Common Weakness Enumeration

CWE-1333

Allowed

Inefficient Regular Expression Complexity

Abstraction: Base · Status: Draft

The product uses a regular expression with a worst-case computational complexity that is inefficient and possibly exponential.

724 vulnerabilities reference this CWE, most recent first.

GHSA-WRXC-QW43-C96X

Vulnerability from github – Published: 2025-03-31 15:30 – Updated: 2025-03-31 15:30
VLAI
Details

Running DDoS on tcp port 22 will trigger a kernel crash. This issue is introduced by the backport of a commit regarding nft_lookup without the subsequent fixes that were introduced after this commit. The resolution of this CVE introduces those commits to the linux-bluefield package.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-0881"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333",
      "CWE-20"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-31T14:15:18Z",
    "severity": "HIGH"
  },
  "details": "Running DDoS on tcp port 22 will trigger a kernel crash. This issue is introduced by the backport of a commit regarding nft_lookup without the subsequent fixes that were introduced after this commit. The resolution of this CVE introduces those commits to the linux-bluefield package.",
  "id": "GHSA-wrxc-qw43-c96x",
  "modified": "2025-03-31T15:30:48Z",
  "published": "2025-03-31T15:30:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0881"
    },
    {
      "type": "WEB",
      "url": "https://bugs.launchpad.net/ubuntu/+source/linux-bluefield/+bug/2006397"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WWHV-WXV9-RPGW

Vulnerability from github – Published: 2024-10-15 23:35 – Updated: 2024-12-02 19:53
VLAI
Summary
Possible ReDoS vulnerability in plain_text_for_blockquote_node in Action Text
Details

There is a possible ReDoS vulnerability in the plain_text_for_blockquote_node helper in Action Text. This vulnerability has been assigned the CVE identifier CVE-2024-47888.

Impact

Carefully crafted text can cause the plain_text_for_blockquote_node helper to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade or apply the relevant patch immediately.

Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends on Ruby 3.2 or greater so is unaffected.

Releases

The fixed releases are available at the normal locations.

Workarounds

Users can avoid calling plain_text_for_blockquote_node or upgrade to Ruby 3.2

Credits

Thanks to ooooooo_q for the report!

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "actiontext"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.0.0"
            },
            {
              "fixed": "6.1.7.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "actiontext"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.0.0"
            },
            {
              "fixed": "7.0.8.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "actiontext"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.1.0"
            },
            {
              "fixed": "7.1.4.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "actiontext"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.2.0"
            },
            {
              "fixed": "7.2.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-47888"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-10-15T23:35:36Z",
    "nvd_published_at": "2024-10-16T21:15:13Z",
    "severity": "MODERATE"
  },
  "details": "There is a possible ReDoS vulnerability in the plain_text_for_blockquote_node helper in Action Text. This vulnerability has been assigned the CVE identifier CVE-2024-47888.\n\nImpact\n------\n\nCarefully crafted text can cause the plain_text_for_blockquote_node helper to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade or apply the relevant patch immediately.\n\nRuby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends on Ruby 3.2 or greater so is unaffected.\n\n\nReleases\n--------\nThe fixed releases are available at the normal locations.\n\nWorkarounds\n-----------\nUsers can avoid calling `plain_text_for_blockquote_node` or upgrade to Ruby 3.2\n\nCredits\n-------\n\nThanks to [ooooooo_q](https://hackerone.com/ooooooo_q) for the report!",
  "id": "GHSA-wwhv-wxv9-rpgw",
  "modified": "2024-12-02T19:53:42Z",
  "published": "2024-10-15T23:35:36Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/rails/rails/security/advisories/GHSA-wwhv-wxv9-rpgw"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/rails/rails"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actiontext/CVE-2024-47888.yml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Possible ReDoS vulnerability in plain_text_for_blockquote_node in Action Text"
}

GHSA-WWR9-4GMR-XVQ9

Vulnerability from github – Published: 2025-03-20 12:32 – Updated: 2025-03-20 19:44
VLAI
Summary
H2O Vulnerable to Denial of Service (DoS) via `/3/Parse` Endpoint
Details

A vulnerability in the /3/Parse endpoint of h2oai/h2o-3 version 3.46.0.1 allows for a denial of service (DoS) attack. The endpoint uses a user-specified string to construct a regular expression, which is then applied to another user-specified string. By sending multiple simultaneous requests, an attacker can exhaust all available threads, leading to a complete denial of service.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "h2o"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.30.0.7"
            },
            {
              "last_affected": "3.46.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "ai.h2o:h2o-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.30.0.7"
            },
            {
              "last_affected": "3.46.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-10549"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333",
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-03-20T19:44:43Z",
    "nvd_published_at": "2025-03-20T10:15:17Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability in the `/3/Parse` endpoint of h2oai/h2o-3 version 3.46.0.1 allows for a denial of service (DoS) attack. The endpoint uses a user-specified string to construct a regular expression, which is then applied to another user-specified string. By sending multiple simultaneous requests, an attacker can exhaust all available threads, leading to a complete denial of service.",
  "id": "GHSA-wwr9-4gmr-xvq9",
  "modified": "2025-03-20T19:44:43Z",
  "published": "2025-03-20T12:32:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-10549"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/h2oai/h2o-3"
    },
    {
      "type": "WEB",
      "url": "https://github.com/h2oai/h2o-3/blob/51c25940ded8b7d0acc8f3f72329fd9dedbb3a34/h2o-core/src/main/java/water/api/ParseHandler.java#L80"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/ce7bd2d6-fd38-440d-a91a-dd8f3fc06bc2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "H2O Vulnerable to Denial of Service (DoS) via `/3/Parse` Endpoint"
}

GHSA-WX3G-P9W5-PP6M

Vulnerability from github – Published: 2024-06-13 00:31 – Updated: 2024-06-13 00:31
VLAI
Details

An issue has been discovered in GitLab CE/EE affecting all versions starting from 8.4 prior to 16.10.7, starting from 16.11 prior to 16.11.4, and starting from 17.0 prior to 17.0.2. A vulnerability in GitLab's Asana integration allowed an attacker to potentially cause a regular expression denial of service by sending specially crafted requests.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-1963"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333",
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-12T23:15:49Z",
    "severity": "MODERATE"
  },
  "details": "An issue has been discovered in GitLab CE/EE affecting all versions starting from 8.4 prior to 16.10.7, starting from 16.11 prior to 16.11.4, and starting from 17.0 prior to 17.0.2. A vulnerability in GitLab\u0027s Asana integration allowed an attacker to potentially cause a regular expression denial of service by sending specially crafted requests.",
  "id": "GHSA-wx3g-p9w5-pp6m",
  "modified": "2024-06-13T00:31:23Z",
  "published": "2024-06-13T00:31:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1963"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/2376482"
    },
    {
      "type": "WEB",
      "url": "https://about.gitlab.com/releases/2024/06/12/patch-release-gitlab-17-0-2-released/#redos-in-asana-integration-issue-mapping-when-webhook-is-called"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/443577"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WXGH-8GMR-3QH3

Vulnerability from github – Published: 2023-01-07 18:30 – Updated: 2023-01-12 23:43
VLAI
Summary
terminal-kit Inefficient Regular Expression Complexity vulnerability
Details

A vulnerability classified as problematic has been found in cronvel terminal-kit up to 2.1.7. Affected is an unknown function. The manipulation leads to inefficient regular expression complexity. Upgrading to version 2.1.8 can address this issue. The name of the patch is a2e446cc3927b559d0281683feb9b821e83b758c. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-217620.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "terminal-kit"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.1.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-4306"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-01-12T23:43:03Z",
    "nvd_published_at": "2023-01-07T17:15:00Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability classified as problematic has been found in cronvel terminal-kit up to 2.1.7. Affected is an unknown function. The manipulation leads to inefficient regular expression complexity. Upgrading to version 2.1.8 can address this issue. The name of the patch is a2e446cc3927b559d0281683feb9b821e83b758c. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-217620.",
  "id": "GHSA-wxgh-8gmr-3qh3",
  "modified": "2023-01-12T23:43:03Z",
  "published": "2023-01-07T18:30:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4306"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cronvel/terminal-kit/commit/a2e446cc3927b559d0281683feb9b821e83b758c"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/cronvel/terminal-kit"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cronvel/terminal-kit/releases/tag/v2.1.8"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.217620"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.217620"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "terminal-kit Inefficient Regular Expression Complexity vulnerability"
}

GHSA-WXHQ-PM8V-CW75

Vulnerability from github – Published: 2019-06-05 20:50 – Updated: 2020-08-31 18:35
VLAI
Summary
Regular Expression Denial of Service in clean-css
Details

Version of clean-css prior to 4.1.11 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions. This can cause the application to be unresponsive leading to Denial of Service.

Recommendation

Upgrade to version 4.1.11 or higher.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "clean-css"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.1.11"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2019-06-05T20:49:47Z",
    "nvd_published_at": null,
    "severity": "LOW"
  },
  "details": "Version of `clean-css` prior to 4.1.11 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions. This can cause the application to be unresponsive leading to Denial of Service.\n\n\n## Recommendation\n\nUpgrade to version 4.1.11 or higher.",
  "id": "GHSA-wxhq-pm8v-cw75",
  "modified": "2020-08-31T18:35:40Z",
  "published": "2019-06-05T20:50:16Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/jakubpawlowicz/clean-css/commit/2929bafbf8cdf7dccb24e0949c70833764fa87e3"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/advisories/785"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Regular Expression Denial of Service in clean-css"
}

GHSA-X2V6-6Q9M-6QX9

Vulnerability from github – Published: 2023-09-29 09:30 – Updated: 2024-04-04 07:58
VLAI
Details

An input validation issue in the asset proxy in GitLab EE, affecting all versions from 12.3 prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.1, allowed an authenticated attacker to craft image urls which bypass the asset proxy.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-3906"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1287",
      "CWE-1333",
      "CWE-20"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-09-29T07:15:13Z",
    "severity": "LOW"
  },
  "details": "An input validation issue in the asset proxy in GitLab EE, affecting all versions from 12.3 prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.1, allowed an authenticated attacker to craft image urls which bypass the asset proxy.",
  "id": "GHSA-x2v6-6q9m-6qx9",
  "modified": "2024-04-04T07:58:08Z",
  "published": "2023-09-29T09:30:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3906"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/2071411"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/419213"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X38Q-XG2H-RXGX

Vulnerability from github – Published: 2021-09-23 23:14 – Updated: 2024-09-27 21:45
VLAI
Summary
Regular Expression Denial of Service in Leo Editor
Details

Leo Editor v6.2.1 was discovered to contain a regular expression denial of service (ReDoS) vulnerability in the component plugins/importers/dart.py.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 6.2.1"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "leo"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-23478"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333",
      "CWE-697"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-09-23T16:37:27Z",
    "nvd_published_at": "2021-09-22T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "Leo Editor v6.2.1 was discovered to contain a regular expression denial of service (ReDoS) vulnerability in the component plugins/importers/dart.py.",
  "id": "GHSA-x38q-xg2h-rxgx",
  "modified": "2024-09-27T21:45:23Z",
  "published": "2021-09-23T23:14:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-23478"
    },
    {
      "type": "WEB",
      "url": "https://github.com/leo-editor/leo-editor/issues/1597"
    },
    {
      "type": "WEB",
      "url": "https://github.com/leo-editor/leo-editor/commit/029833689060ee73f1bc1708cf4b182f0c66ec8e"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-x38q-xg2h-rxgx"
    },
    {
      "type": "WEB",
      "url": "https://github.com/leo-editor/leo-editor"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/leo/PYSEC-2021-338.yaml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Regular Expression Denial of Service in Leo Editor"
}

GHSA-X3V3-8XG8-8V72

Vulnerability from github – Published: 2023-12-18 20:00 – Updated: 2023-12-28 22:03
VLAI
Summary
Sentry's Astro SDK vulnerable to ReDoS
Details

Impact

A ReDoS (Regular expression Denial of Service) vulnerability has been identified in Sentry's Astro SDK 7.78.0-7.86.0. Under certain conditions, this vulnerability allows an attacker to cause excessive computation times on the server, leading to denial of service (DoS).

Applications that are using Sentry's Astro SDK are affected if:

  1. They're using Sentry instrumentation:
  2. they have manually registered Sentry Middleware (affected versions 7.78.0-7.86.0);
  3. or configured Astro in SSR (server) or hybrid mode, use Astro 3.5.0 and newer and didn’t disable the automatic server instrumentation (affected versions 7.82.0-7.86.0).
  4. They have configured routes with at least two path params (e.g. /foo/[p1]/bar/[p2]).

Patches

The problem has been patched in @sentry/astro@7.87.0. The corresponding PR: https://github.com/getsentry/sentry-javascript/pull/9815

Workarounds

We strongly recommend upgrading to the latest SDK version. However, if it's not possible, the steps to mitigate the vulnerability without upgrade are: * disable auto instrumentation if you're using Astro 3.5.0 or newer * and remove the manually added Sentry middleware (if it was added before).

After these changes, Sentry error reporting will still be functional, but some details such as server-side transactions (and consequently, distributed traces between client and server) will be omitted. We therefore still recommend to update to 7.87.0 as soon as you can.

References

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@sentry/astro"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.78.0"
            },
            {
              "fixed": "7.87.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-50249"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333",
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-12-18T20:00:55Z",
    "nvd_published_at": "2023-12-20T14:15:21Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nA ReDoS (Regular expression Denial of Service) vulnerability has been identified in Sentry\u0027s Astro SDK 7.78.0-7.86.0. Under certain conditions, this vulnerability allows an attacker to cause excessive computation times on the server, leading to denial of service (DoS).\n\nApplications that are using Sentry\u0027s Astro SDK are affected if:\n\n1. They\u0027re using Sentry instrumentation:\n   - they have [manually registered](https://docs.sentry.io/platforms/javascript/guides/astro/manual-setup/#manually-add-server-instrumentation) Sentry Middleware (affected versions 7.78.0-7.86.0);\n   - or [configured](https://docs.sentry.io/platforms/javascript/guides/astro/manual-setup/#configure-server-instrumentation) Astro in SSR (server) or hybrid mode, use Astro 3.5.0 and newer and didn\u2019t [disable the automatic server instrumentation](https://docs.sentry.io/platforms/javascript/guides/astro/manual-setup/#disable-auto-server-instrumentation) (affected versions 7.82.0-7.86.0).\n2. They have configured routes with at least two path params (e.g. `/foo/[p1]/bar/[p2]`).\n\n### Patches\nThe problem has been patched in [@sentry/astro@7.87.0](https://www.npmjs.com/package/@sentry/astro/v/7.87.0).\nThe corresponding PR: https://github.com/getsentry/sentry-javascript/pull/9815\n\n### Workarounds\nWe strongly recommend upgrading to the latest SDK version. However, if it\u0027s not possible, the steps to mitigate the vulnerability without upgrade are:\n* [disable auto instrumentation](https://docs.sentry.io/platforms/javascript/guides/astro/manual-setup/#disable-auto-server-instrumentation) if you\u0027re using Astro 3.5.0 or newer\n* and remove the manually added Sentry middleware (if it was [added](https://docs.sentry.io/platforms/javascript/guides/astro/manual-setup/#manually-add-server-instrumentation) before).\n\nAfter these changes, Sentry error reporting will still be functional, but some details such as server-side transactions (and consequently, distributed traces between client and server) will be omitted. We therefore still recommend to update to 7.87.0 as soon as you can. \n\n### References\n* [Sentry docs: Manual Setup for Astro](https://docs.sentry.io/platforms/javascript/guides/astro/manual-setup/)\n* [Release notes: sentry-javascript 7.87.0](https://github.com/getsentry/sentry-javascript/releases/tag/7.87.0)\n* [npm: @sentry/astro@7.87.0](https://www.npmjs.com/package/@sentry/astro/v/7.87.0)",
  "id": "GHSA-x3v3-8xg8-8v72",
  "modified": "2023-12-28T22:03:19Z",
  "published": "2023-12-18T20:00:55Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/getsentry/sentry-javascript/security/advisories/GHSA-x3v3-8xg8-8v72"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50249"
    },
    {
      "type": "WEB",
      "url": "https://github.com/getsentry/sentry-javascript/pull/9815"
    },
    {
      "type": "WEB",
      "url": "https://github.com/getsentry/sentry-javascript/commit/fe24eb5eefa9d27b14b2b6f9ebd1debca1c208fb"
    },
    {
      "type": "WEB",
      "url": "https://docs.sentry.io/platforms/javascript/guides/astro/manual-setup/#disable-auto-server-instrumentation"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/getsentry/sentry-javascript"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/package/@sentry/astro/v/7.87.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Sentry\u0027s Astro SDK vulnerable to ReDoS"
}

GHSA-X4C5-C7RF-JJGV

Vulnerability from github – Published: 2025-02-14 17:56 – Updated: 2026-02-17 16:11
VLAI
Summary
@octokit/endpoint has a Regular Expression in parse that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking
Details

Summary

By crafting specific options parameters, the endpoint.parse(options) call can be triggered, leading to a regular expression denial-of-service (ReDoS) attack. This causes the program to hang and results in high CPU utilization.

Details

The issue occurs in the parse function within the parse.ts file of the npm package @octokit/endpoint. The specific code is located at the following link: https://github.com/octokit/endpoint.js/blob/main/src/parse.ts, at line 62:

headers.accept.match(/[\w-]+(?=-preview)/g) || ([] as string[]);

The regular expression /[\w-]+(?=-preview)/g encounters a backtracking issue when it processes a large number of characters followed by the - symbol. e.g., the attack string:

"" + "A".repeat(100000) + "-"

PoC

The gist Here is the reproduction process for the vulnerability: 1. run npm i @octokit/endpoint 2. Move poc.js to the root directory of the same level as README.md 3. run node poc.js result: 4. then the program will be stuck forever with high CPU usage

import { endpoint } from "@octokit/endpoint";
// import { parse } from "./node_modules/@octokit/endpoint/dist-src/parse.js";
const options = {  
  method: "POST",
  url: "/graphql", // Ensure that the URL ends with "/graphql"
  headers: {
    accept: "" + "A".repeat(100000) + "-", // Pass in the attack string
    "content-type": "text/plain",
  },
  mediaType: {
    previews: ["test-preview"], // Ensure that mediaType.previews exists and has values
    format: "raw", // Optional media format
  },
  baseUrl: "https://api.github.com",
};

const startTime = performance.now();
endpoint.parse(options);
const endTime = performance.now();
const duration = endTime - startTime;
console.log(`Endpoint execution time: ${duration} ms`);
  1. Import the endpoint module: First, import the endpoint module from the npm package @octokit/endpoint, which is used for handling GitHub API requests.

  2. Construct the options object that triggers a ReDoS attack: The following member variables are critical in constructing the options object:

  3. url: Set to "/graphql", ensuring the URL ends with /graphql to match the format for GitHub's GraphQL API.
  4. headers:

    accept: A long attack string is crafted with "A".repeat(100000) + "-", which will be passed to the regular expression and cause a backtracking attack (ReDoS).

  5. mediaType:

    previews: Set to ["test-preview"], ensuring mediaType.previews exists and has values.

    format: Set to "raw", indicating raw data format.

  6. Call the endpoint.parse(options) function and record the time: Call the endpoint.parse(options) function and use performance.now() to record the start and end times, measuring the execution duration.

  7. Calculate the time difference and output it: Compute the difference between the start and end times and output it using console.log. When the attack string length reaches 100000, the response time typically exceeds 10000 milliseconds, satisfying the characteristic condition for a ReDoS attack, where response times dramatically increase. 2

Impact

What kind of vulnerability is it?

This is a Regular Expression Denial of Service (ReDoS) vulnerability. It arises from inefficient regular expressions that can cause excessive backtracking when processing certain inputs. Specifically, the regular expression /[\w-]+(?=-preview)/g is vulnerable because it attempts to match long strings of characters followed by a hyphen (-), which leads to inefficient backtracking when provided with specially crafted attack strings. This backtracking results in high CPU utilization, causing the application to become unresponsive and denying service to legitimate users.

Who is impacted?

This vulnerability impacts any application that uses the affected regular expression in conjunction with user-controlled inputs, particularly where large or maliciously crafted strings can trigger excessive backtracking. In addition to directly affecting applications using the @octokit/endpoint package, the impact is more widespread because @octokit/endpoint is a library used to wrap REST APIs, including GitHub's API. This means that any system or service built on top of this library that interacts with GitHub or other REST APIs could be vulnerable. Given the extensive use of this package in API communication, the potential for exploitation is broad and serious. The vulnerability could affect a wide range of applications, from small integrations to large enterprise-level systems, especially those relying on the package to handle API requests. Attackers can exploit this vulnerability to cause performance degradation, downtime, and service disruption, making it a critical issue for anyone using the affected version of @octokit/endpoint.

Solution

To resolve the ReDoS vulnerability, the regular expression should be updated to avoid excessive backtracking. By modifying the regular expression to (?<![\w-])[\w-]+(?=-preview), we prevent the issue. Here is how this change solves the problem:

  1. Old Regular Expression: /[\w-]+(?=-preview)/g
  2. This regular expression matches any sequence of word characters (\w) and hyphens (-) followed by -preview.
  3. The issue arises when the regex engine encounters a long string of characters followed by a -, causing excessive backtracking and high CPU usage.
  4. New Regular Expression: (?<![\w-])[\w-]+(?=-preview)
  5. This updated regular expression uses a negative lookbehind (?<![\w-]), ensuring that the matched string is not preceded by any word characters or hyphens (\w or -).
  6. The new expression still matches sequences of word characters and hyphens, but the negative lookbehind ensures it doesn't cause backtracking issues when processing long attack strings.
  7. By adding this lookbehind, we effectively prevent the vulnerability, ensuring the regex operates efficiently without excessive backtracking.

Full Solution Example:

The specific code is located at the following link: https://github.com/octokit/endpoint.js/blob/main/src/parse.ts, at line 62: 1. Update the Regular Expression: In the parse.ts file (or wherever the original regex is defined), replace the existing regular expression:

const previewsFromAcceptHeader =
          headers.accept.match(/[\w-]+(?=-preview)/g) || ([] as string[]);

With the updated one:

const previewsFromAcceptHeader =
          headers.accept.match(/(?<![\w-])[\w-]+(?=-preview)/g) || ([] as string[]);
  1. Test the Change: After updating the regular expression, thoroughly test the application with both regular and malicious inputs to ensure that:
  2. The functionality remains correct and the expected matches still occur.
  3. The performance improves and the ReDoS vulnerability no longer occurs when handling large attack strings.
  4. Deploy the Fix: Once the solution is verified, deploy the fix to your production environment to protect against potential attacks.
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@octokit/endpoint"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "9.0.5"
            },
            {
              "fixed": "9.0.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@octokit/endpoint"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "10.0.0"
            },
            {
              "fixed": "10.1.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-25285"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-02-14T17:56:18Z",
    "nvd_published_at": "2025-02-14T20:15:34Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nBy crafting specific `options` parameters, the `endpoint.parse(options)` call can be triggered, leading to a regular expression denial-of-service (ReDoS) attack. This causes the program to hang and results in high CPU utilization.\n\n### Details\nThe issue occurs in the `parse` function within the `parse.ts` file of the npm package `@octokit/endpoint`. The specific code is located at the following link: https://github.com/octokit/endpoint.js/blob/main/src/parse.ts, at line 62:\n```ts\nheaders.accept.match(/[\\w-]+(?=-preview)/g) || ([] as string[]);\n```\nThe regular expression `/[\\w-]+(?=-preview)/g` encounters a backtracking issue when it processes `a large number of characters` followed by the `-` symbol.\ne.g., the attack string: \n```js\n\"\" + \"A\".repeat(100000) + \"-\"\n```\n\n### PoC\n[The gist](https://gist.github.com/ShiyuBanzhou/a17202ac1ad403a80ca302466d5e56c4)\nHere is the reproduction process for the vulnerability:\n1. run `npm i @octokit/endpoint`\n2. Move `poc.js` to the root directory of the same level as `README.md`\n3. run `node poc.js`\nresult:\n4. then the program will be stuck forever with high CPU usage\n```js\nimport { endpoint } from \"@octokit/endpoint\";\n// import { parse } from \"./node_modules/@octokit/endpoint/dist-src/parse.js\";\nconst options = {  \n  method: \"POST\",\n  url: \"/graphql\", // Ensure that the URL ends with \"/graphql\"\n  headers: {\n    accept: \"\" + \"A\".repeat(100000) + \"-\", // Pass in the attack string\n    \"content-type\": \"text/plain\",\n  },\n  mediaType: {\n    previews: [\"test-preview\"], // Ensure that mediaType.previews exists and has values\n    format: \"raw\", // Optional media format\n  },\n  baseUrl: \"https://api.github.com\",\n};\n\nconst startTime = performance.now();\nendpoint.parse(options);\nconst endTime = performance.now();\nconst duration = endTime - startTime;\nconsole.log(`Endpoint execution time: ${duration} ms`);\n```\n1. **Import the `endpoint` module**: First, import the `endpoint` module from the npm package `@octokit/endpoint`, which is used for handling GitHub API requests.\n\n2. **Construct the `options` object that triggers a ReDoS attack**: The following member variables are critical in constructing the `options` object:\n- `url`: Set to `\"/graphql\"`, ensuring the URL ends with `/graphql` to match the format for GitHub\u0027s GraphQL API.\n- `headers`:\n\u003e `accept`: A long attack string is crafted with `\"A\".repeat(100000) + \"-\"`, which will be passed to the regular expression and cause a backtracking attack (ReDoS).\n\u003e \n- `mediaType`:\n\u003e`previews`: Set to `[\"test-preview\"]`, ensuring `mediaType.previews` exists and has values.\n\u003e\n\u003e`format`: Set to `\"raw\"`, indicating raw data format.\n\n3. **Call the `endpoint.parse(options)` function and record the time**: Call the `endpoint.parse(options)` function and use `performance.now()` to record the start and end times, measuring the execution duration.\n\n4. **Calculate the time difference and output it**: Compute the difference between the start and end times and output it using `console.log`. When the attack string length reaches 100000, the response time typically exceeds 10000 milliseconds, satisfying the characteristic condition for a ReDoS attack, where response times dramatically increase.\n\u003cimg width=\"800\" alt=\"2\" src=\"https://github.com/user-attachments/assets/9fc865a4-e150-42d5-bcd5-93ab6b0c29ef\" /\u003e\n\n### Impact\n#### What kind of vulnerability is it?\nThis is a **Regular Expression Denial of Service (ReDoS)** vulnerability. It arises from inefficient regular expressions that can cause excessive backtracking when processing certain inputs. Specifically, the regular expression `/[\\w-]+(?=-preview)/g` is vulnerable because it attempts to match long strings of characters followed by a hyphen (`-`), which leads to inefficient backtracking when provided with specially crafted attack strings. This backtracking results in high CPU utilization, causing the application to become unresponsive and denying service to legitimate users.\n#### Who is impacted?\nThis vulnerability impacts any application that uses the affected regular expression in conjunction with user-controlled inputs, particularly where large or maliciously crafted strings can trigger excessive backtracking.\nIn addition to directly affecting applications using the `@octokit/endpoint` package, the impact is more widespread because `@octokit/endpoint` is a library used to wrap REST APIs, including GitHub\u0027s API. This means that any system or service built on top of this library that interacts with GitHub or other REST APIs could be vulnerable. Given the extensive use of this package in API communication, the potential for exploitation is broad and serious. The vulnerability could affect a wide range of applications, from small integrations to large enterprise-level systems, especially those relying on the package to handle API requests.\nAttackers can exploit this vulnerability to cause performance degradation, downtime, and service disruption, making it a critical issue for anyone using the affected version of `@octokit/endpoint`.\n\n### Solution\nTo resolve the ReDoS vulnerability, the regular expression should be updated to avoid excessive backtracking. By modifying the regular expression to `(?\u003c![\\w-])[\\w-]+(?=-preview)`, we prevent the issue.\nHere is how this change solves the problem:\n\n1. **Old Regular Expression**: `/[\\w-]+(?=-preview)/g`\n- This regular expression matches any sequence of word characters (`\\w`) and hyphens (`-`) followed by `-preview`.\n- The issue arises when the regex engine encounters a long string of characters followed by a `-`, causing excessive backtracking and high CPU usage.\n2. **New Regular Expression**: `(?\u003c![\\w-])[\\w-]+(?=-preview)`\n- This updated regular expression uses a negative lookbehind `(?\u003c![\\w-])`, ensuring that the matched string is not preceded by any word characters or hyphens (`\\w` or `-`).\n- The new expression still matches sequences of word characters and hyphens, but the negative lookbehind ensures it doesn\u0027t cause backtracking issues when processing long attack strings.\n- By adding this lookbehind, we effectively prevent the vulnerability, ensuring the regex operates efficiently without excessive backtracking.\n\n#### Full Solution Example:\nThe specific code is located at the following link: https://github.com/octokit/endpoint.js/blob/main/src/parse.ts, at line 62:\n1. **Update the Regular Expression**: In the `parse.ts` file (or wherever the original regex is defined), replace the existing regular expression:\n```ts\nconst previewsFromAcceptHeader =\n          headers.accept.match(/[\\w-]+(?=-preview)/g) || ([] as string[]);\n```\nWith the updated one:\n```ts\nconst previewsFromAcceptHeader =\n          headers.accept.match(/(?\u003c![\\w-])[\\w-]+(?=-preview)/g) || ([] as string[]);\n```\n\n2. **Test the Change**: After updating the regular expression, thoroughly test the application with both regular and malicious inputs to ensure that:\n- The functionality remains correct and the expected matches still occur.\n- The performance improves and the ReDoS vulnerability no longer occurs when handling large attack strings.\n3. **Deploy the Fix**: Once the solution is verified, deploy the fix to your production environment to protect against potential attacks.",
  "id": "GHSA-x4c5-c7rf-jjgv",
  "modified": "2026-02-17T16:11:00Z",
  "published": "2025-02-14T17:56:18Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/octokit/endpoint.js/security/advisories/GHSA-x4c5-c7rf-jjgv"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-25285"
    },
    {
      "type": "WEB",
      "url": "https://github.com/octokit/endpoint.js/commit/6c9c5be033c450d436efb37de41b6470c22f7db8"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/octokit/endpoint.js"
    },
    {
      "type": "WEB",
      "url": "https://github.com/octokit/endpoint.js/blob/main/src/parse.ts"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "@octokit/endpoint has a Regular Expression in parse that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking"
}

Mitigation
Architecture and Design

Use regular expressions that do not support backtracking, e.g. by removing nested quantifiers.

Mitigation
System Configuration

Set backtracking limits in the configuration of the regular expression implementation, such as PHP's pcre.backtrack_limit. Also consider limits on execution time for the process.

Mitigation
Implementation

Do not use regular expressions with untrusted input. If regular expressions must be used, avoid using backtracking in the expression.

Mitigation
Implementation

Limit the length of the input that the regular expression will process.

CAPEC-492: Regular Expression Exponential Blowup

An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions.