": "5.55.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-42567"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-14T20:29:05Z",
"nvd_published_at": "2026-06-09T17:17:07Z",
"severity": "MODERATE"
},
"details": "An internal regex in the Svelte runtime can take exponential time to test in `\u003csvelte:element this={tag}\u003e\u003c/svelte:element\u003e`. You are only vulnerable to this if you allow tags of unconstrained length. If your application only allows a predetermined list of tags or trims their length before passing them to `svelte:element`, you are safe.",
"id": "GHSA-9rmh-mm8f-r9h6",
"modified": "2026-06-09T18:41:19Z",
"published": "2026-05-14T20:29:05Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/sveltejs/svelte/security/advisories/GHSA-9rmh-mm8f-r9h6"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42567"
},
{
"type": "PACKAGE",
"url": "https://github.com/sveltejs/svelte"
},
{
"type": "WEB",
"url": "https://github.com/sveltejs/svelte/releases/tag/svelte%405.55.7"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Svelte: ReDoS in `\u003csvelte:element\u003e` Tag Validation"
}
Mitigation
Use regular expressions that do not support backtracking, e.g. by removing nested quantifiers.
Mitigation
Set backtracking limits in the configuration of the regular expression implementation, such as PHP's pcre.backtrack_limit. Also consider limits on execution time for the process.
Mitigation
Do not use regular expressions with untrusted input. If regular expressions must be used, avoid using backtracking in the expression.
Mitigation
Limit the length of the input that the regular expression will process.
CAPEC-492: Regular Expression Exponential Blowup
An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions.