CWE-1333
AllowedInefficient Regular Expression Complexity
Abstraction: Base · Status: Draft
The product uses a regular expression with a worst-case computational complexity that is inefficient and possibly exponential.
724 vulnerabilities reference this CWE, most recent first.
GHSA-QMPF-C66X-M579
Vulnerability from github – Published: 2024-10-26 21:30 – Updated: 2024-10-26 21:30HTML2Markdown is a Javascript implementation for converting HTML to Markdown text. All available versions contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS). As of time of publication, no known patches are available.
{
"affected": [],
"aliases": [
"CVE-2020-26307"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-26T21:15:13Z",
"severity": "HIGH"
},
"details": "HTML2Markdown is a Javascript implementation for converting HTML to Markdown text. All available versions contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS). As of time of publication, no known patches are available.",
"id": "GHSA-qmpf-c66x-m579",
"modified": "2024-10-26T21:30:46Z",
"published": "2024-10-26T21:30:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26307"
},
{
"type": "WEB",
"url": "https://github.com/kates/html2markdown/issues/13"
},
{
"type": "ADVISORY",
"url": "https://securitylab.github.com/advisories/GHSL-2020-301-redos-HTML2Markdown"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Green",
"type": "CVSS_V4"
}
]
}
GHSA-QQ3J-4F4F-9583
Vulnerability from github – Published: 2025-05-19 12:30 – Updated: 2025-09-25 21:06A Regular Expression Denial of Service (ReDoS) exists in the preprocess_string() function of the transformers.testing_utils module. In versions before 4.50.0, the regex used to process code blocks in docstrings contains nested quantifiers that can trigger catastrophic backtracking when given inputs with many newline characters. An attacker who can supply such input to preprocess_string() (or code paths that call it) can force excessive CPU usage and degrade availability.
Fix: released in 4.50.0, which rewrites the regex to avoid the inefficient pattern. ([GitHub][1])
- Affected:
< 4.50.0 - Patched:
4.50.0
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "transformers"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.50.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-2099"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2025-05-19T21:53:36Z",
"nvd_published_at": "2025-05-19T12:15:19Z",
"severity": "MODERATE"
},
"details": "A Regular Expression Denial of Service (ReDoS) exists in the `preprocess_string()` function of the `transformers.testing_utils` module. In versions **before 4.50.0**, the regex used to process code blocks in docstrings contains nested quantifiers that can trigger catastrophic backtracking when given inputs with many newline characters. An attacker who can supply such input to `preprocess_string()` (or code paths that call it) can force excessive CPU usage and degrade availability.\n\n**Fix:** released in **4.50.0**, which rewrites the regex to avoid the inefficient pattern. ([GitHub][1])\n\n* **Affected:** `\u003c 4.50.0`\n* **Patched:** `4.50.0`",
"id": "GHSA-qq3j-4f4f-9583",
"modified": "2025-09-25T21:06:38Z",
"published": "2025-05-19T12:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-2099"
},
{
"type": "WEB",
"url": "https://github.com/huggingface/transformers/pull/36648"
},
{
"type": "WEB",
"url": "https://github.com/huggingface/transformers/commit/8cb522b4190bd556ce51be04942720650b1a3e57"
},
{
"type": "PACKAGE",
"url": "https://github.com/huggingface/transformers"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/transformers/PYSEC-2025-40.yaml"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/97b780f3-ffca-424f-ad5d-0e1c57a5bde4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "Hugging Face Transformers Regular Expression Denial of Service"
}
GHSA-QRPW-GJVH-X5GM
Vulnerability from github – Published: 2026-05-13 15:30 – Updated: 2026-06-09 02:01Impact
Nautobot UI object-bulk-rename endpoints (for example, /dcim/interfaces/rename/) were vulnerable to application-wide denial of service via maliciously crafted regular expressions in the find field in combination with the use_regex flag.
Patches
A general-purpose timeout has been added to these endpoints in Nautobot v2.4.33 and v3.1.2, which ensures that the request will fail early with an appropriate message if regular expression evaluation takes more than a short period of time, instead of continuing to execute for an indefinite duration.
Workarounds
No known workaround has been identified at this time.
References
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "nautobot"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0a2"
},
{
"fixed": "3.1.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "nautobot"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.4.33"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-44796"
],
"database_specific": {
"cwe_ids": [
"CWE-1333",
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-13T15:30:53Z",
"nvd_published_at": "2026-05-28T18:16:33Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nNautobot UI object-bulk-rename endpoints (for example, `/dcim/interfaces/rename/`) were vulnerable to application-wide denial of service via maliciously crafted regular expressions in the `find` field in combination with the `use_regex` flag.\n\n### Patches\n\nA general-purpose timeout has been added to these endpoints in Nautobot v2.4.33 and v3.1.2, which ensures that the request will fail early with an appropriate message if regular expression evaluation takes more than a short period of time, instead of continuing to execute for an indefinite duration.\n\n### Workarounds\n\nNo known workaround has been identified at this time.\n\n### References\n\n- 2.4.33 (\u003ca href=\"https://github.com/nautobot/nautobot/commit/c2b766966d814a7141f62c7bc90c85fefb7892ee\"\u003epatch\u003c/a\u003e)\n- 3.1.2 (\u003ca href=\"https://github.com/nautobot/nautobot/commit/5a30d0916953afbeedd24a784709e762cc3879cd\"\u003epatch\u003c/a\u003e)",
"id": "GHSA-qrpw-gjvh-x5gm",
"modified": "2026-06-09T02:01:07Z",
"published": "2026-05-13T15:30:53Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/nautobot/nautobot/security/advisories/GHSA-qrpw-gjvh-x5gm"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44796"
},
{
"type": "WEB",
"url": "https://github.com/nautobot/nautobot/commit/5a30d0916953afbeedd24a784709e762cc3879cd"
},
{
"type": "WEB",
"url": "https://github.com/nautobot/nautobot/commit/c2b766966d814a7141f62c7bc90c85fefb7892ee"
},
{
"type": "PACKAGE",
"url": "https://github.com/nautobot/nautobot"
},
{
"type": "WEB",
"url": "https://github.com/nautobot/nautobot/releases/tag/v2.4.33"
},
{
"type": "WEB",
"url": "https://github.com/nautobot/nautobot/releases/tag/v3.1.2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Nautobot: Object bulk rename UI actions vulnerable to denial of service by crafted regular expression (REDoS)"
}
GHSA-QRRR-VQV8-9HCW
Vulnerability from github – Published: 2023-09-01 12:30 – Updated: 2024-04-04 07:21An issue has been discovered in GitLab affecting all versions starting from 15.11 before 16.1.5, all versions starting from 16.2 before 16.2.5, all versions starting from 16.3 before 16.3.1. An authenticated user could trigger a denial of service when importing or cloning malicious content.
{
"affected": [],
"aliases": [
"CVE-2023-3210"
],
"database_specific": {
"cwe_ids": [
"CWE-1333",
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-09-01T11:15:42Z",
"severity": "MODERATE"
},
"details": "An issue has been discovered in GitLab affecting all versions starting from 15.11 before 16.1.5, all versions starting from 16.2 before 16.2.5, all versions starting from 16.3 before 16.3.1. An authenticated user could trigger a denial of service when importing or cloning malicious content.",
"id": "GHSA-qrrr-vqv8-9hcw",
"modified": "2024-04-04T07:21:21Z",
"published": "2023-09-01T12:30:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3210"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/2011474"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/415074"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QRW5-5H28-6CMG
Vulnerability from github – Published: 2022-10-16 12:00 – Updated: 2024-09-20 15:34In Django 3.2 before 3.2.16, 4.0 before 4.0.8, and 4.1 before 4.1.2, internationalized URLs were subject to a potential denial of service attack via the locale parameter, which is treated as a regular expression.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "Django"
},
"ranges": [
{
"events": [
{
"introduced": "3.2"
},
{
"fixed": "3.2.16"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "Django"
},
"ranges": [
{
"events": [
{
"introduced": "4.0"
},
{
"fixed": "4.0.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "Django"
},
"ranges": [
{
"events": [
{
"introduced": "4.1"
},
{
"fixed": "4.1.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-41323"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2022-10-18T17:10:24Z",
"nvd_published_at": "2022-10-16T06:15:00Z",
"severity": "HIGH"
},
"details": "In Django 3.2 before 3.2.16, 4.0 before 4.0.8, and 4.1 before 4.1.2, internationalized URLs were subject to a potential denial of service attack via the locale parameter, which is treated as a regular expression. ",
"id": "GHSA-qrw5-5h28-6cmg",
"modified": "2024-09-20T15:34:48Z",
"published": "2022-10-16T12:00:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41323"
},
{
"type": "WEB",
"url": "https://github.com/django/django/commit/23f0093125ac2e553da6c1b2f9988eb6a3dd2ea1"
},
{
"type": "WEB",
"url": "https://github.com/django/django/commit/5b6b257fa7ec37ff27965358800c67e2dd11c924"
},
{
"type": "WEB",
"url": "https://github.com/django/django/commit/9d656ea51d9ea7105c0c0785783ac29d426a7d25"
},
{
"type": "WEB",
"url": "https://docs.djangoproject.com/en/4.0/releases/security"
},
{
"type": "PACKAGE",
"url": "https://github.com/django/django"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2022-304.yaml"
},
{
"type": "WEB",
"url": "https://groups.google.com/forum/#!forum/django-announce"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FKYVMMR7RPM6AHJ2SBVM2LO6D3NGFY7B"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HWY6DQWRVBALV73BPUVBXC3QIYUM24IK"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LTZVAKU5ALQWOKFTPISE257VCVIYGFQI"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VZS4G6NSZWPTVXMMZHJOJVQEPL3QTO77"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YJB6FUBBLVKKG655UMTLQNN6UQ6EDLSP"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20221124-0001"
},
{
"type": "WEB",
"url": "https://www.djangoproject.com/weblog/2022/oct/04/security-releases"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Django denial-of-service vulnerability in internationalized URLs"
}
GHSA-QV66-F876-VJVR
Vulnerability from github – Published: 2023-01-11 15:30 – Updated: 2023-01-19 16:35A vulnerability was found in Prestaul skeemas and classified as problematic. This issue affects some unknown processing of the file validators/base.js. The manipulation of the argument uri leads to inefficient regular expression complexity. The name of the patch is 65e94eda62dc8dc148ab3e59aa2ccc086ac448fd. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-218003.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "skeemas"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.2.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2018-25074"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2023-01-11T21:52:46Z",
"nvd_published_at": "2023-01-11T15:15:00Z",
"severity": "HIGH"
},
"details": "A vulnerability was found in Prestaul skeemas and classified as problematic. This issue affects some unknown processing of the file validators/base.js. The manipulation of the argument uri leads to inefficient regular expression complexity. The name of the patch is 65e94eda62dc8dc148ab3e59aa2ccc086ac448fd. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-218003.",
"id": "GHSA-qv66-f876-vjvr",
"modified": "2023-01-19T16:35:20Z",
"published": "2023-01-11T15:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-25074"
},
{
"type": "WEB",
"url": "https://github.com/Prestaul/skeemas/commit/65e94eda62dc8dc148ab3e59aa2ccc086ac448fd"
},
{
"type": "PACKAGE",
"url": "https://github.com/Prestaul/skeemas"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.218003"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.218003"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "skeemas Inefficient Regular Expression Complexity vulnerability"
}
GHSA-QW3F-W4PF-JH5F
Vulnerability from github – Published: 2022-06-01 00:00 – Updated: 2023-08-24 20:25We failed to apply the fix for CVE-2022-30126 to the 1.x branch in the 1.28.2 release. In Apache Tika, a regular expression in the StandardsText class, used by the StandardsExtractingContentHandler could lead to a denial of service caused by backtracking on a specially crafted file. This only affects users who are running the StandardsExtractingContentHandler, which is a non-standard handler. This is fixed in 1.28.3.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.tika:tika-core"
},
"ranges": [
{
"events": [
{
"introduced": "1.17"
},
{
"fixed": "1.28.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-30973"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2022-06-03T22:18:15Z",
"nvd_published_at": "2022-05-31T14:15:00Z",
"severity": "MODERATE"
},
"details": "We failed to apply the fix for CVE-2022-30126 to the 1.x branch in the 1.28.2 release. In Apache Tika, a regular expression in the StandardsText class, used by the StandardsExtractingContentHandler could lead to a denial of service caused by backtracking on a specially crafted file. This only affects users who are running the StandardsExtractingContentHandler, which is a non-standard handler. This is fixed in 1.28.3.",
"id": "GHSA-qw3f-w4pf-jh5f",
"modified": "2023-08-24T20:25:40Z",
"published": "2022-06-01T00:00:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30973"
},
{
"type": "WEB",
"url": "https://github.com/apache/tika/commit/a36711610fa1f6f5ba0f594803415af795e0b265"
},
{
"type": "WEB",
"url": "https://github.com/apache/tika/commit/e76302196ebcafb7b51fce37fbe8256e6c0fbc51"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-rpjm-422r-95mh"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/tika"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/gqvb5t4p7tmdpl0y5bdbf72pgxj04h7p"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20220722-0004"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2022/05/31/2"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2022/06/27/5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Regular expression denial of service in apache tika"
}
GHSA-QWMP-2CF2-G9G6
Vulnerability from github – Published: 2022-12-23 00:30 – Updated: 2024-11-19 19:04Python Packaging Authority (PyPA) Wheel is a reference implementation of the Python wheel packaging standard. Wheel 0.37.1 and earlier are vulnerable to a Regular Expression denial of service via attacker controlled input to the wheel cli. The vulnerable regex is used to verify the validity of Wheel file names. This has been patched in version 0.38.1.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "wheel"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.38.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-40898"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2022-12-26T19:42:25Z",
"nvd_published_at": "2022-12-23T00:15:00Z",
"severity": "HIGH"
},
"details": "Python Packaging Authority (PyPA) Wheel is a reference implementation of the Python wheel packaging standard. Wheel 0.37.1 and earlier are vulnerable to a Regular Expression denial of service via attacker controlled input to the wheel cli. The vulnerable regex is used to verify the validity of Wheel file names. This has been patched in version 0.38.1.",
"id": "GHSA-qwmp-2cf2-g9g6",
"modified": "2024-11-19T19:04:07Z",
"published": "2022-12-23T00:30:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40898"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/wheel/PYSEC-2022-43017.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/pypa/wheel"
},
{
"type": "WEB",
"url": "https://github.com/pypa/wheel/blob/main/src/wheel/wheelfile.py#L18"
},
{
"type": "WEB",
"url": "https://pypi.org/project/wheel"
},
{
"type": "WEB",
"url": "https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages"
},
{
"type": "WEB",
"url": "https://pyup.io/vulnerabilities/CVE-2022-40898/51499"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "pypa/wheel vulnerable to Regular Expression denial of service (ReDoS)"
}
GHSA-QWQH-HM9M-P5HR
Vulnerability from github – Published: 2023-03-30 06:30 – Updated: 2025-11-03 22:30All versions of the package angular are vulnerable to Regular Expression Denial of Service (ReDoS) via the element due to the usage of an insecure regular expression in the input[url] functionality. Exploiting this vulnerability is possible by a large carefully-crafted input, which can result in catastrophic backtracking.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "angular"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.8.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-26118"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2023-04-03T13:07:41Z",
"nvd_published_at": "2023-03-30T05:15:00Z",
"severity": "MODERATE"
},
"details": "All versions of the package angular are vulnerable to Regular Expression Denial of Service (ReDoS) via the \u003cinput type=\"url\"\u003e element due to the usage of an insecure regular expression in the input[url] functionality. Exploiting this vulnerability is possible by a large carefully-crafted input, which can result in catastrophic backtracking.",
"id": "GHSA-qwqh-hm9m-p5hr",
"modified": "2025-11-03T22:30:13Z",
"published": "2023-03-30T06:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26118"
},
{
"type": "PACKAGE",
"url": "https://github.com/angular/angular.js"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/07/msg00005.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OQWJLE5WE33WNMA54XSJIDXBRK2KL3XJ"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UDKFLKJ6VZKL52AFVW2OVZRMJWHMW55K"
},
{
"type": "WEB",
"url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-5406326"
},
{
"type": "WEB",
"url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBANGULAR-5406328"
},
{
"type": "WEB",
"url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-5406327"
},
{
"type": "WEB",
"url": "https://security.snyk.io/vuln/SNYK-JS-ANGULAR-3373046"
},
{
"type": "WEB",
"url": "https://stackblitz.com/edit/angularjs-vulnerability-inpur-url-validation-redos"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "angular vulnerable to regular expression denial of service via the \u003cinput type=\"url\"\u003e element"
}
GHSA-QXMR-QXH6-2CC9
Vulnerability from github – Published: 2021-12-07 22:01 – Updated: 2021-12-08 19:29Impact
Denial of service vulnerability that could be exploited during a guest checkout. The regular expression used to validate a guest order's email was subject to exponential backtracking through a fragment like a.a..
Before the patch, it can be reproduced in the console like this:
irb(main)> Spree::EmailValidator::EMAIL_REGEXP.match "a@a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.@"
processing time: 54.293660s
=> nil
To reproduce in the browser, fill in the "Customer Email" field with that fake email address during a guest checkout. Before that, you should open the browser dev tools and change the type attribute for that field from email to text. After entering a fake address and pressing the "Save & Continue" button, the browser will take a long term to perform the request before showing an error message for the invalid address. Eventually, making the email string even longer could lead to the exhaustion of server resources.
Patches
Versions 3.1.4, 3.0.4, and 2.11.13 have been patched to use a different regular expression.
There's an improbable chance that some orders in your system end up having associated an email address that is no longer valid. We've added a task to check precisely that:
bin/rails solidus:check_orders_with_invalid_email
The above will print information for every affected order if any.
Workarounds
If a prompt upgrade is not an option, please, add the following to config/application.rb:
config.after_initialize do
Spree::EmailValidator.send(:remove_const, :EMAIL_REGEXP)
Spree::EmailValidator::EMAIL_REGEXP = URI::MailTo::EMAIL_REGEXP
end
References
- https://en.wikipedia.org/wiki/ReDoS
- https://snyk.io/blog/redos-and-catastrophic-backtracking/
For more information
If you have any questions or comments about this advisory: * Open an issue or a discussion in Solidus. * Email us at security@solidus.io * Contact the core team on Slack
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "solidus_core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.11.13"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "solidus_core"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0"
},
{
"fixed": "3.0.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "solidus_core"
},
"ranges": [
{
"events": [
{
"introduced": "3.1.0"
},
{
"fixed": "3.1.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-43805"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2021-12-07T20:58:37Z",
"nvd_published_at": "2021-12-07T18:15:00Z",
"severity": "HIGH"
},
"details": "### Impact\nDenial of service vulnerability that could be exploited during a guest checkout. The regular expression used to validate a guest order\u0027s email was subject to exponential backtracking through a fragment like `a.a.`.\n\nBefore the patch, it can be reproduced in the console like this:\n\n```ruby\nirb(main)\u003e Spree::EmailValidator::EMAIL_REGEXP.match \"a@a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.@\"\nprocessing time: 54.293660s\n=\u003e nil\n```\n\nTo reproduce in the browser, fill in the \"Customer Email\" field with that fake email address during a guest checkout. Before that, you should open the browser dev tools and change the `type` attribute for that field from `email` to `text`. After entering a fake address and pressing the \"Save \u0026 Continue\" button, the browser will take a long term to perform the request before showing an error message for the invalid address. Eventually, making the email string even longer could lead to the exhaustion of server resources.\n\n\n### Patches\nVersions 3.1.4, 3.0.4, and 2.11.13 have been patched to use a different regular expression.\n\nThere\u0027s an improbable chance that some orders in your system end up having associated an email address that is no longer valid. We\u0027ve added a task to check precisely that:\n\n```bash\nbin/rails solidus:check_orders_with_invalid_email\n```\n\nThe above will print information for every affected order if any.\n\n### Workarounds\n\nIf a prompt upgrade is not an option, please, add the following to `config/application.rb`:\n\n```ruby\nconfig.after_initialize do\n Spree::EmailValidator.send(:remove_const, :EMAIL_REGEXP)\n Spree::EmailValidator::EMAIL_REGEXP = URI::MailTo::EMAIL_REGEXP\nend\n```\n\n### References\n\n- https://en.wikipedia.org/wiki/ReDoS\n- https://snyk.io/blog/redos-and-catastrophic-backtracking/\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an [issue](https://github.com/solidusio/solidus/issues) or a [discussion](https://github.com/solidusio/solidus/discussions) in Solidus.\n* Email us at [security@solidus.io](mailto:security@soliidus.io)\n* Contact the core team on [Slack](http://slack.solidus.io/)\n",
"id": "GHSA-qxmr-qxh6-2cc9",
"modified": "2021-12-08T19:29:13Z",
"published": "2021-12-07T22:01:47Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/solidusio/solidus/security/advisories/GHSA-qxmr-qxh6-2cc9"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43805"
},
{
"type": "WEB",
"url": "https://github.com/solidusio/solidus/commit/6be174c955fad84017ca67589c676526bc5ade71"
},
{
"type": "WEB",
"url": "https://github.com/solidusio/solidus/commit/9867153e01e3c3b898cdbcedd7b43375ea922401"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/solidus_core/CVE-2021-43805.yml"
},
{
"type": "PACKAGE",
"url": "https://github.com/solidusio/solidus"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "ReDos vulnerability on guest checkout email validation"
}
Mitigation
Use regular expressions that do not support backtracking, e.g. by removing nested quantifiers.
Mitigation
Set backtracking limits in the configuration of the regular expression implementation, such as PHP's pcre.backtrack_limit. Also consider limits on execution time for the process.
Mitigation
Do not use regular expressions with untrusted input. If regular expressions must be used, avoid using backtracking in the expression.
Mitigation
Limit the length of the input that the regular expression will process.
CAPEC-492: Regular Expression Exponential Blowup
An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions.