Common Weakness Enumeration

CWE-1333

Allowed

Inefficient Regular Expression Complexity

Abstraction: Base · Status: Draft

The product uses a regular expression with a worst-case computational complexity that is inefficient and possibly exponential.

724 vulnerabilities reference this CWE, most recent first.

GHSA-X4HG-HFWF-P9MW

Vulnerability from github – Published: 2026-07-02 20:20 – Updated: 2026-07-02 20:20
VLAI
Summary
@asymmetric-effort/nogginlessdom vulnerable to ReDoS via user-controlled regex in HTMLInputElement pattern validation
Details

Summary

The HTMLInputElement.checkValidity() method constructed a RegExp directly from the user-controlled pattern property without any sanitization or timeout protection. This allowed an attacker to inject a regex with catastrophic backtracking, freezing the event loop.

Fix

Fixed in commit https://github.com/asymmetric-effort/NogginLessDom/commit/25a3cbac665fae5663f8b71c073b80c3152dbe7b on main. Added: - Pattern length limit (1024 characters) - Nested quantifier detection (hasNestedQuantifiers) that rejects patterns like (a+)+ before constructing the regex - Patterns exceeding limits are treated as non-matching (safe default)

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.0.21"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@asymmetric-effort/nogginlessdom"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.0.22"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-07-02T20:20:04Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nThe `HTMLInputElement.checkValidity()` method constructed a `RegExp` directly from the user-controlled `pattern` property without any sanitization or timeout protection. This allowed an attacker to inject a regex with catastrophic backtracking, freezing the event loop.\n\n## Fix\n\nFixed in commit https://github.com/asymmetric-effort/NogginLessDom/commit/25a3cbac665fae5663f8b71c073b80c3152dbe7b on `main`. Added:\n- Pattern length limit (1024 characters)\n- Nested quantifier detection (`hasNestedQuantifiers`) that rejects patterns like `(a+)+` before constructing the regex\n- Patterns exceeding limits are treated as non-matching (safe default)",
  "id": "GHSA-x4hg-hfwf-p9mw",
  "modified": "2026-07-02T20:20:04Z",
  "published": "2026-07-02T20:20:04Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/asymmetric-effort/NogginLessDom/security/advisories/GHSA-x4hg-hfwf-p9mw"
    },
    {
      "type": "WEB",
      "url": "https://github.com/asymmetric-effort/NogginLessDom/commit/25a3cbac665fae5663f8b71c073b80c3152dbe7b"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/asymmetric-effort/NogginLessDom"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "@asymmetric-effort/nogginlessdom vulnerable to ReDoS via user-controlled regex in HTMLInputElement pattern validation"
}

GHSA-X55W-VJJP-222R

Vulnerability from github – Published: 2021-09-29 17:12 – Updated: 2022-08-10 23:43
VLAI
Summary
inflect vulnerable to Inefficient Regular Expression Complexity
Details

inflect is customizable inflections for nodejs. inflect is vulnerable to Inefficient Regular Expression Complexity

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "i"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.3.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-3820"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-09-28T19:27:17Z",
    "nvd_published_at": "2021-09-27T13:15:00Z",
    "severity": "HIGH"
  },
  "details": "inflect is customizable inflections for nodejs. inflect is vulnerable to Inefficient Regular Expression Complexity",
  "id": "GHSA-x55w-vjjp-222r",
  "modified": "2022-08-10T23:43:58Z",
  "published": "2021-09-29T17:12:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3820"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pksunkara/inflect/commit/a9a0a8e9561c3487854c7cae42565d9652ec858b"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/pksunkara/inflect"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/4612b31a-072b-4f61-a916-c7e4cbc2042a"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "inflect vulnerable to Inefficient Regular Expression Complexity"
}

GHSA-X5CV-MQXQ-8Q96

Vulnerability from github – Published: 2023-05-05 00:30 – Updated: 2024-04-04 03:49
VLAI
Details

A Regular Expression Denial of Service (ReDoS) issue was discovered in Puppet Server 7.9.2 certificate validation. An issue related to specifically crafted certificate names significantly slowed down server operations.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-1894"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-05-04T23:15:08Z",
    "severity": "MODERATE"
  },
  "details": "A Regular Expression Denial of Service (ReDoS) issue was discovered in Puppet Server 7.9.2 certificate validation. An issue related to specifically crafted certificate names significantly slowed down server operations.",
  "id": "GHSA-x5cv-mqxq-8q96",
  "modified": "2024-04-04T03:49:17Z",
  "published": "2023-05-05T00:30:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1894"
    },
    {
      "type": "WEB",
      "url": "https://www.puppet.com/security/cve/cve-2023-1894-puppet-server-redos"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X5GF-QVW8-R2RM

Vulnerability from github – Published: 2025-06-09 21:30 – Updated: 2026-05-20 02:06
VLAI
Summary
pm2 Regular Expression Denial of Service vulnerability
Details

A vulnerability classified as problematic was found in Unitech pm2 prior to 7.0.0. This vulnerability affects unknown code of the file /lib/tools/Config.js. The manipulation leads to inefficient regular expression complexity. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "pm2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "7.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-5891"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333",
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-06-10T22:52:17Z",
    "nvd_published_at": "2025-06-09T19:15:25Z",
    "severity": "LOW"
  },
  "details": "A vulnerability classified as problematic was found in Unitech pm2 prior to 7.0.0. This vulnerability affects unknown code of the file /lib/tools/Config.js. The manipulation leads to inefficient regular expression complexity. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.",
  "id": "GHSA-x5gf-qvw8-r2rm",
  "modified": "2026-05-20T02:06:26Z",
  "published": "2025-06-09T21:30:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-5891"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Unitech/pm2/issues/6075"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Unitech/pm2/pull/5971"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Unitech/pm2/commit/8b9354800a1d157cb9503a3ec414ef1e4700dc1c"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/mmmsssttt404/407e2ffe3e0eaa393ad923a86316a385"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Unitech/pm2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Unitech/pm2/blob/ba62cae9b9b7116ee758b70f538919a52515fa26/CHANGELOG.md?plain=1#L36"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Unitech/pm2/releases/tag/v7.0.0"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.311662"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.311662"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.585750"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "pm2 Regular Expression Denial of Service vulnerability"
}

GHSA-X6FG-F45M-JF5Q

Vulnerability from github – Published: 2017-10-24 18:33 – Updated: 2026-03-03 20:03
VLAI
Summary
Regular Expression Denial of Service in semver
Details

Versions 4.3.1 and earlier of semver are affected by a regular expression denial of service vulnerability when extremely long version strings are parsed.

Recommendation

Update to version 4.3.2 or later

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "semver"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.0.4"
            },
            {
              "fixed": "4.3.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2015-8855"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T22:02:25Z",
    "nvd_published_at": "2017-01-23T21:59:00Z",
    "severity": "HIGH"
  },
  "details": "Versions 4.3.1 and earlier of `semver` are affected by a regular expression denial of service vulnerability when extremely long version strings are parsed.\n\n\n\n## Recommendation\n\nUpdate to version 4.3.2 or later",
  "id": "GHSA-x6fg-f45m-jf5q",
  "modified": "2026-03-03T20:03:27Z",
  "published": "2017-10-24T18:33:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-8855"
    },
    {
      "type": "WEB",
      "url": "https://github.com/github/advisory-database/pull/7102"
    },
    {
      "type": "WEB",
      "url": "https://github.com/npm/node-semver/commit/5c4c9f6e26c7052a42b5ced2a7481c5c9b4363a0"
    },
    {
      "type": "WEB",
      "url": "https://github.com/npm/node-semver/commit/c80180d8341a8ada0236815c29a2be59864afd70"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-x6fg-f45m-jf5q"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/npm/node-semver"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/advisories/31"
    },
    {
      "type": "WEB",
      "url": "https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2016/04/20/11"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/86957"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Regular Expression Denial of Service in semver"
}

GHSA-XFFM-G5W8-QVG7

Vulnerability from github – Published: 2025-07-18 20:39 – Updated: 2025-07-28 17:34
VLAI
Summary
@eslint/plugin-kit is vulnerable to Regular Expression Denial of Service attacks through ConfigCommentParser
Details

Summary

The ConfigCommentParser#parseJSONLikeConfig API is vulnerable to a Regular Expression Denial of Service (ReDoS) attack in its only argument.

Details

The regular expression at packages/plugin-kit/src/config-comment-parser.js:158 is vulnerable to a quadratic runtime attack because the grouped expression is not anchored. This can be solved by prepending the regular expression with [^-a-zA-Z0-9/].

PoC

const { ConfigCommentParser } = require("@eslint/plugin-kit");

const str = `${"A".repeat(1000000)}?: 1 B: 2`;

console.log("start")
var parser = new ConfigCommentParser();
console.log(parser.parseJSONLikeConfig(str));
console.log("end")

// run `npm i @eslint/plugin-kit@0.3.3` and `node attack.js`
// then the program will stuck forever with high CPU usage

Impact

This is a Regular Expression Denial of Service attack which may lead to blocking execution and high CPU usage.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@eslint/plugin-kit"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.3.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-07-18T20:39:12Z",
    "nvd_published_at": null,
    "severity": "LOW"
  },
  "details": "### Summary\n\nThe `ConfigCommentParser#parseJSONLikeConfig` API is vulnerable to a Regular Expression Denial of Service (ReDoS) attack in its only argument.\n\n### Details\n\nThe regular expression at [packages/plugin-kit/src/config-comment-parser.js:158](https://github.com/eslint/rewrite/blob/bd4bf23c59f0e4886df671cdebd5abaeb1e0d916/packages/plugin-kit/src/config-comment-parser.js#L158) is vulnerable to a quadratic runtime attack because the grouped expression is not anchored. This can be solved by prepending the regular expression with `[^-a-zA-Z0-9/]`.\n\n### PoC\n\n```javascript\nconst { ConfigCommentParser } = require(\"@eslint/plugin-kit\");\n\nconst str = `${\"A\".repeat(1000000)}?: 1 B: 2`;\n\nconsole.log(\"start\")\nvar parser = new ConfigCommentParser();\nconsole.log(parser.parseJSONLikeConfig(str));\nconsole.log(\"end\")\n\n// run `npm i @eslint/plugin-kit@0.3.3` and `node attack.js`\n// then the program will stuck forever with high CPU usage\n```\n\n### Impact\n\nThis is a Regular Expression Denial of Service attack which may lead to blocking execution and high CPU usage.",
  "id": "GHSA-xffm-g5w8-qvg7",
  "modified": "2025-07-28T17:34:44Z",
  "published": "2025-07-18T20:39:12Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/eslint/rewrite/security/advisories/GHSA-xffm-g5w8-qvg7"
    },
    {
      "type": "WEB",
      "url": "https://github.com/eslint/rewrite/commit/b283f64099ad6c6b5043387c091691d21b387805"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/eslint/rewrite"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "@eslint/plugin-kit is vulnerable to Regular Expression Denial of Service attacks through ConfigCommentParser"
}

GHSA-XH9H-692F-MMG4

Vulnerability from github – Published: 2025-08-20 03:30 – Updated: 2025-08-29 20:14
VLAI
Summary
Withdrawn Advisory: Microsoft Knack ReDoS Vulnerability in the Introspection Module
Details

Withdrawn Advisory

This advisory has been withdrawn because the attack surface of this vulnerability is outside of Knack's intended functionality. The maintainer states the following:

These CVEs are invalid. Knack is a CLI framework used by Azure CLI. It's a local library, not a web service. In addition, the regex is used to extract function and parameter docstrings from the source code. It is not used to match user input. Therefore, it does not expose any attack surface. There is no way to use it for ReDoS attack.

This link is maintained to preserve external references.

Original Description

Microsoft Knack 0.12.0 allows Regular expression Denial of Service (ReDoS) in the knack.introspection module (issue 2 of 2).

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "knack"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.12.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-54364"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-08-21T15:01:00Z",
    "nvd_published_at": "2025-08-20T03:15:35Z",
    "severity": "LOW"
  },
  "details": "### Withdrawn Advisory\nThis advisory has been withdrawn because the attack surface of this vulnerability is outside of Knack\u0027s intended functionality. The maintainer states the following:\n\n\u003e These CVEs are invalid. Knack is a CLI framework used by [Azure CLI](https://github.com/Azure/azure-cli). It\u0027s a local library, not a web service. In addition, the regex is used to extract function and parameter docstrings from the source code. It is not used to match user input. Therefore, it does not expose any attack surface. There is no way to use it for ReDoS attack.\n\nThis link is maintained to preserve external references.\n\n### Original Description\nMicrosoft Knack 0.12.0 allows Regular expression Denial of Service (ReDoS) in the knack.introspection module (issue 2 of 2).",
  "id": "GHSA-xh9h-692f-mmg4",
  "modified": "2025-08-29T20:14:37Z",
  "published": "2025-08-20T03:30:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54364"
    },
    {
      "type": "WEB",
      "url": "https://github.com/microsoft/knack/issues/281"
    },
    {
      "type": "WEB",
      "url": "https://github.com/microsoft/knack/issues/281#issuecomment-3218922941"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/microsoft/knack"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/microsoft-knack-python-package-regular-expression-dos"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Withdrawn Advisory: Microsoft Knack ReDoS Vulnerability in the Introspection Module",
  "withdrawn": "2025-08-29T20:14:37Z"
}

GHSA-XMC8-CJFR-PHX3

Vulnerability from github – Published: 2019-03-18 15:59 – Updated: 2021-09-21 22:36
VLAI
Summary
Regular Expression Denial of Service in highcharts
Details

Versions of highcharts prior to 6.1.0 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions. This can cause the application to be unresponsive leading to Denial of Service.

Recommendation

Upgrade to version 6.1.0 or higher.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "highcharts"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2018-20801"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T22:03:47Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "Versions of `highcharts` prior to 6.1.0 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions. This can cause the application to be unresponsive leading to Denial of Service.\n\n\n## Recommendation\n\nUpgrade to version 6.1.0 or higher.",
  "id": "GHSA-xmc8-cjfr-phx3",
  "modified": "2021-09-21T22:36:57Z",
  "published": "2019-03-18T15:59:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-20801"
    },
    {
      "type": "WEB",
      "url": "https://github.com/highcharts/highcharts/commit/7c547e1e0f5e4379f94396efd559a566668c0dfa"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-xmc8-cjfr-phx3"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/highcharts/highcharts"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20190715-0001"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/npm:highcharts:20180225"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/advisories/793"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Regular Expression Denial of Service in highcharts"
}

GHSA-XQ93-2HG3-RPJX

Vulnerability from github – Published: 2025-10-30 15:32 – Updated: 2025-10-30 15:32
VLAI
Details

Zohocorp ManageEngine Exchange Reporter Plus through 5721 are vulnerable to ReDOS vulnerability in the search module.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-5342"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333",
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-30T15:15:40Z",
    "severity": "MODERATE"
  },
  "details": "Zohocorp ManageEngine Exchange Reporter Plus through 5721 are vulnerable to ReDOS vulnerability in the search module.",
  "id": "GHSA-xq93-2hg3-rpjx",
  "modified": "2025-10-30T15:32:37Z",
  "published": "2025-10-30T15:32:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-5342"
    },
    {
      "type": "WEB",
      "url": "https://www.manageengine.com/products/exchange-reports/advisory/CVE-2025-5342.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XR9W-X6GW-C9MJ

Vulnerability from github – Published: 2023-02-25 06:30 – Updated: 2023-04-03 17:18
VLAI
Summary
Duplicate advisory: Deno vulnerable to Regular Expression Denial of Service
Details

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-jc97-h3h9-7xh6. This link is maintained to preserve external references.

Original Description

Versions of the package deno before 1.31.0 are vulnerable to Regular Expression Denial of Service (ReDoS) due to the upgradeWebSocket function, which contains regexes in the form of /s,s/, used for splitting the Connection/Upgrade header. A specially crafted Connection/Upgrade header can be used to significantly slow down a web socket server. This issue has been patched in version 1.31.0.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "deno"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.31.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-02-28T14:00:55Z",
    "nvd_published_at": "2023-02-25T05:15:00Z",
    "severity": "HIGH"
  },
  "details": "## Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of [GHSA-jc97-h3h9-7xh6](https://github.com/advisories/GHSA-jc97-h3h9-7xh6). This link is maintained to preserve external references.\n\n## Original Description\nVersions of the package deno before 1.31.0 are vulnerable to Regular Expression Denial of Service (ReDoS) due to the upgradeWebSocket function, which contains regexes in the form of /s*,s*/, used for splitting the Connection/Upgrade header. A specially crafted Connection/Upgrade header can be used to significantly slow down a web socket server. This issue has been patched in version 1.31.0.",
  "id": "GHSA-xr9w-x6gw-c9mj",
  "modified": "2023-04-03T17:18:44Z",
  "published": "2023-02-25T06:30:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26103"
    },
    {
      "type": "WEB",
      "url": "https://github.com/denoland/deno/pull/17722"
    },
    {
      "type": "WEB",
      "url": "https://github.com/denoland/deno/commit/cf06a7c7e672880e1b38598fe445e2c50b4a9d06"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/denoland/deno"
    },
    {
      "type": "WEB",
      "url": "https://github.com/denoland/deno/blob/2b247be517d789a37e532849e2e40b724af0918f/ext/http/01_http.js%23L395-L409"
    },
    {
      "type": "WEB",
      "url": "https://github.com/denoland/deno/releases/tag/v1.31.0"
    },
    {
      "type": "WEB",
      "url": "https://security.snyk.io/vuln/SNYK-RUST-DENO-3315970"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Duplicate advisory: Deno vulnerable to Regular Expression Denial of Service",
  "withdrawn": "2023-04-03T17:18:44Z"
}

Mitigation
Architecture and Design

Use regular expressions that do not support backtracking, e.g. by removing nested quantifiers.

Mitigation
System Configuration

Set backtracking limits in the configuration of the regular expression implementation, such as PHP's pcre.backtrack_limit. Also consider limits on execution time for the process.

Mitigation
Implementation

Do not use regular expressions with untrusted input. If regular expressions must be used, avoid using backtracking in the expression.

Mitigation
Implementation

Limit the length of the input that the regular expression will process.

CAPEC-492: Regular Expression Exponential Blowup

An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions.