Common Weakness Enumeration

CWE-1333

Allowed

Inefficient Regular Expression Complexity

Abstraction: Base · Status: Draft

The product uses a regular expression with a worst-case computational complexity that is inefficient and possibly exponential.

724 vulnerabilities reference this CWE, most recent first.

GHSA-P9WX-2529-FP83

Vulnerability from github – Published: 2025-05-23 15:31 – Updated: 2025-05-27 15:03
VLAI
Summary
Marked allows Regular Expression Denial of Service (ReDoS) attacks
Details

Marked prior to version 0.3.17 is vulnerable to a Regular Expression Denial of Service (ReDoS) attack due to catastrophic backtracking in several regular expressions used for parsing HTML tags and markdown links. An attacker can exploit this vulnerability by providing specially crafted markdown input, such as deeply nested or repetitively structured brackets or tag attributes, which cause the parser to hang and lead to a Denial of Service.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "marked"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.3.17"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2018-25110"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-05-27T15:03:47Z",
    "nvd_published_at": "2025-05-23T15:15:20Z",
    "severity": "MODERATE"
  },
  "details": "Marked prior to version 0.3.17 is vulnerable to a Regular Expression Denial of Service (ReDoS) attack due to catastrophic backtracking in several regular expressions used for parsing HTML tags and markdown links. An attacker can exploit this vulnerability by providing specially crafted markdown input, such as deeply nested or repetitively structured brackets or tag attributes, which cause the parser to hang and lead to a Denial of Service.",
  "id": "GHSA-p9wx-2529-fp83",
  "modified": "2025-05-27T15:03:47Z",
  "published": "2025-05-23T15:31:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-25110"
    },
    {
      "type": "WEB",
      "url": "https://github.com/markedjs/marked/issues/1070"
    },
    {
      "type": "WEB",
      "url": "https://github.com/markedjs/marked/pull/1083"
    },
    {
      "type": "WEB",
      "url": "https://github.com/markedjs/marked/commit/20bfc106013ed45713a21672ad4a34df94dcd485"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Checkmarx/Vulnerabilities-Proofs-of-Concept/tree/main/2018/CVE-2018-25110"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/markedjs/marked"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Marked allows Regular Expression Denial of Service (ReDoS) attacks"
}

GHSA-PFQ8-RQ6V-VF5M

Vulnerability from github – Published: 2022-10-31 19:00 – Updated: 2025-06-11 17:34
VLAI
Summary
kangax html-minifier REDoS vulnerability
Details

A Regular Expression Denial of Service (ReDoS) flaw was found in kangax html-minifier 4.0.0 because of the reCustomIgnore regular expression.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "html-minifier"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "4.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-37620"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333",
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-22T23:06:37Z",
    "nvd_published_at": "2022-10-31T12:15:00Z",
    "severity": "HIGH"
  },
  "details": "A Regular Expression Denial of Service (ReDoS) flaw was found in kangax html-minifier 4.0.0 because of the reCustomIgnore regular expression.",
  "id": "GHSA-pfq8-rq6v-vf5m",
  "modified": "2025-06-11T17:34:37Z",
  "published": "2022-10-31T19:00:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37620"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kangax/html-minifier/issues/1135"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/kangax/html-minifier"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kangax/html-minifier/blob/51ce10f4daedb1de483ffbcccecc41be1c873da2/src/htmlminifier.js#L1338"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kangax/html-minifier/blob/51ce10f4daedb1de483ffbcccecc41be1c873da2/src/htmlminifier.js#L294"
    },
    {
      "type": "WEB",
      "url": "https://security.snyk.io/vuln/SNYK-JS-HTMLMINIFIER-3091181"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "kangax html-minifier REDoS vulnerability"
}

GHSA-PFRM-4RJW-G9Q5

Vulnerability from github – Published: 2023-01-02 09:31 – Updated: 2023-01-10 16:13
VLAI
Summary
string-kit Inefficient Regular Expression Complexity vulnerability
Details

A vulnerability classified as problematic was found in cronvel string-kit up to 0.12.7. This vulnerability affects the function naturalSort of the file lib/naturalSort.js. The manipulation leads to inefficient regular expression complexity. The attack can be initiated remotely. Upgrading to version 0.12.8 can address this issue. The name of the patch is 9cac4c298ee92c1695b0695951f1488884a7ca73. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-217180.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "string-kit"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.12.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-4299"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-01-04T14:27:35Z",
    "nvd_published_at": "2023-01-02T08:15:00Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability classified as problematic was found in cronvel string-kit up to 0.12.7. This vulnerability affects the function naturalSort of the file lib/naturalSort.js. The manipulation leads to inefficient regular expression complexity. The attack can be initiated remotely. Upgrading to version 0.12.8 can address this issue. The name of the patch is 9cac4c298ee92c1695b0695951f1488884a7ca73. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-217180.",
  "id": "GHSA-pfrm-4rjw-g9q5",
  "modified": "2023-01-10T16:13:19Z",
  "published": "2023-01-02T09:31:57Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4299"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cronvel/string-kit/commit/9cac4c298ee92c1695b0695951f1488884a7ca73"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/cronvel/string-kit"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cronvel/string-kit/releases/tag/v0.12.8"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.217180"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.217180"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "string-kit Inefficient Regular Expression Complexity vulnerability"
}

GHSA-PJF2-268R-G6X9

Vulnerability from github – Published: 2024-10-11 21:31 – Updated: 2024-10-17 21:31
VLAI
Details

Znuny before LTS 6.5.1 through 6.5.10 and 7.0.1 through 7.0.16 allows DoS/ReDos via email. Parsing the content of emails where HTML code is copied from Microsoft Word could lead to high CPU usage and block the parsing process.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-48938"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-11T21:15:07Z",
    "severity": "HIGH"
  },
  "details": "Znuny before LTS 6.5.1 through 6.5.10 and 7.0.1 through 7.0.16 allows DoS/ReDos via email. Parsing the content of emails where HTML code is copied from Microsoft Word could lead to high CPU usage and block the parsing process.",
  "id": "GHSA-pjf2-268r-g6x9",
  "modified": "2024-10-17T21:31:30Z",
  "published": "2024-10-11T21:31:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-48938"
    },
    {
      "type": "WEB",
      "url": "https://www.znuny.com"
    },
    {
      "type": "WEB",
      "url": "https://www.znuny.org/en/advisories"
    },
    {
      "type": "WEB",
      "url": "https://www.znuny.org/en/advisories/zsa-2024-04"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PJWM-CR36-MWV3

Vulnerability from github – Published: 2024-11-14 22:44 – Updated: 2024-11-14 22:44
VLAI
Summary
ReDoS in giskard's transformation.py (GHSL-2024-324)
Details

ReDoS in Giskard text perturbation detector

A Remote Code Execution (ReDoS) vulnerability was discovered in Giskard component by the GitHub Security Lab team. When processing datasets with specific text patterns with Giskard detectors, this vulnerability could trigger exponential regex evaluation times, potentially leading to denial of service.

Details

The vulnerability affects Giskard's punctuation removal transformation used in the text perturbation detection. A regex used to detect URLs and links was vulnerable to catastrophic backtracking that could be triggered by specific patterns in the text.

Affected version

Giskard versions prior to 2.15.5 are affected. Users should upgrade to version 2.15.5 or later, which includes a fix for this vulnerability.

Impact

This vulnerability can cause extended computation times or crashes in Giskard when processing text containing certain patterns.

Credit

This issue was discovered and reported by GHSL team member @kevinbackhouse (Kevin Backhouse).

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.15.4"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "giskard"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.15.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-52524"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-11-14T22:44:36Z",
    "nvd_published_at": "2024-11-14T18:15:26Z",
    "severity": "MODERATE"
  },
  "details": "# ReDoS in Giskard text perturbation detector\n\nA Remote Code Execution (ReDoS) vulnerability was discovered in Giskard component by the [GitHub Security Lab](https://securitylab.github.com) team. When processing datasets with specific text patterns with Giskard detectors, this vulnerability could trigger exponential regex evaluation times, potentially leading to denial of service.\n\n## Details\n\nThe vulnerability affects Giskard\u0027s punctuation removal transformation used in the text perturbation detection. A regex used to detect URLs and links was vulnerable to catastrophic backtracking that could be triggered by specific patterns in the text.\n\n## Affected version\n\nGiskard versions prior to 2.15.5 are affected. Users should upgrade to version 2.15.5 or later, which includes a fix for this vulnerability.\n\n## Impact\n\nThis vulnerability can cause extended computation times or crashes in Giskard when processing text containing certain patterns.\n\n## Credit\n\nThis issue was discovered and reported by GHSL team member [@kevinbackhouse (Kevin Backhouse)](https://github.com/kevinbackhouse).",
  "id": "GHSA-pjwm-cr36-mwv3",
  "modified": "2024-11-14T22:44:36Z",
  "published": "2024-11-14T22:44:36Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Giskard-AI/giskard/security/advisories/GHSA-pjwm-cr36-mwv3"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52524"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Giskard-AI/giskard/commit/48ce81f5c626171767188d6f0669498fb613b4d3"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Giskard-AI/giskard"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Clear",
      "type": "CVSS_V4"
    }
  ],
  "summary": "ReDoS in giskard\u0027s transformation.py (GHSL-2024-324)"
}

GHSA-PMVV-57RG-5G86

Vulnerability from github – Published: 2024-10-26 21:30 – Updated: 2024-11-13 23:24
VLAI
Summary
CommonRegexJS Regular Expression Denial of Service vulnerability
Details

CommonRegexJS is a CommonRegex port for JavaScript. All available versions contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS). As of time of publication, no known patches are available.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "commonregex"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.3.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-26305"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-10-28T14:44:58Z",
    "nvd_published_at": "2024-10-26T21:15:13Z",
    "severity": "MODERATE"
  },
  "details": "CommonRegexJS is a CommonRegex port for JavaScript. All available versions contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS). As of time of publication, no known patches are available.",
  "id": "GHSA-pmvv-57rg-5g86",
  "modified": "2024-11-13T23:24:33Z",
  "published": "2024-10-26T21:30:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26305"
    },
    {
      "type": "WEB",
      "url": "https://github.com/talyssonoc/CommonRegexJS/issues/4"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/talyssonoc/CommonRegexJS"
    },
    {
      "type": "ADVISORY",
      "url": "https://securitylab.github.com/advisories/GHSL-2020-291-redos-CommonRegexJS"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green",
      "type": "CVSS_V4"
    }
  ],
  "summary": "CommonRegexJS Regular Expression Denial of Service vulnerability"
}

GHSA-PPJ4-34RQ-V8J9

Vulnerability from github – Published: 2021-10-25 19:43 – Updated: 2024-05-20 20:41
VLAI
Summary
github.com/tidwall/gjson Vulnerable to REDoS attack
Details

GJSON is a Go package that provides a fast and simple way to get values from a json document. GJSON before 1.9.3 allows a ReDoS (regular expression denial of service) attack.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/tidwall/gjson"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.9.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-42836"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333",
      "CWE-400",
      "CWE-697"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-10-25T18:27:20Z",
    "nvd_published_at": "2021-10-22T18:15:00Z",
    "severity": "HIGH"
  },
  "details": "GJSON is a Go package that provides a fast and simple way to get values from a json document. GJSON before 1.9.3 allows a ReDoS (regular expression denial of service) attack.",
  "id": "GHSA-ppj4-34rq-v8j9",
  "modified": "2024-05-20T20:41:04Z",
  "published": "2021-10-25T19:43:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-42836"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tidwall/gjson/issues/236"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tidwall/gjson/issues/237"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tidwall/gjson/commit/590010fdac311cc8990ef5c97448d4fec8f29944"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tidwall/gjson/commit/77a57fda87dca6d0d7d4627d512a630f89a91c96"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/tidwall/gjson"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tidwall/gjson/compare/v1.9.2...v1.9.3"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2021-0265"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "github.com/tidwall/gjson Vulnerable to REDoS attack"
}

GHSA-PQ2W-3M7X-QX76

Vulnerability from github – Published: 2026-01-13 00:30 – Updated: 2026-01-21 18:30
VLAI
Details

LangChain versions up to and including 0.3.1 contain a regular expression denial-of-service (ReDoS) vulnerability in the MRKLOutputParser.parse() method (libs/langchain/langchain/agents/mrkl/output_parser.py). The parser applies a backtracking-prone regular expression when extracting tool actions from model output. An attacker who can supply or influence the parsed text (for example via prompt injection in downstream applications that pass LLM output directly into MRKLOutputParser.parse()) can trigger excessive CPU consumption by providing a crafted payload, causing significant parsing delays and a denial-of-service condition.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-58340"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-12T23:15:51Z",
    "severity": "HIGH"
  },
  "details": "LangChain versions up to and including 0.3.1 contain a regular expression denial-of-service (ReDoS) vulnerability in the MRKLOutputParser.parse() method (libs/langchain/langchain/agents/mrkl/output_parser.py). The parser applies a backtracking-prone regular expression when extracting tool actions from model output. An attacker who can supply or influence the parsed text (for example via prompt injection in downstream applications that pass LLM output directly into MRKLOutputParser.parse()) can trigger excessive CPU consumption by providing a crafted payload, causing significant parsing delays and a denial-of-service condition.",
  "id": "GHSA-pq2w-3m7x-qx76",
  "modified": "2026-01-21T18:30:27Z",
  "published": "2026-01-13T00:30:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-58340"
    },
    {
      "type": "WEB",
      "url": "https://github.com/langchain-ai/langchain"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/e7ece02c-d4bb-4166-8e08-6baf4f8845bb"
    },
    {
      "type": "WEB",
      "url": "https://www.langchain.com"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/langchain-mrkloutputparser-redos"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-PQWW-M5HF-XXFH

Vulnerability from github – Published: 2023-06-06 18:30 – Updated: 2024-04-04 04:36
VLAI
Details

An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.4 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. A DollarMathPostFilter Regular Expression Denial of Service in was possible by sending crafted payloads to the preview_markdown endpoint.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-2132"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-06-06T17:15:14Z",
    "severity": "HIGH"
  },
  "details": "An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.4 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. A DollarMathPostFilter Regular Expression Denial of Service in was possible by sending crafted payloads to the preview_markdown endpoint.",
  "id": "GHSA-pqww-m5hf-xxfh",
  "modified": "2024-04-04T04:36:15Z",
  "published": "2023-06-06T18:30:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2132"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/1934711"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2023/CVE-2023-2132.json"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/407586"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PRR3-C3M5-P7Q2

Vulnerability from github – Published: 2023-11-30 19:51 – Updated: 2023-12-14 22:02
VLAI
Summary
@adobe/css-tools Improper Input Validation and Inefficient Regular Expression Complexity
Details

Impact

@adobe/css-tools version 4.3.1 and earlier are affected by an Improper Input Validation vulnerability that could result in a denial of service while attempting to parse CSS.

Patches

The issue has been resolved in 4.3.2.

Workarounds

None

References

N/A

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@adobe/css-tools"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.3.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-48631"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333",
      "CWE-20"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-11-30T19:51:29Z",
    "nvd_published_at": "2023-12-14T13:15:54Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n@adobe/css-tools version 4.3.1 and earlier are affected by an Improper Input Validation vulnerability that could result in a denial of service while attempting to parse CSS.\n\n### Patches\nThe issue has been resolved in 4.3.2.\n\n### Workarounds\nNone\n\n### References\nN/A\n",
  "id": "GHSA-prr3-c3m5-p7q2",
  "modified": "2023-12-14T22:02:39Z",
  "published": "2023-11-30T19:51:29Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/adobe/css-tools/security/advisories/GHSA-prr3-c3m5-p7q2"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48631"
    },
    {
      "type": "WEB",
      "url": "https://github.com/adobe/css-tools/issues/211"
    },
    {
      "type": "WEB",
      "url": "https://github.com/adobe/css-tools/pull/249"
    },
    {
      "type": "WEB",
      "url": "https://github.com/adobe/css-tools/commit/472bef91bde9caab305f3f36231ad0c253581b43"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/adobe/css-tools"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "@adobe/css-tools Improper Input Validation and Inefficient Regular Expression Complexity"
}

Mitigation
Architecture and Design

Use regular expressions that do not support backtracking, e.g. by removing nested quantifiers.

Mitigation
System Configuration

Set backtracking limits in the configuration of the regular expression implementation, such as PHP's pcre.backtrack_limit. Also consider limits on execution time for the process.

Mitigation
Implementation

Do not use regular expressions with untrusted input. If regular expressions must be used, avoid using backtracking in the expression.

Mitigation
Implementation

Limit the length of the input that the regular expression will process.

CAPEC-492: Regular Expression Exponential Blowup

An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions.