CWE-1333
AllowedInefficient Regular Expression Complexity
Abstraction: Base · Status: Draft
The product uses a regular expression with a worst-case computational complexity that is inefficient and possibly exponential.
724 vulnerabilities reference this CWE, most recent first.
CVE-2025-55152 (GCVE-0-2025-55152)
Vulnerability from cvelistv5 – Published: 2025-08-09 01:29 – Updated: 2025-08-11 13:33| URL | Tags |
|---|---|
| https://github.com/oakserver/oak/security/advisor… | x_refsource_CONFIRM |
| https://github.com/oakserver/oak/commit/b60e60330… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-55152",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-11T13:33:12.274447Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-11T13:33:40.071Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "oak",
"vendor": "oakserver",
"versions": [
{
"status": "affected",
"version": "\u003c 17.1.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "oak is a middleware framework for Deno\u0027s native HTTP server, Deno Deploy, Node.js 16.5 and later, Cloudflare Workers and Bun. In versions 17.1.5 and below, it\u0027s possible to significantly slow down an oak server with specially crafted values of the x-forwarded-proto or x-forwarded-for headers."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "CWE-1333: Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-09T01:29:54.545Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/oakserver/oak/security/advisories/GHSA-r3v7-pc4g-7xp9",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/oakserver/oak/security/advisories/GHSA-r3v7-pc4g-7xp9"
},
{
"name": "https://github.com/oakserver/oak/commit/b60e60330ef227707c4dc13ef0ea36192d894f44",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/oakserver/oak/commit/b60e60330ef227707c4dc13ef0ea36192d894f44"
}
],
"source": {
"advisory": "GHSA-r3v7-pc4g-7xp9",
"discovery": "UNKNOWN"
},
"title": "oak: ReDoS in x-forwarded-proto and x-forwarded-for headers"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-55152",
"datePublished": "2025-08-09T01:29:54.545Z",
"dateReserved": "2025-08-07T18:27:23.305Z",
"dateUpdated": "2025-08-11T13:33:40.071Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-54796 (GCVE-0-2025-54796)
Vulnerability from cvelistv5 – Published: 2025-08-01 23:38 – Updated: 2025-08-04 15:19| URL | Tags |
|---|---|
| https://github.com/9001/copyparty/security/adviso… | x_refsource_CONFIRM |
| https://github.com/9001/copyparty/commit/09910ba8… | x_refsource_MISC |
| https://github.com/9001/copyparty/releases/tag/v1.18.9 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-54796",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-04T15:19:56.634822Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-04T15:19:59.399Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/9001/copyparty/security/advisories/GHSA-5662-2rj7-f2v6"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "copyparty",
"vendor": "9001",
"versions": [
{
"status": "affected",
"version": "\u003c 1.18.9"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Copyparty is a portable file server. Versions prior to 1.18.9, the filter parameter for the \"Recent Uploads\" page allows arbitrary RegExes. If this feature is enabled (which is the default), an attacker can craft a filter which deadlocks the server. This is fixed in version 1.18.9."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "CWE-1333: Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-833",
"description": "CWE-833: Deadlock",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-01T23:38:27.221Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/9001/copyparty/security/advisories/GHSA-5662-2rj7-f2v6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/9001/copyparty/security/advisories/GHSA-5662-2rj7-f2v6"
},
{
"name": "https://github.com/9001/copyparty/commit/09910ba80784c3980947d92f45db696398c0fd83",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/9001/copyparty/commit/09910ba80784c3980947d92f45db696398c0fd83"
},
{
"name": "https://github.com/9001/copyparty/releases/tag/v1.18.9",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/9001/copyparty/releases/tag/v1.18.9"
}
],
"source": {
"advisory": "GHSA-5662-2rj7-f2v6",
"discovery": "UNKNOWN"
},
"title": "Copyparty is vulnerable to Regex Denial of Service (ReDoS) attacks through \"Recent Uploads\" page"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-54796",
"datePublished": "2025-08-01T23:38:27.221Z",
"dateReserved": "2025-07-29T16:50:28.395Z",
"dateUpdated": "2025-08-04T15:19:59.399Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-54364 (GCVE-0-2025-54364)
Vulnerability from cvelistv5 – Published: 2025-08-20 00:00 – Updated: 2025-08-26 13:42- CWE-1333 - Inefficient Regular Expression Complexity
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-54364",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-26T13:42:34.239313Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-26T13:42:50.158Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Knack",
"vendor": "Microsoft",
"versions": [
{
"status": "affected",
"version": "0.12.0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Microsoft Knack 0.12.0 allows Regular expression Denial of Service (ReDoS) in the knack.introspection module. option_descriptions employs an inefficient regular expression pattern: \"\\s(:param)\\s+(.+?)\\s:(.*)\" that is susceptible to catastrophic backtracking when processing crafted docstrings containing a large volume of whitespace without a terminating colon. An attacker who can control or inject docstring content into affected applications can trigger excessive CPU consumption. This software is used by Azure CLI."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "CWE-1333 Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-21T15:39:18.264Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/microsoft/knack"
},
{
"url": "https://www.vulncheck.com/advisories/microsoft-knack-python-package-regular-expression-dos"
}
],
"x_generator": {
"engine": "enrichogram 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-54364",
"datePublished": "2025-08-20T00:00:00.000Z",
"dateReserved": "2025-07-21T00:00:00.000Z",
"dateUpdated": "2025-08-26T13:42:50.158Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-54363 (GCVE-0-2025-54363)
Vulnerability from cvelistv5 – Published: 2025-08-20 00:00 – Updated: 2025-08-21 15:37- CWE-1333 - Inefficient Regular Expression Complexity
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-54363",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-20T13:37:39.030815Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-20T13:37:53.235Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Knack",
"vendor": "Microsoft",
"versions": [
{
"status": "affected",
"version": "0.12.0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Microsoft Knack 0.12.0 allows Regular expression Denial of Service (ReDoS) in the knack.introspection module. extract_full_summary_from_signature employs an inefficient regular expression pattern: \"\\s(:param)\\s+(.+?)\\s:(.*)\" that is susceptible to catastrophic backtracking when processing crafted docstrings containing a large volume of whitespace without a terminating colon. An attacker who can control or inject docstring content into affected applications can trigger excessive CPU consumption. This software is used by Azure CLI."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "CWE-1333 Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-21T15:37:24.848Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/microsoft/knack"
},
{
"url": "https://www.vulncheck.com/advisories/microsoft-knack-python-package-regular-expression-dos"
},
{
"url": "https://github.com/microsoft/knack/issues/281"
}
],
"x_generator": {
"engine": "enrichogram 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-54363",
"datePublished": "2025-08-20T00:00:00.000Z",
"dateReserved": "2025-07-21T00:00:00.000Z",
"dateUpdated": "2025-08-21T15:37:24.848Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-53539 (GCVE-0-2025-53539)
Vulnerability from cvelistv5 – Published: 2025-07-07 19:16 – Updated: 2025-07-07 20:51- CWE-1333 - Inefficient Regular Expression Complexity
| URL | Tags |
|---|---|
| https://github.com/rennf93/fastapi-guard/security… | x_refsource_CONFIRM |
| https://github.com/rennf93/fastapi-guard/commit/d… | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| rennf93 | fastapi-guard |
Affected:
< 3.0.1
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-53539",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-07T20:51:32.553883Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-07T20:51:58.541Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "fastapi-guard",
"vendor": "rennf93",
"versions": [
{
"status": "affected",
"version": "\u003c 3.0.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FastAPI Guard is a security library for FastAPI that provides middleware to control IPs, log requests, and detect penetration attempts. fastapi-guard\u0027s penetration attempts detection uses regex to scan incoming requests. However, some of the regex patterns used in detection are extremely inefficient and can cause polynomial complexity backtracks when handling specially crafted inputs. This vulnerability is fixed in 3.0.1."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "CWE-1333: Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-07T19:16:02.559Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/rennf93/fastapi-guard/security/advisories/GHSA-j47q-rc62-w448",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/rennf93/fastapi-guard/security/advisories/GHSA-j47q-rc62-w448"
},
{
"name": "https://github.com/rennf93/fastapi-guard/commit/d9d50e8130b7b434cdc1b001b8cfd03a06729f7f",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/rennf93/fastapi-guard/commit/d9d50e8130b7b434cdc1b001b8cfd03a06729f7f"
}
],
"source": {
"advisory": "GHSA-j47q-rc62-w448",
"discovery": "UNKNOWN"
},
"title": "ReDoS in fastapi-guard\u0027s penetration attempts detector"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-53539",
"datePublished": "2025-07-07T19:16:02.559Z",
"dateReserved": "2025-07-02T15:15:11.515Z",
"dateUpdated": "2025-07-07T20:51:58.541Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-48887 (GCVE-0-2025-48887)
Vulnerability from cvelistv5 – Published: 2025-05-30 17:36 – Updated: 2025-05-30 17:58- CWE-1333 - Inefficient Regular Expression Complexity
| URL | Tags |
|---|---|
| https://github.com/vllm-project/vllm/security/adv… | x_refsource_CONFIRM |
| https://github.com/vllm-project/vllm/pull/18454 | x_refsource_MISC |
| https://github.com/vllm-project/vllm/commit/4fc1b… | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| vllm-project | vllm |
Affected:
>= 0.6.4, < 0.9.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-48887",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-30T17:58:00.784274Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-30T17:58:23.074Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/vllm-project/vllm/security/advisories/GHSA-w6q7-j642-7c25"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "vllm",
"vendor": "vllm-project",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.6.4, \u003c 0.9.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "vLLM, an inference and serving engine for large language models (LLMs), has a Regular Expression Denial of Service (ReDoS) vulnerability in the file `vllm/entrypoints/openai/tool_parsers/pythonic_tool_parser.py` of versions 0.6.4 up to but excluding 0.9.0. The root cause is the use of a highly complex and nested regular expression for tool call detection, which can be exploited by an attacker to cause severe performance degradation or make the service unavailable. The pattern contains multiple nested quantifiers, optional groups, and inner repetitions which make it vulnerable to catastrophic backtracking. Version 0.9.0 contains a patch for the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "CWE-1333: Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-30T17:36:16.716Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/vllm-project/vllm/security/advisories/GHSA-w6q7-j642-7c25",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/vllm-project/vllm/security/advisories/GHSA-w6q7-j642-7c25"
},
{
"name": "https://github.com/vllm-project/vllm/pull/18454",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/vllm-project/vllm/pull/18454"
},
{
"name": "https://github.com/vllm-project/vllm/commit/4fc1bf813ad80172c1db31264beaef7d93fe0601",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/vllm-project/vllm/commit/4fc1bf813ad80172c1db31264beaef7d93fe0601"
}
],
"source": {
"advisory": "GHSA-w6q7-j642-7c25",
"discovery": "UNKNOWN"
},
"title": "vLLM has a Regular Expression Denial of Service (ReDoS, Exponential Complexity) Vulnerability in `pythonic_tool_parser.py`"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-48887",
"datePublished": "2025-05-30T17:36:16.716Z",
"dateReserved": "2025-05-27T20:14:34.297Z",
"dateUpdated": "2025-05-30T17:58:23.074Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-48059 (GCVE-0-2025-48059)
Vulnerability from cvelistv5 – Published: 2025-06-20 16:50 – Updated: 2025-06-20 17:37- CWE-1333 - Inefficient Regular Expression Complexity
| URL | Tags |
|---|---|
| https://github.com/powsybl/powsybl-core/security/… | x_refsource_CONFIRM |
| https://github.com/powsybl/powsybl-core/commit/d8… | x_refsource_MISC |
| https://github.com/powsybl/powsybl-core/releases/… | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| powsybl | powsybl-core |
Affected:
>= 6.3.0, < 6.7.2
Affected: >= 5.0.0, < 6.3.0 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-48059",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-20T17:37:14.297952Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-20T17:37:30.252Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "powsybl-core",
"vendor": "powsybl",
"versions": [
{
"status": "affected",
"version": "\u003e= 6.3.0, \u003c 6.7.2"
},
{
"status": "affected",
"version": "\u003e= 5.0.0, \u003c 6.3.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "PowSyBl (Power System Blocks) is a framework to build power system oriented software. In com.powsybl:powsybl-iidm-criteria versions 6.3.0 to before 6.7.2 and com.powsybl:powsybl-contingency-api versions 5.0.0 to before 6.3.0, there is a a potential polynomial Regular Expression Denial of Service (ReDoS) vulnerability in the RegexCriterion class. This class compiles and evaluates an unvalidated, user-supplied regular expression against the identifier of an Identifiable object via Pattern.compile(regex).matcher(id).find(). If successfully exploited, a malicious actor can cause significant CPU exhaustion through repeated or recursive filter(...) calls \u2014 especially if performed over large network models or filtering operations. This issue has been patched in com.powsybl:powsybl-iidm-criteria 6.7.2."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 2.7,
"baseSeverity": "LOW",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "CWE-1333: Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-20T16:50:35.974Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/powsybl/powsybl-core/security/advisories/GHSA-8qjw-9xgm-c9ff",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/powsybl/powsybl-core/security/advisories/GHSA-8qjw-9xgm-c9ff"
},
{
"name": "https://github.com/powsybl/powsybl-core/commit/d8398f689a5ccd505bd62eee2bd6670a29133110",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/powsybl/powsybl-core/commit/d8398f689a5ccd505bd62eee2bd6670a29133110"
},
{
"name": "https://github.com/powsybl/powsybl-core/releases/tag/v6.7.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/powsybl/powsybl-core/releases/tag/v6.7.2"
}
],
"source": {
"advisory": "GHSA-8qjw-9xgm-c9ff",
"discovery": "UNKNOWN"
},
"title": "PowSyBl Core Contains a Polynomial ReDoS in RegexCriterion"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-48059",
"datePublished": "2025-06-20T16:50:35.974Z",
"dateReserved": "2025-05-15T16:06:40.940Z",
"dateUpdated": "2025-06-20T17:37:30.252Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-48058 (GCVE-0-2025-48058)
Vulnerability from cvelistv5 – Published: 2025-06-20 00:39 – Updated: 2025-06-20 13:28- CWE-1333 - Inefficient Regular Expression Complexity
| URL | Tags |
|---|---|
| https://github.com/powsybl/powsybl-core/security/… | x_refsource_CONFIRM |
| https://github.com/powsybl/powsybl-core/commit/72… | x_refsource_MISC |
| https://github.com/powsybl/powsybl-core/releases/… | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| powsybl | powsybl-core |
Affected:
< 6.7.2
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-48058",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-20T13:27:49.842890Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-20T13:28:27.265Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "powsybl-core",
"vendor": "powsybl",
"versions": [
{
"status": "affected",
"version": "\u003c 6.7.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "PowSyBl (Power System Blocks) is a framework to build power system oriented software. Prior to version 6.7.2, there is a potential polynomial Regular Expression Denial of Service (ReDoS) vulnerability in the PowSyBl\u0027s DataSource mechanism. If successfully exploited, a malicious actor can cause significant CPU consumption due to regex backtracking \u2014 even with polynomial patterns. This issue has been patched in com.powsybl:powsybl-commons: 6.7.2."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "CWE-1333: Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-20T00:39:06.725Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/powsybl/powsybl-core/security/advisories/GHSA-rqpx-f6rc-7hm5",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/powsybl/powsybl-core/security/advisories/GHSA-rqpx-f6rc-7hm5"
},
{
"name": "https://github.com/powsybl/powsybl-core/commit/72f79dec6d4292f892fbddd68a19c67935c7d81f",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/powsybl/powsybl-core/commit/72f79dec6d4292f892fbddd68a19c67935c7d81f"
},
{
"name": "https://github.com/powsybl/powsybl-core/releases/tag/v6.7.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/powsybl/powsybl-core/releases/tag/v6.7.2"
}
],
"source": {
"advisory": "GHSA-rqpx-f6rc-7hm5",
"discovery": "UNKNOWN"
},
"title": "PowSyBl Core contains Polynomial REDoS\u2019es"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-48058",
"datePublished": "2025-06-20T00:39:06.725Z",
"dateReserved": "2025-05-15T16:06:40.940Z",
"dateUpdated": "2025-06-20T13:28:27.265Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-46560 (GCVE-0-2025-46560)
Vulnerability from cvelistv5 – Published: 2025-04-30 00:24 – Updated: 2025-04-30 13:09- CWE-1333 - Inefficient Regular Expression Complexity
| URL | Tags |
|---|---|
| https://github.com/vllm-project/vllm/security/adv… | x_refsource_CONFIRM |
| https://github.com/vllm-project/vllm/blob/8cac35b… | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| vllm-project | vllm |
Affected:
>= 0.8.0, < 0.8.5
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-46560",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-30T13:09:10.349287Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-30T13:09:13.422Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/vllm-project/vllm/security/advisories/GHSA-vc6m-hm49-g9qg"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "vllm",
"vendor": "vllm-project",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.8.0, \u003c 0.8.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. Versions starting from 0.8.0 and prior to 0.8.5 are affected by a critical performance vulnerability in the input preprocessing logic of the multimodal tokenizer. The code dynamically replaces placeholder tokens (e.g., \u003c|audio_|\u003e, \u003c|image_|\u003e) with repeated tokens based on precomputed lengths. Due to \u200b\u200binefficient list concatenation operations\u200b\u200b, the algorithm exhibits \u200b\u200bquadratic time complexity (O(n\u00b2))\u200b\u200b, allowing malicious actors to trigger resource exhaustion via specially crafted inputs. This issue has been patched in version 0.8.5."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "CWE-1333: Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-30T00:24:53.750Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/vllm-project/vllm/security/advisories/GHSA-vc6m-hm49-g9qg",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/vllm-project/vllm/security/advisories/GHSA-vc6m-hm49-g9qg"
},
{
"name": "https://github.com/vllm-project/vllm/blob/8cac35ba435906fb7eb07e44fe1a8c26e8744f4e/vllm/model_executor/models/phi4mm.py#L1182-L1197",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/vllm-project/vllm/blob/8cac35ba435906fb7eb07e44fe1a8c26e8744f4e/vllm/model_executor/models/phi4mm.py#L1182-L1197"
}
],
"source": {
"advisory": "GHSA-vc6m-hm49-g9qg",
"discovery": "UNKNOWN"
},
"title": "vLLM phi4mm: Quadratic Time Complexity in Input Token Processing\u200b leads to denial of service"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-46560",
"datePublished": "2025-04-30T00:24:53.750Z",
"dateReserved": "2025-04-24T21:10:48.174Z",
"dateUpdated": "2025-04-30T13:09:13.422Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-43880 (GCVE-0-2025-43880)
Vulnerability from cvelistv5 – Published: 2025-06-25 05:31 – Updated: 2025-06-25 13:35- CWE-1333 - Inefficient regular expression complexity
| Vendor | Product | Version | |
|---|---|---|---|
| GROWI, Inc. | GROWI |
Affected:
prior to v7.1.6
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-43880",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-25T13:35:29.026488Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-25T13:35:33.651Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "GROWI",
"vendor": "GROWI, Inc.",
"versions": [
{
"status": "affected",
"version": "prior to v7.1.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Inefficient regular expression complexity issue exists in GROWI prior to v7.1.6. If exploited, a logged-in user may cause a denial of service (DoS) condition."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"version": "4.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "Inefficient regular expression complexity",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-25T05:31:29.560Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://github.com/weseek/growi/pull/9487"
},
{
"url": "https://jvn.jp/en/jp/JVN21624250/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2025-43880",
"datePublished": "2025-06-25T05:31:29.560Z",
"dateReserved": "2025-06-13T01:56:06.794Z",
"dateUpdated": "2025-06-25T13:35:33.651Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Mitigation
Use regular expressions that do not support backtracking, e.g. by removing nested quantifiers.
Mitigation
Set backtracking limits in the configuration of the regular expression implementation, such as PHP's pcre.backtrack_limit. Also consider limits on execution time for the process.
Mitigation
Do not use regular expressions with untrusted input. If regular expressions must be used, avoid using backtracking in the expression.
Mitigation
Limit the length of the input that the regular expression will process.
CAPEC-492: Regular Expression Exponential Blowup
An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions.