CWE-1333
AllowedInefficient Regular Expression Complexity
Abstraction: Base · Status: Draft
The product uses a regular expression with a worst-case computational complexity that is inefficient and possibly exponential.
724 vulnerabilities reference this CWE, most recent first.
GHSA-CHRC-Q6V3-JFV8
Vulnerability from github – Published: 2023-05-24 18:30 – Updated: 2023-05-24 21:56Pattern Redirects in Liferay Portal 7.4.3.48 through 7.4.3.76, and Liferay DXP 7.4 update 48 through 76 allows regular expressions that are vulnerable to ReDoS attacks to be used as patterns, which allows remote attackers to consume an excessive amount of server resources via crafted request URLs.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "com.liferay.portal:release.portal.bom"
},
"ranges": [
{
"events": [
{
"introduced": "7.4.3.48"
},
{
"fixed": "7.4.3.77"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-33950"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2023-05-24T21:56:12Z",
"nvd_published_at": "2023-05-24T17:15:10Z",
"severity": "MODERATE"
},
"details": "Pattern Redirects in Liferay Portal 7.4.3.48 through 7.4.3.76, and Liferay DXP 7.4 update 48 through 76 allows regular expressions that are vulnerable to ReDoS attacks to be used as patterns, which allows remote attackers to consume an excessive amount of server resources via crafted request URLs.",
"id": "GHSA-chrc-q6v3-jfv8",
"modified": "2023-05-24T21:56:12Z",
"published": "2023-05-24T18:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33950"
},
{
"type": "PACKAGE",
"url": "https://github.com/liferay/liferay-portal"
},
{
"type": "WEB",
"url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2023-33950"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Liferay Portal has Inefficient Regular Expression"
}
GHSA-CHW2-6C7R-37P7
Vulnerability from github – Published: 2022-08-25 00:00 – Updated: 2023-03-20 20:09An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the uri-template-lite npm package, when an attacker is able to supply arbitrary input to the "URI.expand" method.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "uri-template-lite"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "22.9.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-43309"
],
"database_specific": {
"cwe_ids": [
"CWE-1333",
"CWE-697"
],
"github_reviewed": true,
"github_reviewed_at": "2022-09-01T22:21:35Z",
"nvd_published_at": "2022-08-24T16:15:00Z",
"severity": "MODERATE"
},
"details": "An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the uri-template-lite npm package, when an attacker is able to supply arbitrary input to the \"URI.expand\" method.",
"id": "GHSA-chw2-6c7r-37p7",
"modified": "2023-03-20T20:09:43Z",
"published": "2022-08-25T00:00:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43309"
},
{
"type": "WEB",
"url": "https://github.com/litejs/uri-template-lite/commit/cbeec2b2a275d819fb534137a155df14729706f8"
},
{
"type": "PACKAGE",
"url": "https://github.com/litejs/uri-template-lite"
},
{
"type": "WEB",
"url": "https://github.com/litejs/uri-template-lite/commits/v22.9.0"
},
{
"type": "WEB",
"url": "https://research.jfrog.com/vulnerabilities/uri-template-lite-redos-xray-211351"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "uri-template-lite Regular Expression Denial of Service"
}
GHSA-CJ83-2WW7-MVQ7
Vulnerability from github – Published: 2024-07-03 17:03 – Updated: 2024-11-05 18:12Summary
A Regular Expression Denial of Service (ReDoS) vulnerability exists in the Rack::Request::Helpers module when parsing HTTP Accept headers. This vulnerability can be exploited by an attacker sending specially crafted Accept-Encoding or Accept-Language headers, causing the server to spend excessive time processing the request and leading to a Denial of Service (DoS).
Details
The fix for https://github.com/rack/rack/security/advisories/GHSA-54rr-7fvw-6x8f was not applied to the main branch and thus while the issue was fixed for the Rack v3.0 release series, it was not fixed in the v3.1 release series until v3.1.5.
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "rack"
},
"ranges": [
{
"events": [
{
"introduced": "3.1.0"
},
{
"fixed": "3.1.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-39316"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2024-07-03T17:03:45Z",
"nvd_published_at": "2024-07-02T16:15:04Z",
"severity": "MODERATE"
},
"details": "### Summary\n\nA Regular Expression Denial of Service (ReDoS) vulnerability exists in the `Rack::Request::Helpers` module when parsing HTTP Accept headers. This vulnerability can be exploited by an attacker sending specially crafted `Accept-Encoding` or `Accept-Language` headers, causing the server to spend excessive time processing the request and leading to a Denial of Service (DoS).\n\n### Details\n\nThe fix for https://github.com/rack/rack/security/advisories/GHSA-54rr-7fvw-6x8f was not applied to the main branch and thus while the issue was fixed for the Rack v3.0 release series, it was not fixed in the v3.1 release series until v3.1.5.",
"id": "GHSA-cj83-2ww7-mvq7",
"modified": "2024-11-05T18:12:49Z",
"published": "2024-07-03T17:03:45Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/rack/rack/security/advisories/GHSA-54rr-7fvw-6x8f"
},
{
"type": "WEB",
"url": "https://github.com/rack/rack/security/advisories/GHSA-cj83-2ww7-mvq7"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39316"
},
{
"type": "WEB",
"url": "https://github.com/rack/rack/commit/412c980450ca729ee37f90a2661f166a9665e058"
},
{
"type": "WEB",
"url": "https://advisory.dw1.io/61"
},
{
"type": "PACKAGE",
"url": "https://github.com/rack/rack"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2024-39316.yml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Rack ReDoS Vulnerability in HTTP Accept Headers Parsing"
}
GHSA-CJ88-88MR-972W
Vulnerability from github – Published: 2022-07-18 17:03 – Updated: 2025-04-14 22:13glob-parent 6.0.0 is vulnerable to Regular Expression Denial of Service (ReDoS). This issue is fixed in version 6.0.1.
This vulnerability is separate from GHSA-ww39-953v-wcq6.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "glob-parent"
},
"ranges": [
{
"events": [
{
"introduced": "6.0.0"
},
{
"fixed": "6.0.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"6.0.0"
]
}
],
"aliases": [
"CVE-2021-35065"
],
"database_specific": {
"cwe_ids": [
"CWE-1333",
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2022-07-18T17:03:23Z",
"nvd_published_at": "2022-12-26T07:15:00Z",
"severity": "HIGH"
},
"details": "glob-parent 6.0.0 is vulnerable to Regular Expression Denial of Service (ReDoS). This issue is fixed in version 6.0.1.\n\nThis vulnerability is separate from [GHSA-ww39-953v-wcq6](https://github.com/advisories/GHSA-ww39-953v-wcq6).",
"id": "GHSA-cj88-88mr-972w",
"modified": "2025-04-14T22:13:25Z",
"published": "2022-07-18T17:03:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-35065"
},
{
"type": "WEB",
"url": "https://github.com/opensearch-project/OpenSearch-Dashboards/issues/1103"
},
{
"type": "WEB",
"url": "https://github.com/gulpjs/glob-parent/pull/49"
},
{
"type": "WEB",
"url": "https://github.com/gulpjs/glob-parent/commit/32f6d52663b7addac38d0dff570d8127edf03f47"
},
{
"type": "WEB",
"url": "https://github.com/gulpjs/glob-parent/commit/3e9f04a3b4349db7e1962d87c9a7398cda51f339"
},
{
"type": "PACKAGE",
"url": "https://github.com/gulpjs/glob-parent"
},
{
"type": "WEB",
"url": "https://github.com/gulpjs/glob-parent/releases/tag/v6.0.1"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20230214-0010"
},
{
"type": "WEB",
"url": "https://security.snyk.io/vuln/SNYK-JS-GLOBPARENT-1314294"
},
{
"type": "WEB",
"url": "https://www.mend.io/vulnerability-database/CVE-2021-35065"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "glob-parent 6.0.0 vulnerable to Regular Expression Denial of Service"
}
GHSA-CJW9-GHJ4-FWXF
Vulnerability from github – Published: 2026-04-09 16:41 – Updated: 2026-04-09 19:05⚠️ IMPORTANT CLARIFICATIONS
### Affected Configurations
This vulnerability ONLY affects applications that:
- Use RegExp objects (not strings) in the allowedAud, allowedIss, allowedSub, allowedJti, or allowedNonce options
- Configure patterns susceptible to catastrophic backtracking
- Example: allowedAud: /^(a+)+X$/ ← VULNERABLE
- Example: allowedAud: "api.company.com" ← SAFE
### Not Affected - Applications using string patterns for audience validation (most common) - Applications using safe RegExp patterns without nested quantifiers - Default fast-jwt configurations
### Assessment Guide
To determine if you're affected:
1. Check ifallowedAud, allowedIss, allowedSub, allowedJti, or allowedNonce use RegExp objects (/pattern/ or new RegExp())
2. If yes, review the pattern for nested quantifiers like (a+)+, (.*)*, etc.
3. If no RegExp usage, you are NOT affected
Summary
A denial-of-service condition exists in fast-jwt when the allowedAud verification option is configured using a regular expression.
Because the aud claim is attacker-controlled and the library evaluates it against the supplied RegExp, a crafted JWT can trigger catastrophic backtracking in the JavaScript regex engine, resulting in significant CPU consumption during verification.
This occurs with a validly signed JWT, making the issue exploitable in authenticated contexts such as:
-
API gateways
-
authentication middleware
-
service-to-service communication
-
OAuth / OIDC token validation pipelines
Affected Component
-
Library: fast-jwt
-
Version tested: 6.1.0
-
Runtime: Node.js v24.13.1
-
Feature: claim validation using
allowedAud: RegExp
Impact
CPU exhaustion / Denial of Service
A crafted JWT causes verification to take multiple seconds per request due to catastrophic regex backtracking.
Measured verification times
Input size (n) | Verification time -- | -- 24 | ~123 ms 28 | ~1.97 s 30 | ~7.85 sThis is sufficient to:
-
block Node.js event loop threads
-
degrade API throughput
-
cause cascading service failures
-
increase serverless execution costs
-
saturate authentication infrastructure
Root Cause
The library allows regular expressions in claim validation:
allowedAud: /^(a+)+X$/
The aud claim is attacker-controlled:
aud = "a".repeat(n) + "Y"
This creates catastrophic backtracking in the JavaScript regex engine.
Verification time grows exponentially as input length increases.
Exploitability
Attack requires:
-
a valid signed JWT (post-authentication context)
-
attacker control over the
audclaim -
a vulnerable regex configured by the application
Common real-world scenarios
-
shared HS secrets
-
internal JWT issuance
-
microservice authentication
-
OAuth / OIDC custom audiences
-
internal service tokens
Proof of Concept
Reproduction steps
-
Install
fast-jwt -
Configure verifier with a RegExp in
allowedAud -
Send a valid signed JWT with adversarial
aud
Attached artifacts
-
poc-suite-redos-fastjwt.js -
evidence-redos-fastjwt.json
Observed behavior
Verification CPU time increases from milliseconds to multiple seconds as input length grows.
Security Classification
-
CWE-1333: Inefficient Regular Expression
-
CWE-400: Uncontrolled Resource Consumption
-
Class: Authenticated Denial of Service
Expected Behavior
The library should prevent unbounded CPU work on attacker-controlled claims.
Possible mitigations
-
safe-regex validation
-
maximum length enforcement for claims
-
regex complexity limits
-
documentation warning about ReDoS risks when using RegExp-based validation
Notes
Signature verification occurs before claim validation, therefore this is not a pre-authentication DoS.
However, the vulnerability remains exploitable in authenticated or token-bearing contexts and can significantly impact production environments.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 6.2.0"
},
"package": {
"ecosystem": "npm",
"name": "fast-jwt"
},
"ranges": [
{
"events": [
{
"introduced": "5.0.0"
},
{
"fixed": "6.2.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-35041"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-09T16:41:40Z",
"nvd_published_at": "2026-04-09T16:16:27Z",
"severity": "MODERATE"
},
"details": "## \u26a0\ufe0f IMPORTANT CLARIFICATIONS\n\n ### Affected Configurations\n This vulnerability ONLY affects applications that:\n - Use RegExp objects (not strings) in the allowedAud, allowedIss, allowedSub, allowedJti, or allowedNonce options\n - Configure patterns susceptible to catastrophic backtracking\n - Example: `allowedAud: /^(a+)+X$/` \u2190 VULNERABLE\n - Example: `allowedAud: \"api.company.com\"` \u2190 SAFE\n\n ### Not Affected\n - Applications using string patterns for audience validation (most common)\n - Applications using safe RegExp patterns without nested quantifiers\n - Default fast-jwt configurations\n\n ### Assessment Guide\n To determine if you\u0027re affected:\n 1. Check ifallowedAud, allowedIss, allowedSub, allowedJti, or allowedNonce use RegExp objects (`/pattern/` or `new RegExp()`)\n 2. If yes, review the pattern for nested quantifiers like `(a+)+`, `(.*)*`, etc.\n 3. If no RegExp usage, you are NOT affected\n\n------\n\n\u003chtml\u003e\n\u003cbody\u003e\n\u003c!--StartFragment--\u003e\u003ch2 data-start=\"218\" data-end=\"228\"\u003eSummary\u003c/h2\u003e\n\u003cp data-start=\"230\" data-end=\"364\"\u003eA denial-of-service condition exists in \u003ccode data-start=\"270\" data-end=\"280\"\u003efast-jwt\u003c/code\u003e when the \u003ccode data-start=\"290\" data-end=\"302\"\u003eallowedAud\u003c/code\u003e verification option is configured using a regular expression.\u003c/p\u003e\n\u003cp data-start=\"366\" data-end=\"618\"\u003eBecause the \u003ccode data-start=\"378\" data-end=\"383\"\u003eaud\u003c/code\u003e claim is attacker-controlled and the library evaluates it against the supplied \u003ccode data-start=\"463\" data-end=\"471\"\u003eRegExp\u003c/code\u003e, a crafted JWT can trigger catastrophic backtracking in the JavaScript regex engine, resulting in significant CPU consumption during verification.\u003c/p\u003e\n\u003cp data-start=\"620\" data-end=\"726\"\u003eThis occurs with a \u003cstrong data-start=\"639\" data-end=\"661\"\u003evalidly signed JWT\u003c/strong\u003e, making the issue exploitable in authenticated contexts such as:\u003c/p\u003e\n\u003cul data-start=\"728\" data-end=\"855\"\u003e\n\u003cli data-start=\"728\" data-end=\"744\"\u003e\n\u003cp data-start=\"730\" data-end=\"744\"\u003eAPI gateways\u003c/p\u003e\n\u003c/li\u003e\n\u003cli data-start=\"745\" data-end=\"774\"\u003e\n\u003cp data-start=\"747\" data-end=\"774\"\u003eauthentication middleware\u003c/p\u003e\n\u003c/li\u003e\n\u003cli data-start=\"775\" data-end=\"811\"\u003e\n\u003cp data-start=\"777\" data-end=\"811\"\u003eservice-to-service communication\u003c/p\u003e\n\u003c/li\u003e\n\u003cli data-start=\"812\" data-end=\"855\"\u003e\n\u003cp data-start=\"814\" data-end=\"855\"\u003eOAuth / OIDC token validation pipelines\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003chr data-start=\"857\" data-end=\"860\"\u003e\n\u003ch2 data-start=\"862\" data-end=\"883\"\u003eAffected Component\u003c/h2\u003e\n\u003cul data-start=\"885\" data-end=\"1035\"\u003e\n\u003cli data-start=\"885\" data-end=\"910\"\u003e\n\u003cp data-start=\"887\" data-end=\"910\"\u003e\u003cstrong data-start=\"887\" data-end=\"899\"\u003eLibrary:\u003c/strong\u003e fast-jwt\u003c/p\u003e\n\u003c/li\u003e\n\u003cli data-start=\"911\" data-end=\"940\"\u003e\n\u003cp data-start=\"913\" data-end=\"940\"\u003e\u003cstrong data-start=\"913\" data-end=\"932\"\u003eVersion tested:\u003c/strong\u003e 6.1.0\u003c/p\u003e\n\u003c/li\u003e\n\u003cli data-start=\"941\" data-end=\"974\"\u003e\n\u003cp data-start=\"943\" data-end=\"974\"\u003e\u003cstrong data-start=\"943\" data-end=\"955\"\u003eRuntime:\u003c/strong\u003e Node.js v24.13.1\u003c/p\u003e\n\u003c/li\u003e\n\u003cli data-start=\"975\" data-end=\"1035\"\u003e\n\u003cp data-start=\"977\" data-end=\"1035\"\u003e\u003cstrong data-start=\"977\" data-end=\"989\"\u003eFeature:\u003c/strong\u003e claim validation using \u003ccode data-start=\"1013\" data-end=\"1033\"\u003eallowedAud: RegExp\u003c/code\u003e\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003chr data-start=\"1037\" data-end=\"1040\"\u003e\n\u003ch2 data-start=\"1042\" data-end=\"1051\"\u003eImpact\u003c/h2\u003e\n\u003cp data-start=\"1053\" data-end=\"1091\"\u003e\u003cstrong data-start=\"1053\" data-end=\"1091\"\u003eCPU exhaustion / Denial of Service\u003c/strong\u003e\u003c/p\u003e\n\u003cp data-start=\"1093\" data-end=\"1203\"\u003eA crafted JWT causes verification to take multiple seconds per request due to catastrophic regex backtracking.\u003c/p\u003e\n\u003ch3 data-start=\"1205\" data-end=\"1236\"\u003eMeasured verification times\u003c/h3\u003e\n\u003cdiv class=\"TyagGW_tableContainer\"\u003e\u003cdiv tabindex=\"-1\" class=\"group TyagGW_tableWrapper flex flex-col-reverse w-fit\"\u003e\nInput size (n) | Verification time\n-- | --\n24 | ~123 ms\n28 | ~1.97 s\n30 | ~7.85 s\n\n\u003c/div\u003e\u003c/div\u003e\n\u003cp data-start=\"1339\" data-end=\"1361\"\u003eThis is sufficient to:\u003c/p\u003e\n\u003cul data-start=\"1363\" data-end=\"1546\"\u003e\n\u003cli data-start=\"1363\" data-end=\"1399\"\u003e\n\u003cp data-start=\"1365\" data-end=\"1399\"\u003eblock Node.js event loop threads\u003c/p\u003e\n\u003c/li\u003e\n\u003cli data-start=\"1400\" data-end=\"1426\"\u003e\n\u003cp data-start=\"1402\" data-end=\"1426\"\u003edegrade API throughput\u003c/p\u003e\n\u003c/li\u003e\n\u003cli data-start=\"1427\" data-end=\"1463\"\u003e\n\u003cp data-start=\"1429\" data-end=\"1463\"\u003ecause cascading service failures\u003c/p\u003e\n\u003c/li\u003e\n\u003cli data-start=\"1464\" data-end=\"1503\"\u003e\n\u003cp data-start=\"1466\" data-end=\"1503\"\u003eincrease serverless execution costs\u003c/p\u003e\n\u003c/li\u003e\n\u003cli data-start=\"1504\" data-end=\"1546\"\u003e\n\u003cp data-start=\"1506\" data-end=\"1546\"\u003esaturate authentication infrastructure\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003chr data-start=\"1548\" data-end=\"1551\"\u003e\n\u003ch2 data-start=\"1553\" data-end=\"1566\"\u003eRoot Cause\u003c/h2\u003e\n\u003cp data-start=\"1568\" data-end=\"1627\"\u003eThe library allows regular expressions in claim validation:\u003c/p\u003e\n\u003cpre class=\"overflow-visible! px-0!\" data-start=\"1629\" data-end=\"1661\"\u003e\u003cdiv class=\"w-full my-4\"\u003e\u003cdiv class=\"\"\u003e\u003cdiv class=\"relative\"\u003e\u003cdiv class=\"h-full min-h-0 min-w-0\"\u003e\u003cdiv class=\"h-full min-h-0 min-w-0\"\u003e\u003cdiv class=\"border corner-superellipse/1.1 border-token-border-light bg-token-bg-elevated-secondary rounded-3xl\"\u003e\u003cdiv class=\"pointer-events-none absolute inset-x-4 top-12 bottom-4\"\u003e\u003cdiv class=\"pointer-events-none sticky z-40 shrink-0 z-1!\"\u003e\u003cdiv class=\"sticky bg-token-border-light\"\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\u003cdiv class=\"pointer-events-none absolute inset-x-px top-0 bottom-96\"\u003e\u003cdiv class=\"pointer-events-none sticky z-40 shrink-0 z-1!\"\u003e\u003cdiv class=\"sticky bg-token-bg-elevated-secondary\"\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\u003cdiv class=\"corner-superellipse/1.1 rounded-3xl bg-token-bg-elevated-secondary\"\u003e\u003cdiv class=\"relative z-0 flex max-w-full\"\u003e\u003cdiv id=\"code-block-viewer\" dir=\"ltr\" class=\"q9tKkq_viewer cm-editor z-10 light:cm-light dark:cm-light flex h-full w-full flex-col items-stretch \u037cd \u037cr\"\u003e\u003cdiv class=\"cm-scroller\"\u003e\u003cdiv class=\"cm-content q9tKkq_readonly\"\u003e\u003cspan class=\"\u037co\"\u003eallowedAud\u003c/span\u003e\u003cspan\u003e: \u003c/span\u003e\u003cspan class=\"\u037ck\"\u003e/^(a+)+X$/\u003c/span\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\u003cdiv class=\"\"\u003e\u003cdiv class=\"\"\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\u003c/pre\u003e\n\u003cp data-start=\"1663\" data-end=\"1702\"\u003eThe \u003ccode data-start=\"1667\" data-end=\"1672\"\u003eaud\u003c/code\u003e claim is attacker-controlled:\u003c/p\u003e\n\u003cpre class=\"overflow-visible! px-0!\" data-start=\"1704\" data-end=\"1739\"\u003e\u003cdiv class=\"w-full my-4\"\u003e\u003cdiv class=\"\"\u003e\u003cdiv class=\"relative\"\u003e\u003cdiv class=\"h-full min-h-0 min-w-0\"\u003e\u003cdiv class=\"h-full min-h-0 min-w-0\"\u003e\u003cdiv class=\"border corner-superellipse/1.1 border-token-border-light bg-token-bg-elevated-secondary rounded-3xl\"\u003e\u003cdiv class=\"pointer-events-none absolute inset-x-4 top-12 bottom-4\"\u003e\u003cdiv class=\"pointer-events-none sticky z-40 shrink-0 z-1!\"\u003e\u003cdiv class=\"sticky bg-token-border-light\"\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\u003cdiv class=\"pointer-events-none absolute inset-x-px top-0 bottom-96\"\u003e\u003cdiv class=\"pointer-events-none sticky z-40 shrink-0 z-1!\"\u003e\u003cdiv class=\"sticky bg-token-bg-elevated-secondary\"\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\u003cdiv class=\"corner-superellipse/1.1 rounded-3xl bg-token-bg-elevated-secondary\"\u003e\u003cdiv class=\"relative z-0 flex max-w-full\"\u003e\u003cdiv id=\"code-block-viewer\" dir=\"ltr\" class=\"q9tKkq_viewer cm-editor z-10 light:cm-light dark:cm-light flex h-full w-full flex-col items-stretch \u037cd \u037cr\"\u003e\u003cdiv class=\"cm-scroller\"\u003e\u003cdiv class=\"cm-content q9tKkq_readonly\"\u003e\u003cspan class=\"\u037cm\"\u003eaud\u003c/span\u003e\u003cspan\u003e \u003c/span\u003e\u003cspan class=\"\u037cg\"\u003e=\u003c/span\u003e\u003cspan\u003e \u003c/span\u003e\u003cspan class=\"\u037ck\"\u003e\"a\"\u003c/span\u003e\u003cspan class=\"\u037cg\"\u003e.\u003c/span\u003e\u003cspan\u003erepeat(\u003c/span\u003e\u003cspan class=\"\u037cm\"\u003en\u003c/span\u003e\u003cspan\u003e) \u003c/span\u003e\u003cspan class=\"\u037cg\"\u003e+\u003c/span\u003e\u003cspan\u003e \u003c/span\u003e\u003cspan class=\"\u037ck\"\u003e\"Y\"\u003c/span\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\u003cdiv class=\"\"\u003e\u003cdiv class=\"\"\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\u003c/pre\u003e\n\u003cp data-start=\"1741\" data-end=\"1811\"\u003eThis creates catastrophic backtracking in the JavaScript regex engine.\u003c/p\u003e\n\u003cp data-start=\"1813\" data-end=\"1881\"\u003eVerification time grows \u003cstrong data-start=\"1837\" data-end=\"1854\"\u003eexponentially\u003c/strong\u003e as input length increases.\u003c/p\u003e\n\u003chr data-start=\"1883\" data-end=\"1886\"\u003e\n\u003ch2 data-start=\"1888\" data-end=\"1905\"\u003eExploitability\u003c/h2\u003e\n\u003cp data-start=\"1907\" data-end=\"1923\"\u003eAttack requires:\u003c/p\u003e\n\u003cul data-start=\"1925\" data-end=\"2066\"\u003e\n\u003cli data-start=\"1925\" data-end=\"1975\"\u003e\n\u003cp data-start=\"1927\" data-end=\"1975\"\u003ea valid signed JWT (post-authentication context)\u003c/p\u003e\n\u003c/li\u003e\n\u003cli data-start=\"1976\" data-end=\"2015\"\u003e\n\u003cp data-start=\"1978\" data-end=\"2015\"\u003eattacker control over the \u003ccode data-start=\"2004\" data-end=\"2009\"\u003eaud\u003c/code\u003e claim\u003c/p\u003e\n\u003c/li\u003e\n\u003cli data-start=\"2016\" data-end=\"2066\"\u003e\n\u003cp data-start=\"2018\" data-end=\"2066\"\u003ea vulnerable regex configured by the application\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch3 data-start=\"2068\" data-end=\"2099\"\u003eCommon real-world scenarios\u003c/h3\u003e\n\u003cul data-start=\"2101\" data-end=\"2232\"\u003e\n\u003cli data-start=\"2101\" data-end=\"2120\"\u003e\n\u003cp data-start=\"2103\" data-end=\"2120\"\u003eshared HS secrets\u003c/p\u003e\n\u003c/li\u003e\n\u003cli data-start=\"2121\" data-end=\"2144\"\u003e\n\u003cp data-start=\"2123\" data-end=\"2144\"\u003einternal JWT issuance\u003c/p\u003e\n\u003c/li\u003e\n\u003cli data-start=\"2145\" data-end=\"2174\"\u003e\n\u003cp data-start=\"2147\" data-end=\"2174\"\u003emicroservice authentication\u003c/p\u003e\n\u003c/li\u003e\n\u003cli data-start=\"2175\" data-end=\"2206\"\u003e\n\u003cp data-start=\"2177\" data-end=\"2206\"\u003eOAuth / OIDC custom audiences\u003c/p\u003e\n\u003c/li\u003e\n\u003cli data-start=\"2207\" data-end=\"2232\"\u003e\n\u003cp data-start=\"2209\" data-end=\"2232\"\u003einternal service tokens\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003chr data-start=\"2234\" data-end=\"2237\"\u003e\n\u003ch2 data-start=\"2239\" data-end=\"2258\"\u003eProof of Concept\u003c/h2\u003e\n\u003ch3 data-start=\"2260\" data-end=\"2282\"\u003eReproduction steps\u003c/h3\u003e\n\u003col data-start=\"2284\" data-end=\"2407\"\u003e\n\u003cli data-start=\"2284\" data-end=\"2305\"\u003e\n\u003cp data-start=\"2287\" data-end=\"2305\"\u003eInstall \u003ccode data-start=\"2295\" data-end=\"2305\"\u003efast-jwt\u003c/code\u003e\u003c/p\u003e\n\u003c/li\u003e\n\u003cli data-start=\"2306\" data-end=\"2357\"\u003e\n\u003cp data-start=\"2309\" data-end=\"2357\"\u003eConfigure verifier with a RegExp in \u003ccode data-start=\"2345\" data-end=\"2357\"\u003eallowedAud\u003c/code\u003e\u003c/p\u003e\n\u003c/li\u003e\n\u003cli data-start=\"2358\" data-end=\"2407\"\u003e\n\u003cp data-start=\"2361\" data-end=\"2407\"\u003eSend a valid signed JWT with adversarial \u003ccode data-start=\"2402\" data-end=\"2407\"\u003eaud\u003c/code\u003e\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch3 data-start=\"2409\" data-end=\"2431\"\u003eAttached artifacts\u003c/h3\u003e\n\u003cul data-start=\"2433\" data-end=\"2495\"\u003e\n\u003cli data-start=\"2433\" data-end=\"2463\"\u003e\n\u003cp data-start=\"2435\" data-end=\"2463\"\u003e\u003ccode data-start=\"2435\" data-end=\"2463\"\u003epoc-suite-redos-fastjwt.js\u003c/code\u003e\u003c/p\u003e\n\u003c/li\u003e\n\u003cli data-start=\"2464\" data-end=\"2495\"\u003e\n\u003cp data-start=\"2466\" data-end=\"2495\"\u003e\u003ccode data-start=\"2466\" data-end=\"2495\"\u003eevidence-redos-fastjwt.json\u003c/code\u003e\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch3 data-start=\"2497\" data-end=\"2518\"\u003eObserved behavior\u003c/h3\u003e\n\u003cp data-start=\"2520\" data-end=\"2612\"\u003eVerification CPU time increases from milliseconds to multiple seconds as input length grows.\u003c/p\u003e\n\u003chr data-start=\"2614\" data-end=\"2617\"\u003e\n\u003ch2 data-start=\"2619\" data-end=\"2645\"\u003eSecurity Classification\u003c/h2\u003e\n\u003cul data-start=\"2647\" data-end=\"2793\"\u003e\n\u003cli data-start=\"2647\" data-end=\"2695\"\u003e\n\u003cp data-start=\"2649\" data-end=\"2695\"\u003e\u003cstrong data-start=\"2649\" data-end=\"2662\"\u003eCWE-1333:\u003c/strong\u003e Inefficient Regular Expression\u003c/p\u003e\n\u003c/li\u003e\n\u003cli data-start=\"2696\" data-end=\"2746\"\u003e\n\u003cp data-start=\"2698\" data-end=\"2746\"\u003e\u003cstrong data-start=\"2698\" data-end=\"2710\"\u003eCWE-400:\u003c/strong\u003e Uncontrolled Resource Consumption\u003c/p\u003e\n\u003c/li\u003e\n\u003cli data-start=\"2747\" data-end=\"2793\"\u003e\n\u003cp data-start=\"2749\" data-end=\"2793\"\u003e\u003cstrong data-start=\"2749\" data-end=\"2759\"\u003eClass:\u003c/strong\u003e Authenticated Denial of Service\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003chr data-start=\"2795\" data-end=\"2798\"\u003e\n\u003ch2 data-start=\"2800\" data-end=\"2820\"\u003eExpected Behavior\u003c/h2\u003e\n\u003cp data-start=\"2822\" data-end=\"2898\"\u003eThe library should prevent unbounded CPU work on attacker-controlled claims.\u003c/p\u003e\n\u003ch3 data-start=\"2900\" data-end=\"2924\"\u003ePossible mitigations\u003c/h3\u003e\n\u003cul data-start=\"2926\" data-end=\"3092\"\u003e\n\u003cli data-start=\"2926\" data-end=\"2949\"\u003e\n\u003cp data-start=\"2928\" data-end=\"2949\"\u003esafe-regex validation\u003c/p\u003e\n\u003c/li\u003e\n\u003cli data-start=\"2950\" data-end=\"2989\"\u003e\n\u003cp data-start=\"2952\" data-end=\"2989\"\u003emaximum length enforcement for claims\u003c/p\u003e\n\u003c/li\u003e\n\u003cli data-start=\"2990\" data-end=\"3015\"\u003e\n\u003cp data-start=\"2992\" data-end=\"3015\"\u003eregex complexity limits\u003c/p\u003e\n\u003c/li\u003e\n\u003cli data-start=\"3016\" data-end=\"3092\"\u003e\n\u003cp data-start=\"3018\" data-end=\"3092\"\u003edocumentation warning about ReDoS risks when using RegExp-based validation\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003chr data-start=\"3094\" data-end=\"3097\"\u003e\n\u003ch2 data-start=\"3099\" data-end=\"3107\"\u003eNotes\u003c/h2\u003e\n\u003cp data-start=\"3109\" data-end=\"3215\"\u003eSignature verification occurs before claim validation, therefore this is \u003cstrong data-start=\"3182\" data-end=\"3214\"\u003enot a pre-authentication DoS\u003c/strong\u003e.\u003c/p\u003e\n\u003cp data-start=\"3217\" data-end=\"3360\"\u003eHowever, the vulnerability remains exploitable in authenticated or token-bearing contexts and can significantly impact production environments.\u003c/p\u003e\u003c!--EndFragment--\u003e\n\u003c/body\u003e\n\u003c/html\u003e",
"id": "GHSA-cjw9-ghj4-fwxf",
"modified": "2026-04-09T19:05:16Z",
"published": "2026-04-09T16:41:40Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/nearform/fast-jwt/security/advisories/GHSA-cjw9-ghj4-fwxf"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35041"
},
{
"type": "WEB",
"url": "https://github.com/nearform/fast-jwt/pull/595"
},
{
"type": "WEB",
"url": "https://github.com/nearform/fast-jwt/commit/b0be0ca161593836a153d5180ca5358ad9b5de94"
},
{
"type": "PACKAGE",
"url": "https://github.com/nearform/fast-jwt"
},
{
"type": "WEB",
"url": "https://github.com/nearform/fast-jwt/releases/tag/v6.2.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "fast-jwt has a ReDoS when using RegExp in allowed* leading to CPU exhaustion during token verification"
}
GHSA-CMCX-XHR8-3W9P
Vulnerability from github – Published: 2020-02-20 23:26 – Updated: 2024-02-08 22:49Impact
Some regexes are vulnerable to regular expression denial of service (REDoS) due to overlapping capture groups. This allows remote attackers to overload a server by setting the User-Agent header in an HTTP(S) request to maliciously crafted long strings.
Patches
Please update uap-core to >= v0.7.3
Downstream packages such as uap-python, uap-ruby etc which depend upon uap-core follow different version schemes.
Details
Each vulnerable regular expression reported here contains 3 overlapping capture groups. Backtracking has approximately cubic time complexity with respect to the length of the user-agent string.
Regex 1:
\bSmartWatch *\( *([^;]+) *; *([^;]+) *;
is vulnerable in portion *([^;]+) * and can be attacked with
"SmartWatch(" + (" " * 3500) + "z"
e.g.
SmartWatch( z
Regex 2:
; *([^;/]+) Build[/ ]Huawei(MT1-U06|[A-Z]+\d+[^\);]+)[^\);]*\)
is vulnerable in portion \d+[^\);]+[^\);]* and can be attacked with
";A Build HuaweiA" + ("4" * 3500) + "z"
Regex 3:
(HbbTV)/[0-9]+\.[0-9]+\.[0-9]+ \([^;]*; *(LG)E *; *([^;]*) *;[^;]*;[^;]*;\)
is vulnerable in portion *([^;]*) * and can be attacked with
"HbbTV/0.0.0 (;LGE;" + (" " * 3500) + "z"
Regex 4:
(HbbTV)/[0-9]+\.[0-9]+\.[0-9]+ \([^;]*; *(?:CUS:([^;]*)|([^;]+)) *; *([^;]*) *;.*;
is vulnerable in portions *(?:CUS:([^;]*)|([^;]+)) * and *([^;]*) * and can be attacked with
"HbbTV/0.0.0 (;CUS:;" + (" " * 3500) + "z"
"HbbTV/0.0.0 (;" + (" " * 3500) + "z"
"HbbTV/0.0.0 (;z;" + (" " * 3500) + "z"
Reported by Ben Caller @bcaller
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "uap-core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.7.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "user_agent_parser"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.6.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-5243"
],
"database_specific": {
"cwe_ids": [
"CWE-1333",
"CWE-20"
],
"github_reviewed": true,
"github_reviewed_at": "2020-02-20T23:09:32Z",
"nvd_published_at": "2020-02-21T00:15:10Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nSome regexes are vulnerable to regular expression denial of service (REDoS) due to overlapping capture groups. This allows remote attackers to overload a server by setting the User-Agent header in an HTTP(S) request to maliciously crafted long strings.\n\n### Patches\n\nPlease update uap-core to \u0026amp;amp;gt;= v0.7.3\n\nDownstream packages such as uap-python, uap-ruby etc which depend upon uap-core follow different version schemes.\n\n### Details\n\nEach vulnerable regular expression reported here contains 3 overlapping capture groups. Backtracking has approximately cubic time complexity with respect to the length of the user-agent string.\n\n#### Regex 1:\n\n```\n\\bSmartWatch *\\( *([^;]+) *; *([^;]+) *;\n```\n\nis vulnerable in portion ` *([^;]+) *` and can be attacked with\n\n```python\n\u0026amp;amp;quot;SmartWatch(\u0026amp;amp;quot; + (\u0026amp;amp;quot; \u0026amp;amp;quot; * 3500) + \u0026amp;amp;quot;z\u0026amp;amp;quot;\n```\ne.g.\n```\nSmartWatch( z\n```\n\n\n#### Regex 2:\n\n```\n; *([^;/]+) Build[/ ]Huawei(MT1-U06|[A-Z]+\\d+[^\\);]+)[^\\);]*\\)\n```\n\nis vulnerable in portion `\\d+[^\\);]+[^\\);]*` and can be attacked with\n\n```python\n\u0026amp;amp;quot;;A Build HuaweiA\u0026amp;amp;quot; + (\u0026amp;amp;quot;4\u0026amp;amp;quot; * 3500) + \u0026amp;amp;quot;z\u0026amp;amp;quot;\n```\n\n\n#### Regex 3:\n\n```\n(HbbTV)/[0-9]+\\.[0-9]+\\.[0-9]+ \\([^;]*; *(LG)E *; *([^;]*) *;[^;]*;[^;]*;\\)\n```\n\nis vulnerable in portion ` *([^;]*) *` and can be attacked with\n\n```python\n\u0026amp;amp;quot;HbbTV/0.0.0 (;LGE;\u0026amp;amp;quot; + (\u0026amp;amp;quot; \u0026amp;amp;quot; * 3500) + \u0026amp;amp;quot;z\u0026amp;amp;quot;\n```\n\n#### Regex 4:\n\n```\n(HbbTV)/[0-9]+\\.[0-9]+\\.[0-9]+ \\([^;]*; *(?:CUS:([^;]*)|([^;]+)) *; *([^;]*) *;.*;\n```\n\nis vulnerable in portions ` *(?:CUS:([^;]*)|([^;]+)) *` and ` *([^;]*) *` and can be attacked with\n\n```python\n\u0026amp;amp;quot;HbbTV/0.0.0 (;CUS:;\u0026amp;amp;quot; + (\u0026amp;amp;quot; \u0026amp;amp;quot; * 3500) + \u0026amp;amp;quot;z\u0026amp;amp;quot;\n\u0026amp;amp;quot;HbbTV/0.0.0 (;\u0026amp;amp;quot; + (\u0026amp;amp;quot; \u0026amp;amp;quot; * 3500) + \u0026amp;amp;quot;z\u0026amp;amp;quot;\n\u0026amp;amp;quot;HbbTV/0.0.0 (;z;\u0026amp;amp;quot; + (\u0026amp;amp;quot; \u0026amp;amp;quot; * 3500) + \u0026amp;amp;quot;z\u0026amp;amp;quot;\n```\n\nReported by Ben Caller @bcaller",
"id": "GHSA-cmcx-xhr8-3w9p",
"modified": "2024-02-08T22:49:51Z",
"published": "2020-02-20T23:26:10Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/ua-parser/uap-core/security/advisories/GHSA-cmcx-xhr8-3w9p"
},
{
"type": "WEB",
"url": "https://github.com/ua-parser/uap-ruby/security/advisories/GHSA-pcqq-5962-hvcw"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-5243"
},
{
"type": "WEB",
"url": "https://github.com/ua-parser/uap-core/commit/0afd61ed85396a3b5316f18bfd1edfaadf8e88e1"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/user_agent_parser/CVE-2020-5243.yml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Denial of Service in uap-core when processing crafted User-Agent strings"
}
GHSA-CMHX-CQ75-C4MJ
Vulnerability from github – Published: 2021-08-04 21:03 – Updated: 2023-02-21 18:57A denial of service vulnerability exists when .NET Framework and .NET Core improperly process RegEx strings, aka '.NET Framework and .NET Core Denial of Service Vulnerability'. This CVE ID is unique from CVE-2019-0980, CVE-2019-0981.
{
"affected": [
{
"package": {
"ecosystem": "NuGet",
"name": "System.Text.RegularExpressions"
},
"ranges": [
{
"events": [
{
"introduced": "4.3.0"
},
{
"fixed": "4.3.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2019-0820"
],
"database_specific": {
"cwe_ids": [
"CWE-1333",
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2021-08-04T21:03:27Z",
"nvd_published_at": "2019-05-16T19:29:00Z",
"severity": "HIGH"
},
"details": "A denial of service vulnerability exists when .NET Framework and .NET Core improperly process RegEx strings, aka \u0027.NET Framework and .NET Core Denial of Service Vulnerability\u0027. This CVE ID is unique from CVE-2019-0980, CVE-2019-0981.",
"id": "GHSA-cmhx-cq75-c4mj",
"modified": "2023-02-21T18:57:08Z",
"published": "2021-08-04T21:03:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-0820"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:1259"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0820"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Regular Expression Denial of Service in System.Text.RegularExpressions"
}
GHSA-CPH5-M8F7-6C5X
Vulnerability from github – Published: 2021-09-01 18:23 – Updated: 2022-09-14 21:28axios before v0.21.2 is vulnerable to Inefficient Regular Expression Complexity.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "axios"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.21.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-3749"
],
"database_specific": {
"cwe_ids": [
"CWE-1333",
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2021-09-01T18:14:02Z",
"nvd_published_at": "2021-08-31T11:15:00Z",
"severity": "HIGH"
},
"details": "axios before v0.21.2 is vulnerable to Inefficient Regular Expression Complexity.",
"id": "GHSA-cph5-m8f7-6c5x",
"modified": "2022-09-14T21:28:32Z",
"published": "2021-09-01T18:23:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3749"
},
{
"type": "WEB",
"url": "https://github.com/axios/axios/commit/5b457116e31db0e88fede6c428e969e87f290929"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/package/axios"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rfc5c478053ff808671aef170f3d9fc9d05cc1fab8fb64431edc66103@%3Ccommits.druid.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rfa094029c959da0f7c8cd7dc9c4e59d21b03457bf0cedf6c93e1bb0a@%3Cdev.druid.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rc263bfc5b53afcb7e849605478d73f5556eb0c00d1f912084e407289@%3Ccommits.druid.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/ra15d63c54dc6474b29f72ae4324bcb03038758545b3ab800845de7a1@%3Ccommits.druid.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r74d0b359408fff31f87445261f0ee13bdfcac7d66f6b8e846face321@%3Ccommits.druid.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r7324ecc35b8027a51cb6ed629490fcd3b2d7cf01c424746ed5744bf1@%3Ccommits.druid.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r4bf1b32983f50be00f9752214c1b53738b621be1c2b0dbd68c7f2391@%3Ccommits.druid.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r3ae6d2654f92c5851bdb73b35e96b0e4e3da39f28ac7a1b15ae3aab8@%3Ccommits.druid.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r216f0fd0a3833856d6a6a1fada488cadba45f447d87010024328ccf2@%3Ccommits.druid.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r075d464dce95cd13c03ff9384658edcccd5ab2983b82bfc72b62bb10@%3Ccommits.druid.apache.org%3E"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/1e8f07fc-c384-4ff9-8498-0690de2e8c31"
},
{
"type": "PACKAGE",
"url": "https://github.com/axios/axios"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "axios Inefficient Regular Expression Complexity vulnerability"
}
GHSA-CQF7-FF9H-7967
Vulnerability from github – Published: 2022-05-17 00:48 – Updated: 2024-09-18 16:17validators.URLValidator in Django 1.8.x before 1.8.3 allows remote attackers to cause a denial of service (CPU consumption) via unspecified vectors.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "Django"
},
"ranges": [
{
"events": [
{
"introduced": "1.8a1"
},
{
"fixed": "1.8.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2015-5145"
],
"database_specific": {
"cwe_ids": [
"CWE-1333",
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2023-08-03T19:54:38Z",
"nvd_published_at": "2015-07-14T17:59:00Z",
"severity": "HIGH"
},
"details": "`validators.URLValidator` in Django 1.8.x before 1.8.3 allows remote attackers to cause a denial of service (CPU consumption) via unspecified vectors.",
"id": "GHSA-cqf7-ff9h-7967",
"modified": "2024-09-18T16:17:40Z",
"published": "2022-05-17T00:48:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-5145"
},
{
"type": "WEB",
"url": "https://github.com/django/django/commit/8f9a4d3a2bc42f14bb437defd30c7315adbff22c"
},
{
"type": "PACKAGE",
"url": "https://github.com/django/django"
},
{
"type": "WEB",
"url": "https://github.com/django/django/blob/4555a823fd57e261e1b19c778429473256c8ea08/docs/releases/1.8.3.txt#L63-L68"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2015-21.yaml"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/201510-06"
},
{
"type": "WEB",
"url": "https://web.archive.org/web/20150924150801/http://www.securitytracker.com/id/1032820"
},
{
"type": "WEB",
"url": "https://web.archive.org/web/20170526042302/http://www.securityfocus.com/bid/75691"
},
{
"type": "WEB",
"url": "https://www.djangoproject.com/weblog/2015/jul/08/security-releases"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Django ReDoS in validators.URLValidator"
}
GHSA-CQFH-C4C5-C2HG
Vulnerability from github – Published: 2024-03-28 00:31 – Updated: 2025-09-03 15:16RegEx Denial of Service in domain-suffix 1.0.8 allows attackers to crash the application via crafted input to the parse function.
PoC
async function exploit() {
const domainsuffix = require(\"domain-suffix\");
// Crafting a string that will cause excessive backtracking
const maliciousInput = \"a.\".repeat(10000) + \"b\"; // This will create a long sequence of \"a.\" followed by \"b\"
const result = await domainsuffix.domainSuffix.parse(maliciousInput);
}
await exploit();
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "domain-suffix"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.0.8"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-25354"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2024-08-29T18:02:23Z",
"nvd_published_at": "2024-03-27T22:15:10Z",
"severity": "HIGH"
},
"details": "RegEx Denial of Service in domain-suffix 1.0.8 allows attackers to crash the application via crafted input to the parse function.\n\n## PoC\n```js\nasync function exploit() {\n const domainsuffix = require(\\\"domain-suffix\\\");\n // Crafting a string that will cause excessive backtracking\n const maliciousInput = \\\"a.\\\".repeat(10000) + \\\"b\\\"; // This will create a long sequence of \\\"a.\\\" followed by \\\"b\\\"\n const result = await domainsuffix.domainSuffix.parse(maliciousInput);\n}\nawait exploit();\n```",
"id": "GHSA-cqfh-c4c5-c2hg",
"modified": "2025-09-03T15:16:09Z",
"published": "2024-03-28T00:31:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25354"
},
{
"type": "WEB",
"url": "https://gist.github.com/6en6ar/c3b11b4058b8e2bc54717408d451fb79"
},
{
"type": "PACKAGE",
"url": "https://github.com/ikrong/domain-suffix"
},
{
"type": "WEB",
"url": "https://github.com/ikrong/domain-suffix/blob/master/src/domainSuffix.ts"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "domain-suffix RegEx Denial of Service"
}
Mitigation
Use regular expressions that do not support backtracking, e.g. by removing nested quantifiers.
Mitigation
Set backtracking limits in the configuration of the regular expression implementation, such as PHP's pcre.backtrack_limit. Also consider limits on execution time for the process.
Mitigation
Do not use regular expressions with untrusted input. If regular expressions must be used, avoid using backtracking in the expression.
Mitigation
Limit the length of the input that the regular expression will process.
CAPEC-492: Regular Expression Exponential Blowup
An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions.