CWE-1333
AllowedInefficient Regular Expression Complexity
Abstraction: Base · Status: Draft
The product uses a regular expression with a worst-case computational complexity that is inefficient and possibly exponential.
724 vulnerabilities reference this CWE, most recent first.
GHSA-P9WX-2529-FP83
Vulnerability from github – Published: 2025-05-23 15:31 – Updated: 2025-05-27 15:03Marked prior to version 0.3.17 is vulnerable to a Regular Expression Denial of Service (ReDoS) attack due to catastrophic backtracking in several regular expressions used for parsing HTML tags and markdown links. An attacker can exploit this vulnerability by providing specially crafted markdown input, such as deeply nested or repetitively structured brackets or tag attributes, which cause the parser to hang and lead to a Denial of Service.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "marked"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.3.17"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2018-25110"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2025-05-27T15:03:47Z",
"nvd_published_at": "2025-05-23T15:15:20Z",
"severity": "MODERATE"
},
"details": "Marked prior to version 0.3.17 is vulnerable to a Regular Expression Denial of Service (ReDoS) attack due to catastrophic backtracking in several regular expressions used for parsing HTML tags and markdown links. An attacker can exploit this vulnerability by providing specially crafted markdown input, such as deeply nested or repetitively structured brackets or tag attributes, which cause the parser to hang and lead to a Denial of Service.",
"id": "GHSA-p9wx-2529-fp83",
"modified": "2025-05-27T15:03:47Z",
"published": "2025-05-23T15:31:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-25110"
},
{
"type": "WEB",
"url": "https://github.com/markedjs/marked/issues/1070"
},
{
"type": "WEB",
"url": "https://github.com/markedjs/marked/pull/1083"
},
{
"type": "WEB",
"url": "https://github.com/markedjs/marked/commit/20bfc106013ed45713a21672ad4a34df94dcd485"
},
{
"type": "WEB",
"url": "https://github.com/Checkmarx/Vulnerabilities-Proofs-of-Concept/tree/main/2018/CVE-2018-25110"
},
{
"type": "PACKAGE",
"url": "https://github.com/markedjs/marked"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Marked allows Regular Expression Denial of Service (ReDoS) attacks"
}
GHSA-PFQ8-RQ6V-VF5M
Vulnerability from github – Published: 2022-10-31 19:00 – Updated: 2025-06-11 17:34A Regular Expression Denial of Service (ReDoS) flaw was found in kangax html-minifier 4.0.0 because of the reCustomIgnore regular expression.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "html-minifier"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "4.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-37620"
],
"database_specific": {
"cwe_ids": [
"CWE-1333",
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2024-04-22T23:06:37Z",
"nvd_published_at": "2022-10-31T12:15:00Z",
"severity": "HIGH"
},
"details": "A Regular Expression Denial of Service (ReDoS) flaw was found in kangax html-minifier 4.0.0 because of the reCustomIgnore regular expression.",
"id": "GHSA-pfq8-rq6v-vf5m",
"modified": "2025-06-11T17:34:37Z",
"published": "2022-10-31T19:00:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37620"
},
{
"type": "WEB",
"url": "https://github.com/kangax/html-minifier/issues/1135"
},
{
"type": "PACKAGE",
"url": "https://github.com/kangax/html-minifier"
},
{
"type": "WEB",
"url": "https://github.com/kangax/html-minifier/blob/51ce10f4daedb1de483ffbcccecc41be1c873da2/src/htmlminifier.js#L1338"
},
{
"type": "WEB",
"url": "https://github.com/kangax/html-minifier/blob/51ce10f4daedb1de483ffbcccecc41be1c873da2/src/htmlminifier.js#L294"
},
{
"type": "WEB",
"url": "https://security.snyk.io/vuln/SNYK-JS-HTMLMINIFIER-3091181"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "kangax html-minifier REDoS vulnerability"
}
GHSA-PFRM-4RJW-G9Q5
Vulnerability from github – Published: 2023-01-02 09:31 – Updated: 2023-01-10 16:13A vulnerability classified as problematic was found in cronvel string-kit up to 0.12.7. This vulnerability affects the function naturalSort of the file lib/naturalSort.js. The manipulation leads to inefficient regular expression complexity. The attack can be initiated remotely. Upgrading to version 0.12.8 can address this issue. The name of the patch is 9cac4c298ee92c1695b0695951f1488884a7ca73. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-217180.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "string-kit"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.12.8"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-4299"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2023-01-04T14:27:35Z",
"nvd_published_at": "2023-01-02T08:15:00Z",
"severity": "HIGH"
},
"details": "A vulnerability classified as problematic was found in cronvel string-kit up to 0.12.7. This vulnerability affects the function naturalSort of the file lib/naturalSort.js. The manipulation leads to inefficient regular expression complexity. The attack can be initiated remotely. Upgrading to version 0.12.8 can address this issue. The name of the patch is 9cac4c298ee92c1695b0695951f1488884a7ca73. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-217180.",
"id": "GHSA-pfrm-4rjw-g9q5",
"modified": "2023-01-10T16:13:19Z",
"published": "2023-01-02T09:31:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4299"
},
{
"type": "WEB",
"url": "https://github.com/cronvel/string-kit/commit/9cac4c298ee92c1695b0695951f1488884a7ca73"
},
{
"type": "PACKAGE",
"url": "https://github.com/cronvel/string-kit"
},
{
"type": "WEB",
"url": "https://github.com/cronvel/string-kit/releases/tag/v0.12.8"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.217180"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.217180"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "string-kit Inefficient Regular Expression Complexity vulnerability"
}
GHSA-PJF2-268R-G6X9
Vulnerability from github – Published: 2024-10-11 21:31 – Updated: 2024-10-17 21:31Znuny before LTS 6.5.1 through 6.5.10 and 7.0.1 through 7.0.16 allows DoS/ReDos via email. Parsing the content of emails where HTML code is copied from Microsoft Word could lead to high CPU usage and block the parsing process.
{
"affected": [],
"aliases": [
"CVE-2024-48938"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-11T21:15:07Z",
"severity": "HIGH"
},
"details": "Znuny before LTS 6.5.1 through 6.5.10 and 7.0.1 through 7.0.16 allows DoS/ReDos via email. Parsing the content of emails where HTML code is copied from Microsoft Word could lead to high CPU usage and block the parsing process.",
"id": "GHSA-pjf2-268r-g6x9",
"modified": "2024-10-17T21:31:30Z",
"published": "2024-10-11T21:31:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-48938"
},
{
"type": "WEB",
"url": "https://www.znuny.com"
},
{
"type": "WEB",
"url": "https://www.znuny.org/en/advisories"
},
{
"type": "WEB",
"url": "https://www.znuny.org/en/advisories/zsa-2024-04"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PJWM-CR36-MWV3
Vulnerability from github – Published: 2024-11-14 22:44 – Updated: 2024-11-14 22:44ReDoS in Giskard text perturbation detector
A Remote Code Execution (ReDoS) vulnerability was discovered in Giskard component by the GitHub Security Lab team. When processing datasets with specific text patterns with Giskard detectors, this vulnerability could trigger exponential regex evaluation times, potentially leading to denial of service.
Details
The vulnerability affects Giskard's punctuation removal transformation used in the text perturbation detection. A regex used to detect URLs and links was vulnerable to catastrophic backtracking that could be triggered by specific patterns in the text.
Affected version
Giskard versions prior to 2.15.5 are affected. Users should upgrade to version 2.15.5 or later, which includes a fix for this vulnerability.
Impact
This vulnerability can cause extended computation times or crashes in Giskard when processing text containing certain patterns.
Credit
This issue was discovered and reported by GHSL team member @kevinbackhouse (Kevin Backhouse).
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.15.4"
},
"package": {
"ecosystem": "PyPI",
"name": "giskard"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.15.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-52524"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2024-11-14T22:44:36Z",
"nvd_published_at": "2024-11-14T18:15:26Z",
"severity": "MODERATE"
},
"details": "# ReDoS in Giskard text perturbation detector\n\nA Remote Code Execution (ReDoS) vulnerability was discovered in Giskard component by the [GitHub Security Lab](https://securitylab.github.com) team. When processing datasets with specific text patterns with Giskard detectors, this vulnerability could trigger exponential regex evaluation times, potentially leading to denial of service.\n\n## Details\n\nThe vulnerability affects Giskard\u0027s punctuation removal transformation used in the text perturbation detection. A regex used to detect URLs and links was vulnerable to catastrophic backtracking that could be triggered by specific patterns in the text.\n\n## Affected version\n\nGiskard versions prior to 2.15.5 are affected. Users should upgrade to version 2.15.5 or later, which includes a fix for this vulnerability.\n\n## Impact\n\nThis vulnerability can cause extended computation times or crashes in Giskard when processing text containing certain patterns.\n\n## Credit\n\nThis issue was discovered and reported by GHSL team member [@kevinbackhouse (Kevin Backhouse)](https://github.com/kevinbackhouse).",
"id": "GHSA-pjwm-cr36-mwv3",
"modified": "2024-11-14T22:44:36Z",
"published": "2024-11-14T22:44:36Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/Giskard-AI/giskard/security/advisories/GHSA-pjwm-cr36-mwv3"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52524"
},
{
"type": "WEB",
"url": "https://github.com/Giskard-AI/giskard/commit/48ce81f5c626171767188d6f0669498fb613b4d3"
},
{
"type": "PACKAGE",
"url": "https://github.com/Giskard-AI/giskard"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Clear",
"type": "CVSS_V4"
}
],
"summary": "ReDoS in giskard\u0027s transformation.py (GHSL-2024-324)"
}
GHSA-PMVV-57RG-5G86
Vulnerability from github – Published: 2024-10-26 21:30 – Updated: 2024-11-13 23:24CommonRegexJS is a CommonRegex port for JavaScript. All available versions contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS). As of time of publication, no known patches are available.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "commonregex"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.3.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-26305"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2024-10-28T14:44:58Z",
"nvd_published_at": "2024-10-26T21:15:13Z",
"severity": "MODERATE"
},
"details": "CommonRegexJS is a CommonRegex port for JavaScript. All available versions contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS). As of time of publication, no known patches are available.",
"id": "GHSA-pmvv-57rg-5g86",
"modified": "2024-11-13T23:24:33Z",
"published": "2024-10-26T21:30:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26305"
},
{
"type": "WEB",
"url": "https://github.com/talyssonoc/CommonRegexJS/issues/4"
},
{
"type": "PACKAGE",
"url": "https://github.com/talyssonoc/CommonRegexJS"
},
{
"type": "ADVISORY",
"url": "https://securitylab.github.com/advisories/GHSL-2020-291-redos-CommonRegexJS"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green",
"type": "CVSS_V4"
}
],
"summary": "CommonRegexJS Regular Expression Denial of Service vulnerability"
}
GHSA-PPJ4-34RQ-V8J9
Vulnerability from github – Published: 2021-10-25 19:43 – Updated: 2024-05-20 20:41GJSON is a Go package that provides a fast and simple way to get values from a json document. GJSON before 1.9.3 allows a ReDoS (regular expression denial of service) attack.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/tidwall/gjson"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.9.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-42836"
],
"database_specific": {
"cwe_ids": [
"CWE-1333",
"CWE-400",
"CWE-697"
],
"github_reviewed": true,
"github_reviewed_at": "2021-10-25T18:27:20Z",
"nvd_published_at": "2021-10-22T18:15:00Z",
"severity": "HIGH"
},
"details": "GJSON is a Go package that provides a fast and simple way to get values from a json document. GJSON before 1.9.3 allows a ReDoS (regular expression denial of service) attack.",
"id": "GHSA-ppj4-34rq-v8j9",
"modified": "2024-05-20T20:41:04Z",
"published": "2021-10-25T19:43:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-42836"
},
{
"type": "WEB",
"url": "https://github.com/tidwall/gjson/issues/236"
},
{
"type": "WEB",
"url": "https://github.com/tidwall/gjson/issues/237"
},
{
"type": "WEB",
"url": "https://github.com/tidwall/gjson/commit/590010fdac311cc8990ef5c97448d4fec8f29944"
},
{
"type": "WEB",
"url": "https://github.com/tidwall/gjson/commit/77a57fda87dca6d0d7d4627d512a630f89a91c96"
},
{
"type": "PACKAGE",
"url": "https://github.com/tidwall/gjson"
},
{
"type": "WEB",
"url": "https://github.com/tidwall/gjson/compare/v1.9.2...v1.9.3"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2021-0265"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "github.com/tidwall/gjson Vulnerable to REDoS attack"
}
GHSA-PQ2W-3M7X-QX76
Vulnerability from github – Published: 2026-01-13 00:30 – Updated: 2026-01-21 18:30LangChain versions up to and including 0.3.1 contain a regular expression denial-of-service (ReDoS) vulnerability in the MRKLOutputParser.parse() method (libs/langchain/langchain/agents/mrkl/output_parser.py). The parser applies a backtracking-prone regular expression when extracting tool actions from model output. An attacker who can supply or influence the parsed text (for example via prompt injection in downstream applications that pass LLM output directly into MRKLOutputParser.parse()) can trigger excessive CPU consumption by providing a crafted payload, causing significant parsing delays and a denial-of-service condition.
{
"affected": [],
"aliases": [
"CVE-2024-58340"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-12T23:15:51Z",
"severity": "HIGH"
},
"details": "LangChain versions up to and including 0.3.1 contain a regular expression denial-of-service (ReDoS) vulnerability in the MRKLOutputParser.parse() method (libs/langchain/langchain/agents/mrkl/output_parser.py). The parser applies a backtracking-prone regular expression when extracting tool actions from model output. An attacker who can supply or influence the parsed text (for example via prompt injection in downstream applications that pass LLM output directly into MRKLOutputParser.parse()) can trigger excessive CPU consumption by providing a crafted payload, causing significant parsing delays and a denial-of-service condition.",
"id": "GHSA-pq2w-3m7x-qx76",
"modified": "2026-01-21T18:30:27Z",
"published": "2026-01-13T00:30:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-58340"
},
{
"type": "WEB",
"url": "https://github.com/langchain-ai/langchain"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/e7ece02c-d4bb-4166-8e08-6baf4f8845bb"
},
{
"type": "WEB",
"url": "https://www.langchain.com"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/langchain-mrkloutputparser-redos"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-PQWW-M5HF-XXFH
Vulnerability from github – Published: 2023-06-06 18:30 – Updated: 2024-04-04 04:36An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.4 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. A DollarMathPostFilter Regular Expression Denial of Service in was possible by sending crafted payloads to the preview_markdown endpoint.
{
"affected": [],
"aliases": [
"CVE-2023-2132"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-06T17:15:14Z",
"severity": "HIGH"
},
"details": "An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.4 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. A DollarMathPostFilter Regular Expression Denial of Service in was possible by sending crafted payloads to the preview_markdown endpoint.",
"id": "GHSA-pqww-m5hf-xxfh",
"modified": "2024-04-04T04:36:15Z",
"published": "2023-06-06T18:30:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2132"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/1934711"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2023/CVE-2023-2132.json"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/407586"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PRR3-C3M5-P7Q2
Vulnerability from github – Published: 2023-11-30 19:51 – Updated: 2023-12-14 22:02Impact
@adobe/css-tools version 4.3.1 and earlier are affected by an Improper Input Validation vulnerability that could result in a denial of service while attempting to parse CSS.
Patches
The issue has been resolved in 4.3.2.
Workarounds
None
References
N/A
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@adobe/css-tools"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.3.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-48631"
],
"database_specific": {
"cwe_ids": [
"CWE-1333",
"CWE-20"
],
"github_reviewed": true,
"github_reviewed_at": "2023-11-30T19:51:29Z",
"nvd_published_at": "2023-12-14T13:15:54Z",
"severity": "MODERATE"
},
"details": "### Impact\n@adobe/css-tools version 4.3.1 and earlier are affected by an Improper Input Validation vulnerability that could result in a denial of service while attempting to parse CSS.\n\n### Patches\nThe issue has been resolved in 4.3.2.\n\n### Workarounds\nNone\n\n### References\nN/A\n",
"id": "GHSA-prr3-c3m5-p7q2",
"modified": "2023-12-14T22:02:39Z",
"published": "2023-11-30T19:51:29Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/adobe/css-tools/security/advisories/GHSA-prr3-c3m5-p7q2"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48631"
},
{
"type": "WEB",
"url": "https://github.com/adobe/css-tools/issues/211"
},
{
"type": "WEB",
"url": "https://github.com/adobe/css-tools/pull/249"
},
{
"type": "WEB",
"url": "https://github.com/adobe/css-tools/commit/472bef91bde9caab305f3f36231ad0c253581b43"
},
{
"type": "PACKAGE",
"url": "https://github.com/adobe/css-tools"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "@adobe/css-tools Improper Input Validation and Inefficient Regular Expression Complexity"
}
Mitigation
Use regular expressions that do not support backtracking, e.g. by removing nested quantifiers.
Mitigation
Set backtracking limits in the configuration of the regular expression implementation, such as PHP's pcre.backtrack_limit. Also consider limits on execution time for the process.
Mitigation
Do not use regular expressions with untrusted input. If regular expressions must be used, avoid using backtracking in the expression.
Mitigation
Limit the length of the input that the regular expression will process.
CAPEC-492: Regular Expression Exponential Blowup
An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions.