Common Weakness Enumeration

CWE-1333

Allowed

Inefficient Regular Expression Complexity

Abstraction: Base · Status: Draft

The product uses a regular expression with a worst-case computational complexity that is inefficient and possibly exponential.

724 vulnerabilities reference this CWE, most recent first.

GHSA-CR84-XVW4-QX3C

Vulnerability from github – Published: 2022-10-25 22:27 – Updated: 2022-10-31 16:02
VLAI
Summary
Inefficient Regular Expression Complexity in shescape
Details

Impact

This impacts users that use shescape to escape arguments:

  • for the Unix shell Bash, or any not-officially-supported Unix shell;
  • using the escape or escapeAll functions with the interpolation option set to true.

An attacker can cause polynomial backtracking in terms of the input string length due to a Regular Expression in shescape that is vulnerable to Regular Expression Denial of Service (ReDoS). Example:

import * as shescape from "shescape";

/* 1. Prerequisites */
const options = {
  interpolation: true,
  // and
  shell: "/bin/bash",
  // or
  shell: "some-not-officially-supported-shell",
  // or
  shell: undefined, // Only if the system's default shell is bash or an unsupported shell.
};

/* 2. Attack */
let userInput = '{,'.repeat(150_000); // polynomial backtracking

/* 3. Usage */
shescape.escape(userInput, options);
// or
shescape.escapeAll([userInput], options);

Patches

This bug has been patched in v1.6.1 which you can upgrade to now. No further changes required.

Workarounds

Alternatively, a maximum length can be enforced on input strings to shescape to reduce the impact of the vulnerability. It is not recommended to try and detect vulnerable input strings, as the logic for this may end up being vulnerable to ReDoS itself.

References

For more information

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "shescape"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.5.10"
            },
            {
              "fixed": "1.6.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-25918"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-10-25T22:27:32Z",
    "nvd_published_at": "2022-10-27T10:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nThis impacts users that use shescape to escape arguments:\n\n- for the Unix shell Bash, or any not-officially-supported Unix shell;\n- using the `escape` or `escapeAll` functions with the `interpolation` option set to `true`.\n\nAn attacker can cause polynomial backtracking in terms of the input string length due to a Regular Expression in shescape that is vulnerable to Regular Expression Denial of Service (ReDoS). Example:\n\n```javascript\nimport * as shescape from \"shescape\";\n\n/* 1. Prerequisites */\nconst options = {\n  interpolation: true,\n  // and\n  shell: \"/bin/bash\",\n  // or\n  shell: \"some-not-officially-supported-shell\",\n  // or\n  shell: undefined, // Only if the system\u0027s default shell is bash or an unsupported shell.\n};\n\n/* 2. Attack */\nlet userInput = \u0027{,\u0027.repeat(150_000); // polynomial backtracking\n\n/* 3. Usage */\nshescape.escape(userInput, options);\n// or\nshescape.escapeAll([userInput], options);\n```\n\n### Patches\n\nThis bug has been patched in [v1.6.1](https://github.com/ericcornelissen/shescape/releases/tag/v1.6.1) which you can upgrade to now. No further changes required.\n\n### Workarounds\n\nAlternatively, a maximum length can be enforced on input strings to shescape to reduce the impact of the vulnerability. It is not recommended to try and detect vulnerable input strings, as the logic for this may end up being vulnerable to ReDoS itself.\n\n### References\n\n- Shescape commit [552e8ea](https://github.com/ericcornelissen/shescape/commit/552e8eab56861720b1d4e5474fb65741643358f9)\n- Shescape Release [v1.6.1](https://github.com/ericcornelissen/shescape/releases/tag/v1.6.1)\n\n### For more information\n\n- Comment on commit [552e8ea](https://github.com/ericcornelissen/shescape/commit/552e8eab56861720b1d4e5474fb65741643358f9)\n- Open an issue at [https://github.com/ericcornelissen/shescape/issues](https://github.com/ericcornelissen/shescape/issues?q=is%3Aissue+is%3Aopen) (New issue \u003e Question \u003e Get started)\n",
  "id": "GHSA-cr84-xvw4-qx3c",
  "modified": "2022-10-31T16:02:55Z",
  "published": "2022-10-25T22:27:32Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ericcornelissen/shescape/security/advisories/GHSA-cr84-xvw4-qx3c"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25918"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ericcornelissen/shescape/commit/552e8eab56861720b1d4e5474fb65741643358f9"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ericcornelissen/shescape"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ericcornelissen/shescape/blob/main/src/unix.js%23L52"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ericcornelissen/shescape/releases/tag/v1.6.1"
    },
    {
      "type": "WEB",
      "url": "https://security.snyk.io/vuln/SNYK-JS-SHESCAPE-3061108"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Inefficient Regular Expression Complexity in shescape "
}

GHSA-CRJR-9RC5-GHW8

Vulnerability from github – Published: 2022-04-11 21:18 – Updated: 2023-07-06 16:02
VLAI
Summary
Nokogiri Inefficient Regular Expression Complexity
Details

Summary

Nokogiri < v1.13.4 contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to detect encoding in HTML documents.

Mitigation

Upgrade to Nokogiri >= 1.13.4.

Severity

The Nokogiri maintainers have evaluated this as High Severity 7.5 (CVSS3.1).

References

CWE-1333 Inefficient Regular Expression Complexity

Credit

This vulnerability was reported by HackerOne user ooooooo_q (ななおく).

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "nokogiri"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.13.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-24836"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333",
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-04-11T21:18:06Z",
    "nvd_published_at": "2022-04-11T22:15:00Z",
    "severity": "HIGH"
  },
  "details": "## Summary\n\nNokogiri `\u003c v1.13.4` contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to detect encoding in HTML documents.\n\n## Mitigation\n\nUpgrade to Nokogiri `\u003e= 1.13.4`.\n\n\n## Severity\n\nThe Nokogiri maintainers have evaluated this as [**High Severity** 7.5 (CVSS3.1)](https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).\n\n\n## References\n\n[CWE-1333](https://cwe.mitre.org/data/definitions/1333.html) Inefficient Regular Expression Complexity\n\n\n## Credit\n\nThis vulnerability was reported by HackerOne user ooooooo_q (\u306a\u306a\u304a\u304f).\n",
  "id": "GHSA-crjr-9rc5-ghw8",
  "modified": "2023-07-06T16:02:37Z",
  "published": "2022-04-11T21:18:06Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-crjr-9rc5-ghw8"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24836"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sparklemotion/nokogiri/commit/e444525ef1634b675cd1cf52d39f4320ef0aecfd"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2022-24836.yml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/sparklemotion/nokogiri"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sparklemotion/nokogiri/releases/tag/v1.13.4"
    },
    {
      "type": "WEB",
      "url": "https://groups.google.com/g/ruby-security-ann/c/vX7qSjsvWis/m/TJWN4oOKBwAJ?utm_medium=email\u0026utm_source=footer"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00013.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2022/10/msg00018.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DHCOWMA5PQTIQIMDENA7R2Y5BDYAIYM"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OUPLBUZVM4WPFSXBEP2JS3R6LMKRTLFC"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XMDCWRQXJQ3TFSETPCEFMQ6RR6ME5UA3"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202208-29"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/kb/HT213532"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2022/Dec/23"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Nokogiri Inefficient Regular Expression Complexity"
}

GHSA-CW56-J3FM-7W57

Vulnerability from github – Published: 2022-05-18 00:00 – Updated: 2023-07-11 16:35
VLAI
Summary
Regular expression denial of service in Apache ShenYu
Details

In Apache ShenYui, ShenYu-Bootstrap, RegexPredicateJudge.java uses Pattern.matches(conditionData.getParamValue(), realData) to make judgments, where both parameters are controllable by the user. This can cause an attacker pass in malicious regular expressions and characters causing a resource exhaustion. This issue affects Apache ShenYu (incubating) 2.4.0, 2.4.1 and 2.4.2 and is fixed in 2.4.3.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.shenyu:shenyu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.4.0"
            },
            {
              "fixed": "2.4.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.shenyu:shenyu-bootstrap"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.4.0"
            },
            {
              "fixed": "2.4.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-26650"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333",
      "CWE-862"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-05-25T19:36:33Z",
    "nvd_published_at": "2022-05-17T08:15:00Z",
    "severity": "HIGH"
  },
  "details": "In Apache ShenYui, ShenYu-Bootstrap, RegexPredicateJudge.java uses Pattern.matches(conditionData.getParamValue(), realData) to make judgments, where both parameters are controllable by the user. This can cause an attacker pass in malicious regular expressions and characters causing a resource exhaustion. This issue affects Apache ShenYu (incubating) 2.4.0, 2.4.1 and 2.4.2 and is fixed in 2.4.3.",
  "id": "GHSA-cw56-j3fm-7w57",
  "modified": "2023-07-11T16:35:32Z",
  "published": "2022-05-18T00:00:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-26650"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/incubator-shenyu"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/8rp33m3nm4bwtx3qx76mqynth3t3d673"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2022/05/17/3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Regular expression denial of service in Apache ShenYu"
}

GHSA-F45G-68Q3-5W8X

Vulnerability from github – Published: 2026-03-10 21:04 – Updated: 2026-03-10 22:55
VLAI
Summary
Elysia has a string URL format ReDoS
Details

Impact

t.String({ format: 'url' }) is vulnerable to redos

Repeating a partial url format (protocol and hostname) multiple times cause regex to slow down significantly

'http://a'.repeat(n)

Here's a table demonstrating how long it takes to process repeated partial url format | n repeat | elapsed_ms | | --- | --- | | 1024 | 33.993 | | 2048 | 134.357 | | 4096 | 537.608 | | 8192 | 2155.842 | | 16384 | 8618.457 | | 32768 | 34604.139 |

Patches

Patched by 1.4.26, please kindly update elysia to >= 1.4.26

Here's how long it takes after the patch | n repeat | elapsed_ms | | --- | --- | | 1024 | 0.194 | | 2048 | 0.274 | | 4096 | 0.455 | | 8192 | 0.831 | | 16384 | 1.632 | | 32768 | 3.052 |

Workarounds

  1. It's recommended to always limit URL format to a reasonable length
t.String({
    format: 'url',
    maxLength: 288
})
  1. If a long URL format is necessary, to patch this without updating to 1.4.26, add the following code to any part of your codebase
import { FormatRegistry } from '@sinclair/typebox'

FormatRegistry.Delete('url')
FormatRegistry.Set('url', (value) =>
    /^(?:https?|ftp):\/\/(?:[^\s:@]+(?::[^\s@]*)?@)?(?:(?!(?:10|127)(?:\.\d{1,3}){3})(?!(?:169\.254|192\.168)(?:\.\d{1,3}){2})(?!172\.(?:1[6-9]|2\d|3[0-1])(?:\.\d{1,3}){2})(?:[1-9]\d?|1\d\d|2[01]\d|22[0-3])(?:\.(?:1?\d{1,2}|2[0-4]\d|25[0-5])){2}(?:\.(?:[1-9]\d?|1\d\d|2[0-4]\d|25[0-4]))|(?:(?:[a-z0-9\u{00a1}-\u{ffff}]+-)*[a-z0-9\u{00a1}-\u{ffff}]+)(?:\.(?:[a-z0-9\u{00a1}-\u{ffff}]+-)*[a-z0-9\u{00a1}-\u{ffff}]+)*(?:\.(?:[a-z\u{00a1}-\u{ffff}]{2,})))(?::\d{2,5})?(?:\/[^\s]*)?$/iu.test(
        value
    )
)
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "elysia"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.4.26"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-30837"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-10T21:04:25Z",
    "nvd_published_at": "2026-03-10T21:16:47Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n`t.String({ format: \u0027url\u0027 })` is vulnerable to redos\n\nRepeating a partial url format (protocol and hostname) multiple times cause regex to slow down significantly\n```js\n\u0027http://a\u0027.repeat(n)\n```\n\nHere\u0027s a table demonstrating how long it takes to process repeated partial url format\n| `n` repeat | elapsed_ms |\n| --- | --- |\n| 1024 | 33.993 |\n| 2048 | 134.357 |\n| 4096 | 537.608 |\n| 8192 | 2155.842 |\n| 16384 | 8618.457 |\n| 32768 | 34604.139 |\n\n### Patches\nPatched by 1.4.26, please kindly update `elysia` to \u003e= 1.4.26 \n\nHere\u0027s how long it takes after the patch\n| `n` repeat | elapsed_ms |\n| --- | --- |\n| 1024 | 0.194 |\n| 2048 | 0.274 |\n| 4096 | 0.455 |\n| 8192 | 0.831 |\n| 16384 | 1.632 |\n| 32768 | 3.052 |\n\n### Workarounds\n1. It\u0027s recommended to always limit URL format to a reasonable length\n```ts\nt.String({\n\tformat: \u0027url\u0027,\n\tmaxLength: 288\n})\n```\n\n2. If a long URL format is necessary, to patch this without updating to 1.4.26, add the following code to any part of your codebase\n```js\nimport { FormatRegistry } from \u0027@sinclair/typebox\u0027\n\nFormatRegistry.Delete(\u0027url\u0027)\nFormatRegistry.Set(\u0027url\u0027, (value) =\u003e\n\t/^(?:https?|ftp):\\/\\/(?:[^\\s:@]+(?::[^\\s@]*)?@)?(?:(?!(?:10|127)(?:\\.\\d{1,3}){3})(?!(?:169\\.254|192\\.168)(?:\\.\\d{1,3}){2})(?!172\\.(?:1[6-9]|2\\d|3[0-1])(?:\\.\\d{1,3}){2})(?:[1-9]\\d?|1\\d\\d|2[01]\\d|22[0-3])(?:\\.(?:1?\\d{1,2}|2[0-4]\\d|25[0-5])){2}(?:\\.(?:[1-9]\\d?|1\\d\\d|2[0-4]\\d|25[0-4]))|(?:(?:[a-z0-9\\u{00a1}-\\u{ffff}]+-)*[a-z0-9\\u{00a1}-\\u{ffff}]+)(?:\\.(?:[a-z0-9\\u{00a1}-\\u{ffff}]+-)*[a-z0-9\\u{00a1}-\\u{ffff}]+)*(?:\\.(?:[a-z\\u{00a1}-\\u{ffff}]{2,})))(?::\\d{2,5})?(?:\\/[^\\s]*)?$/iu.test(\n\t\tvalue\n\t)\n)\n```",
  "id": "GHSA-f45g-68q3-5w8x",
  "modified": "2026-03-10T22:55:50Z",
  "published": "2026-03-10T21:04:25Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/elysiajs/elysia/security/advisories/GHSA-f45g-68q3-5w8x"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30837"
    },
    {
      "type": "WEB",
      "url": "https://github.com/EdamAme-x/elysia-poc-redos"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/elysiajs/elysia"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Elysia has a string URL format ReDoS"
}

GHSA-F522-FFG8-J8R6

Vulnerability from github – Published: 2017-10-24 18:33 – Updated: 2025-10-17 17:50
VLAI
Summary
Regular Expression Denial of Service in is-my-json-valid
Details

Version of is-my-json-valid before 2.12.4 are vulnerable to regular expression denial of service (ReDoS) via the email validation function.

Recommendation

Update to version 2.12.4 or later.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "is-my-json-valid"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.12.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2016-2537"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:33:36Z",
    "nvd_published_at": "2016-02-23T05:59:01Z",
    "severity": "HIGH"
  },
  "details": "Version of `is-my-json-valid` before 2.12.4 are vulnerable to regular expression denial of service (ReDoS) via the email validation function.\n\n\n## Recommendation\n\nUpdate to version 2.12.4 or later.",
  "id": "GHSA-f522-ffg8-j8r6",
  "modified": "2025-10-17T17:50:27Z",
  "published": "2017-10-24T18:33:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-2537"
    },
    {
      "type": "WEB",
      "url": "https://github.com/github/advisory-database/pull/4850"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mafintosh/is-my-json-valid/pull/159"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mafintosh/is-my-json-valid/commit/b3051b277f7caa08cd2edc6f74f50aeda65d2976"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mafintosh/is-my-json-valid/commit/eca4beb21e61877d76fdf6bea771f72f39544d9b"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/317548"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-f522-ffg8-j8r6"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mafintosh/is-my-json-valid"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/advisories/572"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/advisories/76"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Regular Expression Denial of Service in is-my-json-valid"
}

GHSA-F5XG-CFPJ-2MW6

Vulnerability from github – Published: 2025-06-09 21:30 – Updated: 2025-06-09 23:08
VLAI
Summary
taro-css-to-react-native Regular Expression Denial of Service vulnerability
Details

A vulnerability was found in tarojs taro up to 4.1.1. It has been declared as problematic. This vulnerability affects unknown code of the file taro/packages/css-to-react-native/src/index.js. The manipulation leads to inefficient regular expression complexity. The attack can be initiated remotely. Upgrading to version 4.1.2 is able to address this issue. The name of the patch is c2e321a8b6fc873427c466c69f41ed0b5e8814bf. It is recommended to upgrade the affected component.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "taro-css-to-react-native"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.1.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-5896"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333",
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-06-09T23:08:45Z",
    "nvd_published_at": "2025-06-09T21:15:47Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability was found in tarojs taro up to 4.1.1. It has been declared as problematic. This vulnerability affects unknown code of the file taro/packages/css-to-react-native/src/index.js. The manipulation leads to inefficient regular expression complexity. The attack can be initiated remotely. Upgrading to version 4.1.2 is able to address this issue. The name of the patch is c2e321a8b6fc873427c466c69f41ed0b5e8814bf. It is recommended to upgrade the affected component.",
  "id": "GHSA-f5xg-cfpj-2mw6",
  "modified": "2025-06-09T23:08:45Z",
  "published": "2025-06-09T21:30:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-5896"
    },
    {
      "type": "WEB",
      "url": "https://github.com/NervJS/taro/pull/17619"
    },
    {
      "type": "WEB",
      "url": "https://github.com/NervJS/taro/commit/c2e321a8b6fc873427c466c69f41ed0b5e8814bf"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/NervJS/taro"
    },
    {
      "type": "WEB",
      "url": "https://github.com/NervJS/taro/releases/tag/v4.1.2"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.311668"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.311668"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.585796"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "taro-css-to-react-native Regular Expression Denial of Service vulnerability"
}

GHSA-F8Q6-P94X-37V3

Vulnerability from github – Published: 2022-10-18 12:00 – Updated: 2024-02-14 18:15
VLAI
Summary
minimatch ReDoS vulnerability
Details

A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "minimatch"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.0.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-3517"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333",
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-10-20T18:21:03Z",
    "nvd_published_at": "2022-10-17T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.",
  "id": "GHSA-f8q6-p94x-37v3",
  "modified": "2024-02-14T18:15:16Z",
  "published": "2022-10-18T12:00:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3517"
    },
    {
      "type": "WEB",
      "url": "https://github.com/grafana/grafana-image-renderer/issues/329"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nodejs/node/issues/42510"
    },
    {
      "type": "WEB",
      "url": "https://github.com/isaacs/minimatch/commit/a8763f4388e51956be62dc6025cec1126beeb5e6"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/isaacs/minimatch"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00011.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "minimatch ReDoS vulnerability"
}

GHSA-F8WW-P9XJ-CM59

Vulnerability from github – Published: 2023-01-12 06:30 – Updated: 2023-01-18 21:30
VLAI
Details

An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.8 before 15.5.7, all versions starting from 15.6 before 15.6.4, all versions starting from 15.7 before 15.7.2. An attacker may cause Denial of Service on a GitLab instance by exploiting a regex issue in how the application parses user agents.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-4131"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-01-12T04:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.8 before 15.5.7, all versions starting from 15.6 before 15.6.4, all versions starting from 15.7 before 15.7.2. An attacker may cause Denial of Service on a GitLab instance by exploiting a regex issue in how the application parses user agents.",
  "id": "GHSA-f8ww-p9xj-cm59",
  "modified": "2023-01-18T21:30:21Z",
  "published": "2023-01-12T06:30:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4131"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/1772063"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-4131.json"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/383598"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-F9V8-6C5P-2WHH

Vulnerability from github – Published: 2023-06-07 18:30 – Updated: 2024-04-04 04:39
VLAI
Details

An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.0 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. A Regular Expression Denial of Service was possible via sending crafted payloads to the preview_markdown endpoint.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-2199"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-06-07T17:15:10Z",
    "severity": "HIGH"
  },
  "details": "An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.0 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. A Regular Expression Denial of Service was possible via sending crafted payloads to the preview_markdown endpoint.",
  "id": "GHSA-f9v8-6c5p-2whh",
  "modified": "2024-04-04T04:39:39Z",
  "published": "2023-06-07T18:30:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2199"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/1943819"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2023/CVE-2023-2199.json"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/408272"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FFMH-X56J-9RC3

Vulnerability from github – Published: 2022-07-05 22:56 – Updated: 2022-07-22 16:34
VLAI
Summary
jquery-validation Regular Expression Denial of Service due to arbitrary input to url2 method
Details

Summary

Incomplete fix of CVE-2021-43306: An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the jquery-validation npm package, when an attacker is able to supply arbitrary input to the url2 method.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "jquery-validation"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.19.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-31147"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-07-05T22:56:58Z",
    "nvd_published_at": "2022-07-14T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "Summary\n\nIncomplete fix of CVE-2021-43306: An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the jquery-validation npm package, when an attacker is able to supply arbitrary input to the url2 method.",
  "id": "GHSA-ffmh-x56j-9rc3",
  "modified": "2022-07-22T16:34:21Z",
  "published": "2022-07-05T22:56:58Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/jquery-validation/jquery-validation/security/advisories/GHSA-ffmh-x56j-9rc3"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31147"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jquery-validation/jquery-validation/commit/5bbd80d27fc6b607d2f7f106c89522051a9fb0dd"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jquery-validation/jquery-validation"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jquery-validation/jquery-validation/releases/tag/1.19.5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "jquery-validation Regular Expression Denial of Service due to arbitrary input to url2 method"
}

Mitigation
Architecture and Design

Use regular expressions that do not support backtracking, e.g. by removing nested quantifiers.

Mitigation
System Configuration

Set backtracking limits in the configuration of the regular expression implementation, such as PHP's pcre.backtrack_limit. Also consider limits on execution time for the process.

Mitigation
Implementation

Do not use regular expressions with untrusted input. If regular expressions must be used, avoid using backtracking in the expression.

Mitigation
Implementation

Limit the length of the input that the regular expression will process.

CAPEC-492: Regular Expression Exponential Blowup

An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions.