CWE-185
Allowed-with-ReviewIncorrect Regular Expression
Abstraction: Class · Status: Draft
The product specifies a regular expression in a way that causes data to be improperly matched or compared.
70 vulnerabilities reference this CWE, most recent first.
GHSA-4JPM-QV63-23QH
Vulnerability from github – Published: 2022-05-24 22:01 – Updated: 2024-01-23 18:31A user authorized to perform database queries may trigger denial of service by issuing specially crafted query contain a type of regex. This issue affects: MongoDB Inc. MongoDB Server v3.6 versions prior to 3.6.21 and MongoDB Server v4.0 versions prior to 4.0.20.
{
"affected": [],
"aliases": [
"CVE-2020-7929"
],
"database_specific": {
"cwe_ids": [
"CWE-185"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-03-01T16:15:00Z",
"severity": "MODERATE"
},
"details": "A user authorized to perform database queries may trigger denial of service by issuing specially crafted query contain a type of regex. This issue affects: MongoDB Inc. MongoDB Server v3.6 versions prior to 3.6.21 and MongoDB Server v4.0 versions prior to 4.0.20.",
"id": "GHSA-4jpm-qv63-23qh",
"modified": "2024-01-23T18:31:09Z",
"published": "2022-05-24T22:01:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7929"
},
{
"type": "WEB",
"url": "https://jira.mongodb.org/browse/SERVER-51083"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-53CQ-V8H5-F4V2
Vulnerability from github – Published: 2022-05-24 17:29 – Updated: 2022-10-27 19:00A vulnerability in the Split DNS feature of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause an affected device to reload, resulting in a denial of service (DoS) condition. The vulnerability occurs because the regular expression (regex) engine that is used with the Split DNS feature of affected releases may time out when it processes the DNS name list configuration. An attacker could exploit this vulnerability by trying to resolve an address or hostname that the affected device handles. A successful exploit could allow the attacker to cause the device to reload, resulting in a DoS condition.
{
"affected": [],
"aliases": [
"CVE-2020-3408"
],
"database_specific": {
"cwe_ids": [
"CWE-185",
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-09-24T18:15:00Z",
"severity": "HIGH"
},
"details": "A vulnerability in the Split DNS feature of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause an affected device to reload, resulting in a denial of service (DoS) condition. The vulnerability occurs because the regular expression (regex) engine that is used with the Split DNS feature of affected releases may time out when it processes the DNS name list configuration. An attacker could exploit this vulnerability by trying to resolve an address or hostname that the affected device handles. A successful exploit could allow the attacker to cause the device to reload, resulting in a DoS condition.",
"id": "GHSA-53cq-v8h5-f4v2",
"modified": "2022-10-27T19:00:33Z",
"published": "2022-05-24T17:29:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-3408"
},
{
"type": "WEB",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-splitdns-SPWqpdGW"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-573F-X89G-HQP9
Vulnerability from github – Published: 2026-03-05 21:29 – Updated: 2026-03-06 22:44Description
Fastify incorrectly accepts malformed Content-Type headers containing trailing characters after the subtype token, in violation of RFC 9110 §8.3.1. For example, a request sent with Content-Type: application/json garbage passes validation and is processed normally, rather than being rejected with 415 Unsupported Media Type.
When regex-based content-type parsers are in use (a documented Fastify feature), the malformed value is matched against registered parsers using the full string including the trailing garbage. This means a request with an invalid content-type may be routed to and processed by a parser it should never have reached.
Impact
An attacker can send requests with RFC-invalid Content-Type headers that bypass validity checks, reach content-type parser matching, and be processed by the server. Requests that should be rejected at the validation stage are instead handled as if the content-type were valid.
Workarounds
Deploy a WAF rule to protect against this
Fix
The fix is available starting with v5.8.1.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 5.8.0"
},
"package": {
"ecosystem": "npm",
"name": "fastify"
},
"ranges": [
{
"events": [
{
"introduced": "5.7.2"
},
{
"fixed": "5.8.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-3419"
],
"database_specific": {
"cwe_ids": [
"CWE-185"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-05T21:29:54Z",
"nvd_published_at": "2026-03-06T18:16:22Z",
"severity": "MODERATE"
},
"details": "# Description\n\nFastify incorrectly accepts malformed `Content-Type` headers containing trailing characters after the subtype token, in violation of [RFC 9110 \u00a78.3.1](https://httpwg.org/specs/rfc9110.html#field.content-type). For example, a request sent with `Content-Type: application/json garbage` passes validation and is processed normally, rather than being rejected with `415 Unsupported Media Type`.\n\nWhen regex-based content-type parsers are in use (a documented Fastify feature), the malformed value is matched against registered parsers using the full string including the trailing garbage. This means a request with an invalid content-type may be routed to and processed by a parser it should never have reached.\n\n## Impact\n\nAn attacker can send requests with RFC-invalid `Content-Type` headers that bypass validity checks, reach content-type parser matching, and be processed by the server. Requests that should be rejected at the validation stage are instead handled as if the content-type were valid.\n\n## Workarounds\n\nDeploy a WAF rule to protect against this\n\n## Fix\n\nThe fix is available starting with v5.8.1.",
"id": "GHSA-573f-x89g-hqp9",
"modified": "2026-03-06T22:44:34Z",
"published": "2026-03-05T21:29:54Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/fastify/fastify/security/advisories/GHSA-573f-x89g-hqp9"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3419"
},
{
"type": "WEB",
"url": "https://github.com/fastify/fastify/commit/67f6c9b32cb3623d3c9470cc17ed830dd2f083d7"
},
{
"type": "WEB",
"url": "https://cna.openjsf.org/security-advisories.html"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-573f-x89g-hqp9"
},
{
"type": "PACKAGE",
"url": "https://github.com/fastify/fastify"
},
{
"type": "WEB",
"url": "https://httpwg.org/specs/rfc9110.html#field.content-type"
},
{
"type": "WEB",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-3419"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Fastify\u0027s Missing End Anchor in \"subtypeNameReg\" Allows Malformed Content-Types to Pass Validation"
}
GHSA-6FX8-H7JM-663J
Vulnerability from github – Published: 2025-01-16 00:31 – Updated: 2025-09-03 12:56An issue in parse-uri v1.0.9 allows attackers to cause a Regular expression Denial of Service (ReDoS) via a crafted URL. ## PoC
async function exploit() {
const parseuri = require("parse-uri");
// This input is designed to cause excessive backtracking in the regex
const craftedInput = 'http://example.com/' + 'a'.repeat(30000) + '?key=value';
const result = await parseuri(craftedInput);
}
await exploit();
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "parse-uri"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.0.9"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c 2.0.0"
},
"package": {
"ecosystem": "npm",
"name": "parseuri"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-36751"
],
"database_specific": {
"cwe_ids": [
"CWE-1333",
"CWE-185"
],
"github_reviewed": true,
"github_reviewed_at": "2025-01-17T15:39:05Z",
"nvd_published_at": "2025-01-15T22:15:26Z",
"severity": "MODERATE"
},
"details": "An issue in parse-uri v1.0.9 allows attackers to cause a Regular expression Denial of Service (ReDoS) via a crafted URL.\n ## PoC\n```js\nasync function exploit() {\n const parseuri = require(\"parse-uri\");\n // This input is designed to cause excessive backtracking in the regex\n const craftedInput = \u0027http://example.com/\u0027 + \u0027a\u0027.repeat(30000) + \u0027?key=value\u0027;\n const result = await parseuri(craftedInput);\n }\nawait exploit();\n```",
"id": "GHSA-6fx8-h7jm-663j",
"modified": "2025-09-03T12:56:48Z",
"published": "2025-01-16T00:31:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36751"
},
{
"type": "WEB",
"url": "https://github.com/Kikobeats/parse-uri/issues/14"
},
{
"type": "WEB",
"url": "https://gist.github.com/6en6ar/78168687da94e8aa2e0357f2456b0233"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "parse-uri Regular expression Denial of Service (ReDoS)"
}
GHSA-72XP-P242-47P9
Vulnerability from github – Published: 2026-05-27 16:55 – Updated: 2026-05-27 16:55Description
Symfony routes can declare a requirements regex per path parameter, e.g. a route /{_locale}/blog with requirements: { _locale: 'en|fr|de' }. The Twig path() / url() helpers (backed by UrlGenerator) validate supplied parameter values against that regex before building the URL.
UrlGenerator constructs the validation pattern as '#^'.$req.'$#', where $req is the raw requirement string. For a requirement expressed as an alternation, e.g. _locale: 'ar|bg|...|vi|...|zh_CN' (very common), ^ and $ anchor only the first and last alternatives, so any middle alternative matches as an unanchored substring. A value like /evil.com satisfies the requirement (because it contains vi), and the generated path becomes //evil.com/...: a protocol-relative URL the browser navigates off-site.
Resolution
The UrlGenerator class now wraps the requirement in a non-capturing group so the ^ and $ anchors apply to the whole alternation.
The patch for this issue is available here for branch 5.4.
Credits
Symfony would like to thank Claude Mythos Preview (via Project Glasswing) for reporting the issue and providing the fix.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/routing"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.4.52"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/routing"
},
"ranges": [
{
"events": [
{
"introduced": "6.0.0"
},
{
"fixed": "6.4.40"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/routing"
},
"ranges": [
{
"events": [
{
"introduced": "7.0.0"
},
{
"fixed": "7.4.12"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/routing"
},
"ranges": [
{
"events": [
{
"introduced": "8.0.0"
},
{
"fixed": "8.0.12"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/symfony"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.4.52"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/symfony"
},
"ranges": [
{
"events": [
{
"introduced": "6.0.0"
},
{
"fixed": "6.4.40"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/symfony"
},
"ranges": [
{
"events": [
{
"introduced": "7.0.0"
},
{
"fixed": "7.4.12"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/symfony"
},
"ranges": [
{
"events": [
{
"introduced": "8.0.0"
},
{
"fixed": "8.0.12"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-45065"
],
"database_specific": {
"cwe_ids": [
"CWE-185",
"CWE-601"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-27T16:55:16Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Description\n\nSymfony routes can declare a requirements regex per path parameter, e.g. a route `/{_locale}/blog` with `requirements: { _locale: \u0027en|fr|de\u0027 }`. The Twig `path()` / `url()` helpers (backed by `UrlGenerator`) validate supplied parameter values against that regex before building the URL.\n\nUrlGenerator constructs the validation pattern as `\u0027#^\u0027.$req.\u0027$#\u0027`, where `$req` is the raw requirement string. For a requirement expressed as an alternation, e.g. `_locale: \u0027ar|bg|...|vi|...|zh_CN\u0027` (very common), `^` and `$` anchor only the first and last alternatives, so any middle alternative matches as an unanchored substring. A value like `/evil.com` satisfies the requirement (because it contains `vi`), and the generated path becomes `//evil.com/...`: a protocol-relative URL the browser navigates off-site.\n\n### Resolution\n\nThe `UrlGenerator` class now wraps the requirement in a non-capturing group so the `^` and `$` anchors apply to the whole alternation.\n\nThe patch for this issue is available [here](https://github.com/symfony/symfony/commit/bcf487c22f3240ba994124e0e0fe8616f3cfc47a) for branch 5.4.\n\n### Credits\n\nSymfony would like to thank Claude Mythos Preview (via Project Glasswing) for reporting the issue and providing the fix.",
"id": "GHSA-72xp-p242-47p9",
"modified": "2026-05-27T16:55:16Z",
"published": "2026-05-27T16:55:16Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/symfony/symfony/security/advisories/GHSA-72xp-p242-47p9"
},
{
"type": "WEB",
"url": "https://github.com/symfony/symfony/commit/bcf487c22f3240ba994124e0e0fe8616f3cfc47a"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/routing/CVE-2026-45065.yaml"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2026-45065.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/symfony/symfony"
},
{
"type": "WEB",
"url": "https://symfony.com/cve-2026-45065"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Symfony has a UrlGenerator Route-Requirement Bypass via Unanchored Regex Alternation \u2192 Off-Site //host URL Injection"
}
GHSA-7J2X-32W6-P43P
Vulnerability from github – Published: 2026-03-20 20:35 – Updated: 2026-03-25 20:53Summary
The ensureSize() function in @dicebear/converter used a regex-based approach to rewrite SVG width/height attributes, capping them at 2048px to prevent denial of service. This size capping could be bypassed by crafting SVG input that causes the regex to match a non-functional occurrence of <svg before the actual SVG root element. When the SVG is subsequently rendered via @resvg/resvg-js on the Node.js code path, it renders at the attacker-specified dimensions, potentially causing out-of-memory crashes.
Details
The vulnerable function used String.prototype.replace() with a non-global regex to find and rewrite the first <svg tag's dimensions. Since the regex does not distinguish between <svg appearing inside non-element XML constructs and the actual SVG root element, a crafted input can cause the regex to match a decoy instead of the real element, leaving the actual SVG dimensions unclamped.
In the Node.js rendering path, renderAsync from @resvg/resvg-js was called without a fitTo constraint, so it would render at whatever dimensions the SVG element specified — potentially allocating gigabytes of memory.
The browser code path is not vulnerable because it uses the clamped size return value from ensureSize() to set canvas.width and canvas.height directly.
Impact
Any application that passes untrusted or user-supplied SVG content through @dicebear/converter's Node.js conversion functions (toPng, toJpeg, toWebp, toAvif) is vulnerable to denial of service via excessive memory allocation. Note that @dicebear/converter can be used independently of DiceBear's avatar generation — any SVG string can be passed to the conversion functions.
The impact is limited to availability — there is no data disclosure or integrity impact. The browser code path is not affected.
Fix
The regex-based approach has been replaced with XML-aware processing using fast-xml-parser to correctly identify and modify the SVG root element's attributes. Additionally, a fitTo constraint has been added to the renderAsync call as defense-in-depth, ensuring the rendered output is always bounded regardless of SVG content.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 9.4.1"
},
"package": {
"ecosystem": "npm",
"name": "@dicebear/converter"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "9.4.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-33418"
],
"database_specific": {
"cwe_ids": [
"CWE-185"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-20T20:35:40Z",
"nvd_published_at": "2026-03-24T14:16:30Z",
"severity": "HIGH"
},
"details": "## Summary\n\nThe `ensureSize()` function in `@dicebear/converter` used a regex-based approach to rewrite SVG `width`/`height` attributes, capping them at 2048px to prevent denial of service. This size capping could be bypassed by crafting SVG input that causes the regex to match a non-functional occurrence of `\u003csvg` before the actual SVG root element. When the SVG is subsequently rendered via `@resvg/resvg-js` on the Node.js code path, it renders at the attacker-specified dimensions, potentially causing out-of-memory crashes.\n\n## Details\n\nThe vulnerable function used `String.prototype.replace()` with a non-global regex to find and rewrite the first `\u003csvg` tag\u0027s dimensions. Since the regex does not distinguish between `\u003csvg` appearing inside non-element XML constructs and the actual SVG root element, a crafted input can cause the regex to match a decoy instead of the real element, leaving the actual SVG dimensions unclamped.\n\nIn the Node.js rendering path, `renderAsync` from `@resvg/resvg-js` was called without a `fitTo` constraint, so it would render at whatever dimensions the SVG element specified \u2014 potentially allocating gigabytes of memory.\n\nThe browser code path is **not** vulnerable because it uses the clamped `size` return value from `ensureSize()` to set `canvas.width` and `canvas.height` directly.\n\n## Impact\n\nAny application that passes untrusted or user-supplied SVG content through `@dicebear/converter`\u0027s Node.js conversion functions (`toPng`, `toJpeg`, `toWebp`, `toAvif`) is vulnerable to denial of service via excessive memory allocation. Note that `@dicebear/converter` can be used independently of DiceBear\u0027s avatar generation \u2014 any SVG string can be passed to the conversion functions.\n\nThe impact is limited to availability \u2014 there is no data disclosure or integrity impact. The browser code path is not affected.\n\n## Fix\n\nThe regex-based approach has been replaced with XML-aware processing using `fast-xml-parser` to correctly identify and modify the SVG root element\u0027s attributes. Additionally, a `fitTo` constraint has been added to the `renderAsync` call as defense-in-depth, ensuring the rendered output is always bounded regardless of SVG content.",
"id": "GHSA-7j2x-32w6-p43p",
"modified": "2026-03-25T20:53:40Z",
"published": "2026-03-20T20:35:40Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/dicebear/dicebear/security/advisories/GHSA-7j2x-32w6-p43p"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33418"
},
{
"type": "PACKAGE",
"url": "https://github.com/dicebear/dicebear"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "SVG Dimension Capping Bypass via XML Comment Injection in @dicebear/converter ensureSize()"
}
GHSA-7V9P-34R2-Q668
Vulnerability from github – Published: 2022-05-24 17:30 – Updated: 2023-10-27 11:36Jenkins Audit Trail Plugin uses regular expressions to match requested URLs whose dispatch should be logged.
In Jenkins Audit Trail Plugin 3.6 and earlier, the default regular expression pattern could be bypassed in many cases by adding a suffix to the URL that would be ignored during request handling.
Jenkins Audit Trail Plugin 3.7 changes the default regular expression pattern so that it allows for arbitrary suffixes. It automatically will replace previous default patterns with the new, more complete default pattern.
Additionally, an administrative monitor is shown if a user-specified pattern is found to be bypassable through crafted URLs and form validation was improved to recognize patterns that would not match requests with arbitrary suffixes.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.plugins:audit-trail"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-2288"
],
"database_specific": {
"cwe_ids": [
"CWE-185"
],
"github_reviewed": true,
"github_reviewed_at": "2022-12-21T16:49:28Z",
"nvd_published_at": "2020-10-08T13:15:00Z",
"severity": "MODERATE"
},
"details": "Jenkins Audit Trail Plugin uses regular expressions to match requested URLs whose dispatch should be logged.\n\nIn Jenkins Audit Trail Plugin 3.6 and earlier, the default regular expression pattern could be bypassed in many cases by adding a suffix to the URL that would be ignored during request handling.\n\nJenkins Audit Trail Plugin 3.7 changes the default regular expression pattern so that it allows for arbitrary suffixes. It automatically will replace previous default patterns with the new, more complete default pattern.\n\nAdditionally, an administrative monitor is shown if a user-specified pattern is found to be bypassable through crafted URLs and form validation was improved to recognize patterns that would not match requests with arbitrary suffixes.",
"id": "GHSA-7v9p-34r2-q668",
"modified": "2023-10-27T11:36:00Z",
"published": "2022-05-24T17:30:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-2288"
},
{
"type": "WEB",
"url": "https://github.com/jenkinsci/audit-trail-plugin/commit/43433147bec001f13536534d3d282ce3c28b26be"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/audit-trail-plugin"
},
{
"type": "WEB",
"url": "https://www.jenkins.io/security/advisory/2020-10-08/#SECURITY-1846"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2020/10/08/5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Incorrect default pattern in Jenkins Audit Trail Plugin"
}
GHSA-8454-MW8R-4MJQ
Vulnerability from github – Published: 2025-03-04 15:31 – Updated: 2025-11-03 21:33It was possible to interrupt the processing of a RegExp bailout and run additional JavaScript, potentially triggering garbage collection when the engine was not expecting it. This vulnerability affects Firefox < 136 and Firefox ESR < 128.8.
{
"affected": [],
"aliases": [
"CVE-2025-1934"
],
"database_specific": {
"cwe_ids": [
"CWE-185"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-04T14:15:38Z",
"severity": "MODERATE"
},
"details": "It was possible to interrupt the processing of a RegExp bailout and run additional JavaScript, potentially triggering garbage collection when the engine was not expecting it. This vulnerability affects Firefox \u003c 136 and Firefox ESR \u003c 128.8.",
"id": "GHSA-8454-mw8r-4mjq",
"modified": "2025-11-03T21:33:04Z",
"published": "2025-03-04T15:31:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1934"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1942881"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00006.html"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2025-14"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2025-16"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2025-17"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2025-18"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-8462-Q7X7-G2X4
Vulnerability from github – Published: 2018-09-17 20:44 – Updated: 2023-09-05 23:09The MongoDB bson JavaScript module (also known as js-bson) versions 0.5.0 to 1.0.x before 1.0.5 is vulnerable to a Regular Expression Denial of Service (ReDoS) in lib/bson/decimal128.js. The flaw is triggered when the Decimal128.fromString() function is called to parse a long untrusted string.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "bson"
},
"ranges": [
{
"events": [
{
"introduced": "0.5.0"
},
{
"fixed": "1.0.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2018-13863"
],
"database_specific": {
"cwe_ids": [
"CWE-185",
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2020-06-16T21:24:09Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "The MongoDB bson JavaScript module (also known as js-bson) versions 0.5.0 to 1.0.x before 1.0.5 is vulnerable to a Regular Expression Denial of Service (ReDoS) in lib/bson/decimal128.js. The flaw is triggered when the Decimal128.fromString() function is called to parse a long untrusted string.",
"id": "GHSA-8462-q7x7-g2x4",
"modified": "2023-09-05T23:09:22Z",
"published": "2018-09-17T20:44:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-13863"
},
{
"type": "WEB",
"url": "https://github.com/mongodb/js-bson/commit/bd61c45157c53a1698ff23770160cf4783e9ea4a"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-8462-q7x7-g2x4"
},
{
"type": "PACKAGE",
"url": "https://github.com/mongodb/js-bson"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/npm:bson:20180225"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "js-bson vulnerable to REDoS"
}
GHSA-8H5J-7XVQ-97FQ
Vulnerability from github – Published: 2022-05-14 01:49 – Updated: 2022-05-14 01:49An unanchored /[a-z]{2}/ regular expression in ISPConfig before 3.1.13 makes it possible to include arbitrary files, leading to code execution. This is exploitable by authenticated users who have local filesystem access.
{
"affected": [],
"aliases": [
"CVE-2018-17984"
],
"database_specific": {
"cwe_ids": [
"CWE-185"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-10-04T23:29:00Z",
"severity": "HIGH"
},
"details": "An unanchored /[a-z]{2}/ regular expression in ISPConfig before 3.1.13 makes it possible to include arbitrary files, leading to code execution. This is exploitable by authenticated users who have local filesystem access.",
"id": "GHSA-8h5j-7xvq-97fq",
"modified": "2022-05-14T01:49:19Z",
"published": "2022-05-14T01:49:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-17984"
},
{
"type": "WEB",
"url": "https://0x09al.github.io/security/ispconfig/exploit/vulnerability/2018/08/20/bug-or-backdoor-ispconfig-rce.html"
},
{
"type": "WEB",
"url": "https://github.com/0x09AL/0x09al.github.io/blob/master/_posts/2018-08-20-bug-or-backdoor-ispconfig-rce.markdown"
},
{
"type": "WEB",
"url": "https://www.ispconfig.org/blog/ispconfig-3-1-13-released-important-security-bugfix"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-45
Strategy: Refactoring
Regular expressions can become error prone when defining a complex language even for those experienced in writing grammars. Determine if several smaller regular expressions simplify one large regular expression. Also, subject the regular expression to thorough testing techniques such as equivalence partitioning, boundary value analysis, and robustness. After testing and a reasonable confidence level is achieved, a regular expression may not be foolproof. If an exploit is allowed to slip through, then record the exploit and refactor the regular expression.
CAPEC-15: Command Delimiters
An attack of this type exploits a programs' vulnerabilities that allows an attacker's commands to be concatenated onto a legitimate command with the intent of targeting other resources such as the file system or database. The system that uses a filter or denylist input validation, as opposed to allowlist validation is vulnerable to an attacker who predicts delimiters (or combinations of delimiters) not present in the filter or denylist. As with other injection attacks, the attacker uses the command delimiter payload as an entry point to tunnel through the application and activate additional attacks through SQL queries, shell commands, network scanning, and so on.
CAPEC-6: Argument Injection
An attacker changes the behavior or state of a targeted application through injecting data or command syntax through the targets use of non-validated and non-filtered arguments of exposed services or methods.
CAPEC-79: Using Slashes in Alternate Encoding
This attack targets the encoding of the Slash characters. An adversary would try to exploit common filtering problems related to the use of the slashes characters to gain access to resources on the target host. Directory-driven systems, such as file systems and databases, typically use the slash character to indicate traversal between directories or other container components. For murky historical reasons, PCs (and, as a result, Microsoft OSs) choose to use a backslash, whereas the UNIX world typically makes use of the forward slash. The schizophrenic result is that many MS-based systems are required to understand both forms of the slash. This gives the adversary many opportunities to discover and abuse a number of common filtering problems. The goal of this pattern is to discover server software that only applies filters to one version, but not the other.