CWE-1333
Inefficient Regular Expression Complexity
The product uses a regular expression with a worst-case computational complexity that is inefficient and possibly exponential.
CVE-2025-66020 (GCVE-0-2025-66020)
Vulnerability from cvelistv5 – Published: 2025-11-26 01:49 – Updated: 2025-11-26 14:16
VLAI
Title
Valibot has a ReDoS vulnerability in `EMOJI_REGEX`
Summary
Valibot helps validate data using a schema. In versions from 0.31.0 to 1.1.0, the EMOJI_REGEX used in the emoji action is vulnerable to a Regular Expression Denial of Service (ReDoS) attack. A short, maliciously crafted string (e.g., <100 characters) can cause the regex engine to consume excessive CPU time (minutes), leading to a Denial of Service (DoS) for the application. This issue has been patched in version 1.2.0.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-1333 - Inefficient Regular Expression Complexity
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/open-circle/valibot/security/a… | x_refsource_CONFIRM |
| https://github.com/open-circle/valibot/commit/cfb… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| open-circle | valibot |
Affected:
>= 0.31.0, < 1.2.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-66020",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-26T14:15:40.424558Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-26T14:16:54.610Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "valibot",
"vendor": "open-circle",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.31.0, \u003c 1.2.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Valibot helps validate data using a schema. In versions from 0.31.0 to 1.1.0, the EMOJI_REGEX used in the emoji action is vulnerable to a Regular Expression Denial of Service (ReDoS) attack. A short, maliciously crafted string (e.g., \u003c100 characters) can cause the regex engine to consume excessive CPU time (minutes), leading to a Denial of Service (DoS) for the application. This issue has been patched in version 1.2.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "CWE-1333: Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-26T01:49:38.276Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/open-circle/valibot/security/advisories/GHSA-vqpr-j7v3-hqw9",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/open-circle/valibot/security/advisories/GHSA-vqpr-j7v3-hqw9"
},
{
"name": "https://github.com/open-circle/valibot/commit/cfb799db301a953a0950d5c05a34a3ab121262dc",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/open-circle/valibot/commit/cfb799db301a953a0950d5c05a34a3ab121262dc"
}
],
"source": {
"advisory": "GHSA-vqpr-j7v3-hqw9",
"discovery": "UNKNOWN"
},
"title": "Valibot has a ReDoS vulnerability in `EMOJI_REGEX`"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-66020",
"datePublished": "2025-11-26T01:49:38.276Z",
"dateReserved": "2025-11-21T01:08:02.613Z",
"dateUpdated": "2025-11-26T14:16:54.610Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-6638 (GCVE-0-2025-6638)
Vulnerability from cvelistv5 – Published: 2025-09-12 10:46 – Updated: 2025-09-12 11:52
VLAI
Title
Regular Expression Denial of Service (ReDoS) in huggingface/transformers
Summary
A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically affecting the MarianTokenizer's `remove_language_code()` method. This vulnerability is present in version 4.52.4 and has been fixed in version 4.53.0. The issue arises from inefficient regex processing, which can be exploited by crafted input strings containing malformed language code patterns, leading to excessive CPU consumption and potential denial of service.
Severity
5.3 (Medium)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-1333 - Inefficient Regular Expression Complexity
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| huggingface | huggingface/transformers |
Affected:
unspecified , < 4.53.0
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-6638",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-12T11:52:42.923436Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-12T11:52:53.854Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "huggingface/transformers",
"vendor": "huggingface",
"versions": [
{
"lessThan": "4.53.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically affecting the MarianTokenizer\u0027s `remove_language_code()` method. This vulnerability is present in version 4.52.4 and has been fixed in version 4.53.0. The issue arises from inefficient regex processing, which can be exploited by crafted input strings containing malformed language code patterns, leading to excessive CPU consumption and potential denial of service."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "CWE-1333 Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-12T10:46:07.934Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntr_ai"
},
"references": [
{
"url": "https://huntr.com/bounties/6a6c933f-9ce8-4ded-8b3b-2c1444c61f36"
},
{
"url": "https://github.com/huggingface/transformers/commit/47c34fba5c303576560cb29767efb452ff12b8be"
}
],
"source": {
"advisory": "6a6c933f-9ce8-4ded-8b3b-2c1444c61f36",
"discovery": "EXTERNAL"
},
"title": "Regular Expression Denial of Service (ReDoS) in huggingface/transformers"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntr_ai",
"cveId": "CVE-2025-6638",
"datePublished": "2025-09-12T10:46:07.934Z",
"dateReserved": "2025-06-25T14:07:29.841Z",
"dateUpdated": "2025-09-12T11:52:53.854Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-68142 (GCVE-0-2025-68142)
Vulnerability from cvelistv5 – Published: 2025-12-16 18:06 – Updated: 2025-12-17 18:51
VLAI
Title
PyMdown Extensions has ReDOS bug in Figure Capture extension
Summary
PyMdown Extensions is a set of extensions for the `Python-Markdown` markdown project. Versions prior to 10.16.1 have a ReDOS bug found within the figure caption extension (`pymdownx.blocks.caption`). In systems that take unchecked user content, this could cause long hanges when processing the data if a malicious payload was crafted. This issue is patched in Release 10.16.1. As a workaround, those who process unknown user content without timeouts or other safeguards in place to prevent really large, malicious content being aimed at systems may avoid the use of `pymdownx.blocks.caption` until they're able to upgrade.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-1333 - Inefficient Regular Expression Complexity
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/facelessuser/pymdown-extension… | x_refsource_CONFIRM |
| https://github.com/facelessuser/pymdown-extension… | x_refsource_MISC |
| https://pypi.org/project/pymdown-extensions/10.16.1 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| facelessuser | pymdown-extensions |
Affected:
< 10.16.1
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-68142",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-17T14:52:35.207716Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-17T18:51:08.232Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "pymdown-extensions",
"vendor": "facelessuser",
"versions": [
{
"status": "affected",
"version": "\u003c 10.16.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "PyMdown Extensions is a set of extensions for the `Python-Markdown` markdown project. Versions prior to 10.16.1 have a ReDOS bug found within the figure caption extension (`pymdownx.blocks.caption`). In systems that take unchecked user content, this could cause long hanges when processing the data if a malicious payload was crafted. This issue is patched in Release 10.16.1. As a workaround, those who process unknown user content without timeouts or other safeguards in place to prevent really large, malicious content being aimed at systems may avoid the use of `pymdownx.blocks.caption` until they\u0027re able to upgrade."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 2.7,
"baseSeverity": "LOW",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "CWE-1333: Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T18:06:37.756Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/facelessuser/pymdown-extensions/security/advisories/GHSA-r6h4-mm7h-8pmq",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/facelessuser/pymdown-extensions/security/advisories/GHSA-r6h4-mm7h-8pmq"
},
{
"name": "https://github.com/facelessuser/pymdown-extensions/commit/b50d15a56850ed1408a284bba81cc019c6bd72e8",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/facelessuser/pymdown-extensions/commit/b50d15a56850ed1408a284bba81cc019c6bd72e8"
},
{
"name": "https://pypi.org/project/pymdown-extensions/10.16.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://pypi.org/project/pymdown-extensions/10.16.1"
}
],
"source": {
"advisory": "GHSA-r6h4-mm7h-8pmq",
"discovery": "UNKNOWN"
},
"title": "PyMdown Extensions has ReDOS bug in Figure Capture extension"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-68142",
"datePublished": "2025-12-16T18:06:37.756Z",
"dateReserved": "2025-12-15T18:15:08.404Z",
"dateUpdated": "2025-12-17T18:51:08.232Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68475 (GCVE-0-2025-68475)
Vulnerability from cvelistv5 – Published: 2025-12-22 21:31 – Updated: 2025-12-22 21:54
VLAI
Title
Fedify has ReDoS Vulnerability in HTML Parsing Regex
Summary
Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Prior to versions 1.6.13, 1.7.14, 1.8.15, and 1.9.2, a Regular Expression Denial of Service (ReDoS) vulnerability exists in Fedify's document loader. The HTML parsing regex at packages/fedify/src/runtime/docloader.ts:259 contains nested quantifiers that cause catastrophic backtracking when processing maliciously crafted HTML responses. This issue has been patched in versions 1.6.13, 1.7.14, 1.8.15, and 1.9.2.
Severity
7.5 (High)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-1333 - Inefficient Regular Expression Complexity
Assigner
References
7 references
| URL | Tags |
|---|---|
| https://github.com/fedify-dev/fedify/security/adv… | x_refsource_CONFIRM |
| https://github.com/fedify-dev/fedify/commit/2bdcb… | x_refsource_MISC |
| https://github.com/fedify-dev/fedify/commit/bf2f0… | x_refsource_MISC |
| https://github.com/fedify-dev/fedify/releases/tag… | x_refsource_MISC |
| https://github.com/fedify-dev/fedify/releases/tag… | x_refsource_MISC |
| https://github.com/fedify-dev/fedify/releases/tag… | x_refsource_MISC |
| https://github.com/fedify-dev/fedify/releases/tag/1.9.2 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| fedify-dev | fedify |
Affected:
< 1.6.13
Affected: >= 1.7.0, < 1.7.14 Affected: >= 1.8.0, < 1.8.15 Affected: >= 1.9.0, < 1.9.2 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-68475",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-22T21:54:29.525857Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-22T21:54:45.635Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "fedify",
"vendor": "fedify-dev",
"versions": [
{
"status": "affected",
"version": "\u003c 1.6.13"
},
{
"status": "affected",
"version": "\u003e= 1.7.0, \u003c 1.7.14"
},
{
"status": "affected",
"version": "\u003e= 1.8.0, \u003c 1.8.15"
},
{
"status": "affected",
"version": "\u003e= 1.9.0, \u003c 1.9.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Prior to versions 1.6.13, 1.7.14, 1.8.15, and 1.9.2, a Regular Expression Denial of Service (ReDoS) vulnerability exists in Fedify\u0027s document loader. The HTML parsing regex at packages/fedify/src/runtime/docloader.ts:259 contains nested quantifiers that cause catastrophic backtracking when processing maliciously crafted HTML responses. This issue has been patched in versions 1.6.13, 1.7.14, 1.8.15, and 1.9.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "CWE-1333: Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-22T21:31:20.314Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/fedify-dev/fedify/security/advisories/GHSA-rchf-xwx2-hm93",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/fedify-dev/fedify/security/advisories/GHSA-rchf-xwx2-hm93"
},
{
"name": "https://github.com/fedify-dev/fedify/commit/2bdcb24d7d6d5886e0214ed504b63a6dc5488779",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/fedify-dev/fedify/commit/2bdcb24d7d6d5886e0214ed504b63a6dc5488779"
},
{
"name": "https://github.com/fedify-dev/fedify/commit/bf2f0783634efed2663d1b187dc55461ee1f987a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/fedify-dev/fedify/commit/bf2f0783634efed2663d1b187dc55461ee1f987a"
},
{
"name": "https://github.com/fedify-dev/fedify/releases/tag/1.6.13",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/fedify-dev/fedify/releases/tag/1.6.13"
},
{
"name": "https://github.com/fedify-dev/fedify/releases/tag/1.7.14",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/fedify-dev/fedify/releases/tag/1.7.14"
},
{
"name": "https://github.com/fedify-dev/fedify/releases/tag/1.8.15",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/fedify-dev/fedify/releases/tag/1.8.15"
},
{
"name": "https://github.com/fedify-dev/fedify/releases/tag/1.9.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/fedify-dev/fedify/releases/tag/1.9.2"
}
],
"source": {
"advisory": "GHSA-rchf-xwx2-hm93",
"discovery": "UNKNOWN"
},
"title": "Fedify has ReDoS Vulnerability in HTML Parsing Regex"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-68475",
"datePublished": "2025-12-22T21:31:20.314Z",
"dateReserved": "2025-12-18T13:52:15.491Z",
"dateUpdated": "2025-12-22T21:54:45.635Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-69873 (GCVE-0-2025-69873)
Vulnerability from cvelistv5 – Published: 2026-02-11 00:00 – Updated: 2026-03-03 17:25
VLAI
Summary
ajv (Another JSON Schema Validator) before 8.18.0 is vulnerable to Regular Expression Denial of Service (ReDoS) when the $data option is enabled. The pattern keyword accepts runtime data via JSON Pointer syntax ($data reference), which is passed directly to the JavaScript RegExp() constructor without validation. An attacker can inject a malicious regex pattern (e.g., "^(a|a)*$") combined with crafted input to cause catastrophic backtracking. A 31-character payload causes approximately 44 seconds of CPU blocking, with each additional character doubling execution time. This enables complete denial of service with a single HTTP request against any API using ajv with $data: true for dynamic schema validation. This issue is also fixed in version 6.14.0.
Severity
7.5 (High)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
6 references
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-69873",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-12T15:13:03.482882Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-03T17:25:31.651Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "ajv",
"vendor": "ajv.js",
"versions": [
{
"lessThan": "6.14.0",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "8.17.2",
"status": "affected",
"version": "7.0.0",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ajv.js:ajv:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.14.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ajv.js:ajv:*:*:*:*:*:*:*:*",
"versionEndExcluding": "8.17.2",
"versionStartIncluding": "7.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ajv (Another JSON Schema Validator) before 8.18.0 is vulnerable to Regular Expression Denial of Service (ReDoS) when the $data option is enabled. The pattern keyword accepts runtime data via JSON Pointer syntax ($data reference), which is passed directly to the JavaScript RegExp() constructor without validation. An attacker can inject a malicious regex pattern (e.g., \"^(a|a)*$\") combined with crafted input to cause catastrophic backtracking. A 31-character payload causes approximately 44 seconds of CPU blocking, with each additional character doubling execution time. This enables complete denial of service with a single HTTP request against any API using ajv with $data: true for dynamic schema validation. This issue is also fixed in version 6.14.0."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 2.9,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "CWE-1333 Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-02T20:22:25.698Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/advisories/GHSA-2g4f-4pwh-qvx6"
},
{
"url": "https://github.com/EthanKim88/ethan-cve-disclosures/blob/main/CVE-2025-69873-ajv-ReDoS.md"
},
{
"url": "https://github.com/github/advisory-database/pull/6991"
},
{
"url": "https://github.com/ajv-validator/ajv/pull/2588"
},
{
"url": "https://github.com/ajv-validator/ajv/releases/tag/v6.14.0"
},
{
"url": "https://github.com/ajv-validator/ajv/pull/2590"
}
],
"x_generator": {
"engine": "enrichogram 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-69873",
"datePublished": "2026-02-11T00:00:00.000Z",
"dateReserved": "2026-01-09T00:00:00.000Z",
"dateUpdated": "2026-03-03T17:25:31.651Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-6998 (GCVE-0-2025-6998)
Vulnerability from cvelistv5 – Published: 2025-07-24 19:39 – Updated: 2025-07-25 13:17
VLAI
Title
Calibre Web 0.6.24 & Autocaliweb 0.7.0 - ReDoS
Summary
ReDoS in strip_whitespaces() function in cps/string_helper.py in Calibre Web and Autocaliweb allows unauthenticated remote attackers to cause denial of service via specially crafted username parameter that triggers catastrophic backtracking during login. This issue affects Calibre Web: 0.6.24 (Nicolette); Autocaliweb: from 0.7.0 before 0.7.1.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-1333 - Inefficient Regular Expression Complexity
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://fluidattacks.com/advisories/megadeth | third-party-advisory |
| https://github.com/janeczku/calibre-web | product |
| https://github.com/gelbphoenix/autocaliweb | product |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Calibre Web | Calibre Web |
Affected:
0.6.24
(custom)
|
|
| Autocaliweb | Autocaliweb |
Affected:
0.7.0 , < 0.7.1
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-6998",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-24T19:50:08.633333Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-24T19:50:16.388Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Linux"
],
"product": "Calibre Web",
"vendor": "Calibre Web",
"versions": [
{
"status": "affected",
"version": "0.6.24",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"platforms": [
"Linux"
],
"product": "Autocaliweb",
"vendor": "Autocaliweb",
"versions": [
{
"lessThan": "0.7.1",
"status": "affected",
"version": "0.7.0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:calibre_web:calibre_web:0.6.24:*:linux:*:*:*:*:*",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:autocaliweb:autocaliweb:*:*:linux:*:*:*:*:*",
"versionEndExcluding": "0.7.1",
"versionStartIncluding": "0.7.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eReDoS in strip_whitespaces() function in cps/string_helper.py\u003c/span\u003e in Calibre Web and Autocaliweb allows\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eunauthenticated remote attackers to cause denial of service via specially crafted username parameter that triggers catastrophic backtracking during login.\u0026nbsp;\u003c/span\u003eThis issue affects Calibre Web: 0.6.24 (Nicolette); Autocaliweb: from 0.7.0 before 0.7.1."
}
],
"value": "ReDoS in strip_whitespaces() function in cps/string_helper.py in Calibre Web and Autocaliweb allows\u00a0unauthenticated remote attackers to cause denial of service via specially crafted username parameter that triggers catastrophic backtracking during login.\u00a0This issue affects Calibre Web: 0.6.24 (Nicolette); Autocaliweb: from 0.7.0 before 0.7.1."
}
],
"impacts": [
{
"capecId": "CAPEC-492",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-492 Regular Expression Exponential Blowup"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "CWE-1333 Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-25T13:17:33.295Z",
"orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
"shortName": "Fluid Attacks"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://fluidattacks.com/advisories/megadeth"
},
{
"tags": [
"product"
],
"url": "https://github.com/janeczku/calibre-web"
},
{
"tags": [
"product"
],
"url": "https://github.com/gelbphoenix/autocaliweb"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Calibre Web 0.6.24 \u0026 Autocaliweb 0.7.0 - ReDoS",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
"assignerShortName": "Fluid Attacks",
"cveId": "CVE-2025-6998",
"datePublished": "2025-07-24T19:39:17.709Z",
"dateReserved": "2025-07-01T23:26:57.856Z",
"dateUpdated": "2025-07-25T13:17:33.295Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-7074 (GCVE-0-2025-7074)
Vulnerability from cvelistv5 – Published: 2025-07-05 09:02 – Updated: 2025-07-07 16:06
VLAI
Title
vercel hyper rimraf-standalone.js ignoreMap redos
Summary
A vulnerability classified as problematic has been found in vercel hyper up to 3.4.1. This affects the function expand/braceExpand/ignoreMap of the file hyper/bin/rimraf-standalone.js. The manipulation leads to inefficient regular expression complexity. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.314973 | vdb-entrytechnical-description |
| https://vuldb.com/?ctiid.314973 | signaturepermissions-required |
| https://vuldb.com/?submit.602353 | third-party-advisory |
| https://github.com/vercel/hyper/issues/8098 | exploitissue-tracking |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-7074",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-07T16:06:51.371292Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-07T16:06:53.818Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/vercel/hyper/issues/8098"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "hyper",
"vendor": "vercel",
"versions": [
{
"status": "affected",
"version": "3.4.0"
},
{
"status": "affected",
"version": "3.4.1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "DayShift (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability classified as problematic has been found in vercel hyper up to 3.4.1. This affects the function expand/braceExpand/ignoreMap of the file hyper/bin/rimraf-standalone.js. The manipulation leads to inefficient regular expression complexity. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used."
},
{
"lang": "de",
"value": "Es wurde eine Schwachstelle in vercel hyper bis 3.4.1 entdeckt. Sie wurde als problematisch eingestuft. Dabei betrifft es die Funktion expand/braceExpand/ignoreMap der Datei hyper/bin/rimraf-standalone.js. Durch Beeinflussen mit unbekannten Daten kann eine inefficient regular expression complexity-Schwachstelle ausgenutzt werden. Die Umsetzung des Angriffs kann dabei \u00fcber das Netzwerk erfolgen. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 4,
"vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-05T09:02:05.339Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-314973 | vercel hyper rimraf-standalone.js ignoreMap redos",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.314973"
},
{
"name": "VDB-314973 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.314973"
},
{
"name": "Submit #602353 | vercel hyper \u003e=18.2.79 Inefficient Regular Expression Complexity",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.602353"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/vercel/hyper/issues/8098"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-07-04T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-07-04T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-07-04T18:52:51.000Z",
"value": "VulDB entry last update"
}
],
"title": "vercel hyper rimraf-standalone.js ignoreMap redos"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-7074",
"datePublished": "2025-07-05T09:02:05.339Z",
"dateReserved": "2025-07-04T16:47:23.277Z",
"dateUpdated": "2025-07-07T16:06:53.818Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-7579 (GCVE-0-2025-7579)
Vulnerability from cvelistv5 – Published: 2025-07-14 06:14 – Updated: 2025-07-14 13:08
VLAI
Title
chinese-poetry server.js redos
Summary
A vulnerability was found in chinese-poetry 0.1. It has been rated as problematic. This issue affects some unknown processing of the file rank/server.js. The manipulation leads to inefficient regular expression complexity. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.316277 | vdb-entry |
| https://vuldb.com/?ctiid.316277 | signaturepermissions-required |
| https://vuldb.com/?submit.609704 | third-party-advisory |
| https://github.com/chinese-poetry/chinese-poetry/… | issue-tracking |
| https://github.com/chinese-poetry/chinese-poetry/… | exploitissue-tracking |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| n/a | chinese-poetry |
Affected:
0.1
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-7579",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-14T13:05:33.108252Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-14T13:08:00.410Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "chinese-poetry",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "0.1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "DayShift (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in chinese-poetry 0.1. It has been rated as problematic. This issue affects some unknown processing of the file rank/server.js. The manipulation leads to inefficient regular expression complexity. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used."
},
{
"lang": "de",
"value": "Eine Schwachstelle wurde in chinese-poetry 0.1 ausgemacht. Sie wurde als problematisch eingestuft. Dies betrifft einen unbekannten Teil der Datei rank/server.js. Mittels dem Manipulieren mit unbekannten Daten kann eine inefficient regular expression complexity-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk passieren. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 4,
"vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-14T06:14:06.008Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-316277 | chinese-poetry server.js redos",
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/?id.316277"
},
{
"name": "VDB-316277 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.316277"
},
{
"name": "Submit #609704 | chinese-poetry \u003c=v0.1 Inefficient Regular Expression Complexity",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.609704"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/chinese-poetry/chinese-poetry/issues/396"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/chinese-poetry/chinese-poetry/issues/396#issue-3204562392"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-07-13T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-07-13T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-07-13T09:55:06.000Z",
"value": "VulDB entry last update"
}
],
"title": "chinese-poetry server.js redos"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-7579",
"datePublished": "2025-07-14T06:14:06.008Z",
"dateReserved": "2025-07-13T07:50:03.655Z",
"dateUpdated": "2025-07-14T13:08:00.410Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-8262 (GCVE-0-2025-8262)
Vulnerability from cvelistv5 – Published: 2025-07-28 07:02 – Updated: 2025-07-28 17:16
VLAI
Title
yarnpkg Yarn hosted-git-resolver.js explodeHostedGitFragment redos
Summary
A vulnerability was found in yarnpkg Yarn up to 1.22.22. It has been classified as problematic. Affected is the function explodeHostedGitFragment of the file src/resolvers/exotics/hosted-git-resolver.js. The manipulation leads to inefficient regular expression complexity. It is possible to launch the attack remotely. The patch is identified as 97731871e674bf93bcbf29e9d3258da8685f3076. It is recommended to apply a patch to fix this issue.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.317850 | vdb-entrytechnical-description |
| https://vuldb.com/?ctiid.317850 | signaturepermissions-required |
| https://vuldb.com/?submit.617393 | third-party-advisory |
| https://github.com/yarnpkg/yarn/pull/9199 | issue-tracking |
| https://github.com/yarnpkg/yarn/pull/9199/commits… | issue-trackingpatch |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| yarnpkg | Yarn |
Affected:
1.22.0
Affected: 1.22.1 Affected: 1.22.2 Affected: 1.22.3 Affected: 1.22.4 Affected: 1.22.5 Affected: 1.22.6 Affected: 1.22.7 Affected: 1.22.8 Affected: 1.22.9 Affected: 1.22.10 Affected: 1.22.11 Affected: 1.22.12 Affected: 1.22.13 Affected: 1.22.14 Affected: 1.22.15 Affected: 1.22.16 Affected: 1.22.17 Affected: 1.22.18 Affected: 1.22.19 Affected: 1.22.20 Affected: 1.22.21 Affected: 1.22.22 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-8262",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-28T17:13:41.425895Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-28T17:16:45.501Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Yarn",
"vendor": "yarnpkg",
"versions": [
{
"status": "affected",
"version": "1.22.0"
},
{
"status": "affected",
"version": "1.22.1"
},
{
"status": "affected",
"version": "1.22.2"
},
{
"status": "affected",
"version": "1.22.3"
},
{
"status": "affected",
"version": "1.22.4"
},
{
"status": "affected",
"version": "1.22.5"
},
{
"status": "affected",
"version": "1.22.6"
},
{
"status": "affected",
"version": "1.22.7"
},
{
"status": "affected",
"version": "1.22.8"
},
{
"status": "affected",
"version": "1.22.9"
},
{
"status": "affected",
"version": "1.22.10"
},
{
"status": "affected",
"version": "1.22.11"
},
{
"status": "affected",
"version": "1.22.12"
},
{
"status": "affected",
"version": "1.22.13"
},
{
"status": "affected",
"version": "1.22.14"
},
{
"status": "affected",
"version": "1.22.15"
},
{
"status": "affected",
"version": "1.22.16"
},
{
"status": "affected",
"version": "1.22.17"
},
{
"status": "affected",
"version": "1.22.18"
},
{
"status": "affected",
"version": "1.22.19"
},
{
"status": "affected",
"version": "1.22.20"
},
{
"status": "affected",
"version": "1.22.21"
},
{
"status": "affected",
"version": "1.22.22"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "mmmsssttt (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in yarnpkg Yarn up to 1.22.22. It has been classified as problematic. Affected is the function explodeHostedGitFragment of the file src/resolvers/exotics/hosted-git-resolver.js. The manipulation leads to inefficient regular expression complexity. It is possible to launch the attack remotely. The patch is identified as 97731871e674bf93bcbf29e9d3258da8685f3076. It is recommended to apply a patch to fix this issue."
},
{
"lang": "de",
"value": "Es wurde eine problematische Schwachstelle in yarnpkg Yarn bis 1.22.22 ausgemacht. Es betrifft die Funktion explodeHostedGitFragment der Datei src/resolvers/exotics/hosted-git-resolver.js. Mittels dem Manipulieren mit unbekannten Daten kann eine inefficient regular expression complexity-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk erfolgen. Der Patch wird als 97731871e674bf93bcbf29e9d3258da8685f3076 bezeichnet. Als bestm\u00f6gliche Massnahme wird Patching empfohlen."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:X/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:X/RL:O/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 4,
"vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P/E:ND/RL:OF/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-28T07:02:05.616Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-317850 | yarnpkg Yarn hosted-git-resolver.js explodeHostedGitFragment redos",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.317850"
},
{
"name": "VDB-317850 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.317850"
},
{
"name": "Submit #617393 | Yarn v1.22.22 Inefficient Regular Expression Complexity",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.617393"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/yarnpkg/yarn/pull/9199"
},
{
"tags": [
"issue-tracking",
"patch"
],
"url": "https://github.com/yarnpkg/yarn/pull/9199/commits/97731871e674bf93bcbf29e9d3258da8685f3076"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-07-26T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-07-26T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-07-26T18:29:39.000Z",
"value": "VulDB entry last update"
}
],
"title": "yarnpkg Yarn hosted-git-resolver.js explodeHostedGitFragment redos"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-8262",
"datePublished": "2025-07-28T07:02:05.616Z",
"dateReserved": "2025-07-26T16:24:06.079Z",
"dateUpdated": "2025-07-28T17:16:45.501Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-9308 (GCVE-0-2025-9308)
Vulnerability from cvelistv5 – Published: 2025-08-21 16:02 – Updated: 2025-08-21 17:32 Unsupported When Assigned
VLAI
Title
yarnpkg Yarn request-manager.js setOptions redos
Summary
A vulnerability has been found in yarnpkg Yarn up to 1.22.22. This impacts the function setOptions of the file src/util/request-manager.js. Such manipulation leads to inefficient regular expression complexity. Local access is required to approach this attack. This vulnerability only affects products that are no longer supported by the maintainer.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.320913 | vdb-entrytechnical-description |
| https://vuldb.com/?ctiid.320913 | signaturepermissions-required |
| https://vuldb.com/?submit.633486 | third-party-advisory |
| https://github.com/yarnpkg/yarn/pull/9203 | issue-tracking |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| yarnpkg | Yarn |
Affected:
1.22.0
Affected: 1.22.1 Affected: 1.22.2 Affected: 1.22.3 Affected: 1.22.4 Affected: 1.22.5 Affected: 1.22.6 Affected: 1.22.7 Affected: 1.22.8 Affected: 1.22.9 Affected: 1.22.10 Affected: 1.22.11 Affected: 1.22.12 Affected: 1.22.13 Affected: 1.22.14 Affected: 1.22.15 Affected: 1.22.16 Affected: 1.22.17 Affected: 1.22.18 Affected: 1.22.19 Affected: 1.22.20 Affected: 1.22.21 Affected: 1.22.22 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-9308",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-21T17:24:36.331263Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-21T17:32:14.661Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/yarnpkg/yarn/pull/9203"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Yarn",
"vendor": "yarnpkg",
"versions": [
{
"status": "affected",
"version": "1.22.0"
},
{
"status": "affected",
"version": "1.22.1"
},
{
"status": "affected",
"version": "1.22.2"
},
{
"status": "affected",
"version": "1.22.3"
},
{
"status": "affected",
"version": "1.22.4"
},
{
"status": "affected",
"version": "1.22.5"
},
{
"status": "affected",
"version": "1.22.6"
},
{
"status": "affected",
"version": "1.22.7"
},
{
"status": "affected",
"version": "1.22.8"
},
{
"status": "affected",
"version": "1.22.9"
},
{
"status": "affected",
"version": "1.22.10"
},
{
"status": "affected",
"version": "1.22.11"
},
{
"status": "affected",
"version": "1.22.12"
},
{
"status": "affected",
"version": "1.22.13"
},
{
"status": "affected",
"version": "1.22.14"
},
{
"status": "affected",
"version": "1.22.15"
},
{
"status": "affected",
"version": "1.22.16"
},
{
"status": "affected",
"version": "1.22.17"
},
{
"status": "affected",
"version": "1.22.18"
},
{
"status": "affected",
"version": "1.22.19"
},
{
"status": "affected",
"version": "1.22.20"
},
{
"status": "affected",
"version": "1.22.21"
},
{
"status": "affected",
"version": "1.22.22"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "mmmsssttt (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been found in yarnpkg Yarn up to 1.22.22. This impacts the function setOptions of the file src/util/request-manager.js. Such manipulation leads to inefficient regular expression complexity. Local access is required to approach this attack. This vulnerability only affects products that are no longer supported by the maintainer."
},
{
"lang": "de",
"value": "Es wurde eine Schwachstelle in yarnpkg Yarn bis 1.22.22 entdeckt. Betroffen hiervon ist die Funktion setOptions der Datei src/util/request-manager.js. Mittels dem Manipulieren mit unbekannten Daten kann eine inefficient regular expression complexity-Schwachstelle ausgenutzt werden. Der Angriff muss auf lokaler Ebene erfolgen."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 3.3,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:X/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 3.3,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:X/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 1.7,
"vectorString": "AV:L/AC:L/Au:S/C:N/I:N/A:P/E:ND/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-21T16:02:12.172Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-320913 | yarnpkg Yarn request-manager.js setOptions redos",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.320913"
},
{
"name": "VDB-320913 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.320913"
},
{
"name": "Submit #633486 | yarn Yarn src/util/request-manager.js v1.22.22 Inefficient Regular Expression Complexity",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.633486"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/yarnpkg/yarn/pull/9203"
}
],
"tags": [
"unsupported-when-assigned"
],
"timeline": [
{
"lang": "en",
"time": "2025-08-21T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-08-21T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-08-21T08:03:40.000Z",
"value": "VulDB entry last update"
}
],
"title": "yarnpkg Yarn request-manager.js setOptions redos"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-9308",
"datePublished": "2025-08-21T16:02:12.172Z",
"dateReserved": "2025-08-21T05:58:24.411Z",
"dateUpdated": "2025-08-21T17:32:14.661Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Mitigation
Phase: Architecture and Design
Description:
- Use regular expressions that do not support backtracking, e.g. by removing nested quantifiers.
Mitigation
Phase: System Configuration
Description:
- Set backtracking limits in the configuration of the regular expression implementation, such as PHP's pcre.backtrack_limit. Also consider limits on execution time for the process.
Mitigation
Phase: Implementation
Description:
- Do not use regular expressions with untrusted input. If regular expressions must be used, avoid using backtracking in the expression.
Mitigation
Phase: Implementation
Description:
- Limit the length of the input that the regular expression will process.
CAPEC-492: Regular Expression Exponential Blowup
An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions.