Common Weakness Enumeration

CWE-1333

Allowed

Inefficient Regular Expression Complexity

Abstraction: Base · Status: Draft

The product uses a regular expression with a worst-case computational complexity that is inefficient and possibly exponential.

724 vulnerabilities reference this CWE, most recent first.

CVE-2025-43764 (GCVE-0-2025-43764)

Vulnerability from cvelistv5 – Published: 2025-08-23 04:49 – Updated: 2025-08-25 18:44
VLAI
Summary
Self-ReDoS (Regular expression Denial of Service) exists with Role Name search field of Kaleo Designer portlet JavaScript in Liferay Portal 7.4.0 through 7.4.3.131, and Liferay DXP 2024.Q4.0 through 2024.Q4.1, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.20 and 7.4 GA through update 92, which allows authenticated users with permissions to update Kaleo Workflows to enter a malicious Regex pattern causing their browser to hang for a very long time.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-1333 - Inefficient Regular Expression Complexity
Assigner
Impacted products
Vendor Product Version
Liferay Portal Affected: 7.4.3.0 , ≤ 7.4.3.131 (maven)
Create a notification for this product.
Liferay DXP Affected: 7.4.13 , ≤ 7.4.13-u92 (maven)
Affected: 2024.Q1.1 , ≤ 2024.Q1.20 (maven)
Affected: 2024.Q2.1 , ≤ 2024.Q2.13 (maven)
Affected: 2024.Q3.0 , ≤ 2024.Q3.13 (maven)
Affected: 2024.Q4.0 , ≤ 2024.Q4.1 (maven)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-43764",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-08-25T18:44:14.273754Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-08-25T18:44:21.917Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Portal",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThanOrEqual": "7.4.3.131",
              "status": "affected",
              "version": "7.4.3.0",
              "versionType": "maven"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "DXP",
          "vendor": "Liferay",
          "versions": [
            {
              "lessThanOrEqual": "7.4.13-u92",
              "status": "affected",
              "version": "7.4.13",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "2024.Q1.20",
              "status": "affected",
              "version": "2024.Q1.1",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "2024.Q2.13",
              "status": "affected",
              "version": "2024.Q2.1",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "2024.Q3.13",
              "status": "affected",
              "version": "2024.Q3.0",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "2024.Q4.1",
              "status": "affected",
              "version": "2024.Q4.0",
              "versionType": "maven"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Self-ReDoS (Regular expression Denial of Service) exists with Role Name search field of Kaleo Designer portlet JavaScript in Liferay Portal 7.4.0 through 7.4.3.131, and Liferay DXP 2024.Q4.0 through 2024.Q4.1, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.20 and 7.4 GA through update 92, which allows authenticated users with permissions to update Kaleo Workflows to enter a malicious Regex pattern causing their browser to hang for a very long time."
            }
          ],
          "value": "Self-ReDoS (Regular expression Denial of Service) exists with Role Name search field of Kaleo Designer portlet JavaScript in Liferay Portal 7.4.0 through 7.4.3.131, and Liferay DXP 2024.Q4.0 through 2024.Q4.1, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.20 and 7.4 GA through update 92, which allows authenticated users with permissions to update Kaleo Workflows to enter a malicious Regex pattern causing their browser to hang for a very long time."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "HIGH",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "LOW",
            "subIntegrityImpact": "LOW",
            "userInteraction": "PASSIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:H/SC:L/SI:L/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "LOW",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1333",
              "description": "CWE-1333 Inefficient Regular Expression Complexity",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-23T04:49:59.172Z",
        "orgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
        "shortName": "Liferay"
      },
      "references": [
        {
          "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43764"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8b54e794-c6f0-462e-9faa-c1001a673ac3",
    "assignerShortName": "Liferay",
    "cveId": "CVE-2025-43764",
    "datePublished": "2025-08-23T04:49:59.172Z",
    "dateReserved": "2025-04-17T10:55:26.804Z",
    "dateUpdated": "2025-08-25T18:44:21.917Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-33090 (GCVE-0-2025-33090)

Vulnerability from cvelistv5 – Published: 2025-08-18 14:01 – Updated: 2025-08-18 14:09
VLAI
Title
IBM Concert Software denial of service
Summary
IBM Concert Software 1.0.0 through 1.1.0 could allow a remote attacker to cause a denial of service using a specially crafted regular expression that would cause excessive resource consumption.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-1333 - Inefficient Regular Expression Complexity
Assigner
ibm
References
URL Tags
https://www.ibm.com/support/pages/node/7242354 vendor-advisorypatch
Impacted products
Vendor Product Version
IBM Concert Software Affected: 1.0.0 , ≤ 1.1.0 (semver)
    cpe:2.3:a:ibm:concert:1.0.0:*:*:*:*:*:*:*
    cpe:2.3:a:ibm:concert:1.0.1:*:*:*:*:*:*:*
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-33090",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-08-18T14:09:07.046735Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-08-18T14:09:20.940Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:ibm:concert:1.0.0:*:*:*:*:*:*:*",
            "cpe:2.3:a:ibm:concert:1.0.1:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "product": "Concert Software",
          "vendor": "IBM",
          "versions": [
            {
              "lessThanOrEqual": "1.1.0",
              "status": "affected",
              "version": "1.0.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "IBM Concert Software 1.0.0 through 1.1.0 could allow a remote attacker to cause a denial of service using a specially crafted regular expression that would cause excessive resource consumption."
            }
          ],
          "value": "IBM Concert Software 1.0.0 through 1.1.0 could allow a remote attacker to cause a denial of service using a specially crafted regular expression that would cause excessive resource consumption."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1333",
              "description": "CWE-1333 Inefficient Regular Expression Complexity",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-18T14:01:32.418Z",
        "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
        "shortName": "ibm"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://www.ibm.com/support/pages/node/7242354"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "IBM Concert Software denial of service",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
    "assignerShortName": "ibm",
    "cveId": "CVE-2025-33090",
    "datePublished": "2025-08-18T14:01:32.418Z",
    "dateReserved": "2025-04-15T17:50:31.397Z",
    "dateUpdated": "2025-08-18T14:09:20.940Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-27789 (GCVE-0-2025-27789)

Vulnerability from cvelistv5 – Published: 2025-03-11 19:09 – Updated: 2025-03-11 19:53
VLAI
Title
Inefficient RexExp complexity in generated code with .replace when transpiling named capturing groups
Summary
Babel is a compiler for writing next generation JavaScript. When using versions of Babel prior to 7.26.10 and 8.0.0-alpha.17 to compile regular expression named capturing groups, Babel will generate a polyfill for the `.replace` method that has quadratic complexity on some specific replacement pattern strings (i.e. the second argument passed to `.replace`). Generated code is vulnerable if all the following conditions are true: Using Babel to compile regular expression named capturing groups, using the `.replace` method on a regular expression that contains named capturing groups, and the code using untrusted strings as the second argument of `.replace`. This problem has been fixed in `@babel/helpers` and `@babel/runtime` 7.26.10 and 8.0.0-alpha.17. It's likely that individual users do not directly depend on `@babel/helpers`, and instead depend on `@babel/core` (which itself depends on `@babel/helpers`). Upgrading to `@babel/core` 7.26.10 is not required, but it guarantees use of a new enough `@babel/helpers` version. Note that just updating Babel dependencies is not enough; one will also need to re-compile the code. No known workarounds are available.
SSVC
Exploitation: poc Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-1333 - Inefficient Regular Expression Complexity
Assigner
References
Impacted products
Vendor Product Version
babel babel Affected: < 7.26.10
Affected: >= 8.0.0-alpha.0, < 8.0.0-alpha.17
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-27789",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-11T19:53:22.902147Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-11T19:53:42.811Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "babel",
          "vendor": "babel",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 7.26.10"
            },
            {
              "status": "affected",
              "version": "\u003e= 8.0.0-alpha.0, \u003c 8.0.0-alpha.17"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Babel is a compiler for writing next generation JavaScript. When using versions of Babel prior to 7.26.10 and 8.0.0-alpha.17 to compile regular expression named capturing groups, Babel will generate a polyfill for the `.replace` method that has quadratic complexity on some specific replacement pattern strings (i.e. the second argument passed to `.replace`). Generated code is vulnerable if all the following conditions are true: Using Babel to compile regular expression named capturing groups, using the `.replace` method on a regular expression that contains named capturing groups, and the code using untrusted strings as the second argument of `.replace`. This problem has been fixed in `@babel/helpers` and `@babel/runtime` 7.26.10 and 8.0.0-alpha.17. It\u0027s likely that individual users do not directly depend on `@babel/helpers`, and instead depend on `@babel/core` (which itself depends on `@babel/helpers`). Upgrading to `@babel/core` 7.26.10 is not required, but it guarantees use of a new enough `@babel/helpers` version. Note that just updating Babel dependencies is not enough; one will also need to re-compile the code. No known workarounds are available."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 6.2,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1333",
              "description": "CWE-1333: Inefficient Regular Expression Complexity",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-03-11T19:09:28.146Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/babel/babel/security/advisories/GHSA-968p-4wvh-cqc8",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/babel/babel/security/advisories/GHSA-968p-4wvh-cqc8"
        },
        {
          "name": "https://github.com/babel/babel/pull/17173",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/babel/babel/pull/17173"
        }
      ],
      "source": {
        "advisory": "GHSA-968p-4wvh-cqc8",
        "discovery": "UNKNOWN"
      },
      "title": "Inefficient RexExp complexity in generated code with .replace when transpiling named capturing groups"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-27789",
    "datePublished": "2025-03-11T19:09:28.146Z",
    "dateReserved": "2025-03-06T18:06:54.462Z",
    "dateUpdated": "2025-03-11T19:53:42.811Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-27220 (GCVE-0-2025-27220)

Vulnerability from cvelistv5 – Published: 2025-03-03 00:00 – Updated: 2025-11-03 21:13
VLAI
Summary
In the CGI gem before 0.4.2 for Ruby, a Regular Expression Denial of Service (ReDoS) vulnerability exists in the Util#escapeElement method.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-1333 - Inefficient Regular Expression Complexity
Assigner
Impacted products
Vendor Product Version
ruby-lang CGI Affected: 0 , < 0.3.5.1 (custom)
Affected: 0.3.6 , < 0.3.7 (custom)
Affected: 0.4.0 , < 0.4.2 (custom)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-27220",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-04T16:39:36.614961Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-04T16:40:22.900Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T21:13:25.250Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00008.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "CGI",
          "vendor": "ruby-lang",
          "versions": [
            {
              "lessThan": "0.3.5.1",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            },
            {
              "lessThan": "0.3.7",
              "status": "affected",
              "version": "0.3.6",
              "versionType": "custom"
            },
            {
              "lessThan": "0.4.2",
              "status": "affected",
              "version": "0.4.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:ruby-lang:cgi:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "0.3.5.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:ruby-lang:cgi:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "0.3.7",
                  "versionStartIncluding": "0.3.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:ruby-lang:cgi:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "0.4.2",
                  "versionStartIncluding": "0.4.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the CGI gem before 0.4.2 for Ruby, a Regular Expression Denial of Service (ReDoS) vulnerability exists in the Util#escapeElement method."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1333",
              "description": "CWE-1333 Inefficient Regular Expression Complexity",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-03-03T23:46:21.977Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://hackerone.com/reports/2890322"
        },
        {
          "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/cgi/CVE-2025-27220.yml"
        }
      ],
      "x_generator": {
        "engine": "enrichogram 0.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2025-27220",
    "datePublished": "2025-03-03T00:00:00.000Z",
    "dateReserved": "2025-02-20T00:00:00.000Z",
    "dateUpdated": "2025-11-03T21:13:25.250Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-25290 (GCVE-0-2025-25290)

Vulnerability from cvelistv5 – Published: 2025-02-14 19:37 – Updated: 2026-01-16 17:29
VLAI
Title
@octokit/request has a Regular Expression in fetchWrapper that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking
Summary
@octokit/request sends parameterized requests to GitHub’s APIs with sensible defaults in browsers and Node. Starting in version 1.0.0 and prior to versions 9.2.1 and 8.4.1, the regular expression `/<([^>]+)>; rel="deprecation"/` used to match the `link` header in HTTP responses is vulnerable to a ReDoS (Regular Expression Denial of Service) attack. This vulnerability arises due to the unbounded nature of the regex's matching behavior, which can lead to catastrophic backtracking when processing specially crafted input. An attacker could exploit this flaw by sending a malicious `link` header, resulting in excessive CPU usage and potentially causing the server to become unresponsive, impacting service availability. Versions 9.2.1 and 8.4.1 fix the issue.
SSVC
Exploitation: poc Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-1333 - Inefficient Regular Expression Complexity
Assigner
Impacted products
Vendor Product Version
octokit request.js Affected: >= 1.0.0, < 9.2.1
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-25290",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-14T20:04:29.499678Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-14T20:04:42.662Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "request.js",
          "vendor": "octokit",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.0.0, \u003c 9.2.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "@octokit/request sends parameterized requests to GitHub\u2019s APIs with sensible defaults in browsers and Node. Starting in version 1.0.0 and prior to versions 9.2.1 and 8.4.1, the regular expression `/\u003c([^\u003e]+)\u003e; rel=\"deprecation\"/` used to match the `link` header in HTTP responses is vulnerable to a ReDoS (Regular Expression Denial of Service) attack. This vulnerability arises due to the unbounded nature of the regex\u0027s matching behavior, which can lead to catastrophic backtracking when processing specially crafted input. An attacker could exploit this flaw by sending a malicious `link` header, resulting in excessive CPU usage and potentially causing the server to become unresponsive, impacting service availability. Versions 9.2.1 and 8.4.1 fix the issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1333",
              "description": "CWE-1333: Inefficient Regular Expression Complexity",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-16T17:29:06.418Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/octokit/request.js/security/advisories/GHSA-rmvr-2pp2-xj38",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/octokit/request.js/security/advisories/GHSA-rmvr-2pp2-xj38"
        },
        {
          "name": "https://github.com/octokit/request.js/commit/34ff07ee86fc5c20865982d77391bc910ef19c68",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/octokit/request.js/commit/34ff07ee86fc5c20865982d77391bc910ef19c68"
        },
        {
          "name": "https://github.com/octokit/request.js/commit/356411e3217019aa9fc8a68f4236af82490873c2",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/octokit/request.js/commit/356411e3217019aa9fc8a68f4236af82490873c2"
        },
        {
          "name": "https://github.com/octokit/request.js/commit/6bb29ba92a52f7bf94469c3433707c682c17126c",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/octokit/request.js/commit/6bb29ba92a52f7bf94469c3433707c682c17126c"
        },
        {
          "name": "https://github.com/octokit/request.js/releases/tag/v8.4.1",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/octokit/request.js/releases/tag/v8.4.1"
        },
        {
          "name": "https://github.com/octokit/request.js/releases/tag/v9.2.1",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/octokit/request.js/releases/tag/v9.2.1"
        }
      ],
      "source": {
        "advisory": "GHSA-rmvr-2pp2-xj38",
        "discovery": "UNKNOWN"
      },
      "title": "@octokit/request has a Regular Expression in fetchWrapper that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-25290",
    "datePublished": "2025-02-14T19:37:47.110Z",
    "dateReserved": "2025-02-06T17:13:33.122Z",
    "dateUpdated": "2026-01-16T17:29:06.418Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-25289 (GCVE-0-2025-25289)

Vulnerability from cvelistv5 – Published: 2025-02-14 19:35 – Updated: 2025-02-14 20:08
VLAI
Title
@octokit/request-error has a Regular Expression in index that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking
Summary
@octokit/request-error is an error class for Octokit request errors. Starting in version 1.0.0 and prior to version 6.1.7, a Regular Expression Denial of Service (ReDoS) vulnerability exists in the processing of HTTP request headers. By sending an authorization header containing an excessively long sequence of spaces followed by a newline and "@", an attacker can exploit inefficient regular expression processing, leading to excessive resource consumption. This can significantly degrade server performance or cause a denial-of-service (DoS) condition, impacting availability. Version 6.1.7 contains a fix for the issue.
SSVC
Exploitation: poc Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-1333 - Inefficient Regular Expression Complexity
Assigner
Impacted products
Vendor Product Version
octokit request-error.js Affected: >= 1.0.0, < 6.1.7
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-25289",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-14T20:08:24.260356Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-14T20:08:32.674Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "request-error.js",
          "vendor": "octokit",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.0.0, \u003c 6.1.7"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "@octokit/request-error is an error class for Octokit request errors. Starting in version 1.0.0 and prior to version 6.1.7, a Regular Expression Denial of Service (ReDoS) vulnerability exists in the processing of HTTP request headers. By sending an authorization header containing an excessively long sequence of spaces followed by a newline and \"@\", an attacker can exploit inefficient regular expression processing, leading to excessive resource consumption. This can significantly degrade server performance or cause a denial-of-service (DoS) condition, impacting availability. Version 6.1.7 contains a fix for the issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1333",
              "description": "CWE-1333: Inefficient Regular Expression Complexity",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-02-14T19:35:19.998Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/octokit/request-error.js/security/advisories/GHSA-xx4v-prfh-6cgc",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/octokit/request-error.js/security/advisories/GHSA-xx4v-prfh-6cgc"
        },
        {
          "name": "https://github.com/octokit/request-error.js/commit/d558320874a4bc8d356babf1079e6f0056a59b9e",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/octokit/request-error.js/commit/d558320874a4bc8d356babf1079e6f0056a59b9e"
        },
        {
          "name": "https://github.com/octokit/request-error.js/blob/main/src/index.ts",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/octokit/request-error.js/blob/main/src/index.ts"
        }
      ],
      "source": {
        "advisory": "GHSA-xx4v-prfh-6cgc",
        "discovery": "UNKNOWN"
      },
      "title": "@octokit/request-error has a Regular Expression in index that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-25289",
    "datePublished": "2025-02-14T19:35:19.998Z",
    "dateReserved": "2025-02-06T17:13:33.122Z",
    "dateUpdated": "2025-02-14T20:08:32.674Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-25288 (GCVE-0-2025-25288)

Vulnerability from cvelistv5 – Published: 2025-02-14 19:33 – Updated: 2025-02-14 20:18
VLAI
Title
@octokit/plugin-paginate-rest has a Regular Expression in iterator that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking
Summary
@octokit/plugin-paginate-rest is the Octokit plugin to paginate REST API endpoint responses. For versions starting in 1.0.0 and prior to 11.4.1 of the npm package `@octokit/plugin-paginate-rest`, when calling `octokit.paginate.iterator()`, a specially crafted `octokit` instance—particularly with a malicious `link` parameter in the `headers` section of the `request`—can trigger a ReDoS attack. Version 11.4.1 contains a fix for the issue.
SSVC
Exploitation: poc Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-1333 - Inefficient Regular Expression Complexity
Assigner
Impacted products
Vendor Product Version
octokit plugin-paginate-rest.js Affected: >= 1.0.0, < 11.4.1
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-25288",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-14T20:18:16.720034Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-14T20:18:26.404Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "plugin-paginate-rest.js",
          "vendor": "octokit",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.0.0, \u003c 11.4.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "@octokit/plugin-paginate-rest is the Octokit plugin to paginate REST API endpoint responses. For versions starting in 1.0.0 and prior to 11.4.1 of the npm package `@octokit/plugin-paginate-rest`, when calling `octokit.paginate.iterator()`, a specially crafted `octokit` instance\u2014particularly with a malicious `link` parameter in the `headers` section of the `request`\u2014can trigger a ReDoS attack. Version 11.4.1 contains a fix for the issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1333",
              "description": "CWE-1333: Inefficient Regular Expression Complexity",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-02-14T19:33:43.428Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/octokit/plugin-paginate-rest.js/security/advisories/GHSA-h5c3-5r3r-rr8q",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/octokit/plugin-paginate-rest.js/security/advisories/GHSA-h5c3-5r3r-rr8q"
        },
        {
          "name": "https://github.com/octokit/plugin-paginate-rest.js/commit/bb6c4f945d8023902cf387391d2b2209261044ab",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/octokit/plugin-paginate-rest.js/commit/bb6c4f945d8023902cf387391d2b2209261044ab"
        },
        {
          "name": "https://github.com/octokit/plugin-paginate-rest.js/blob/main/src/iterator.ts",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/octokit/plugin-paginate-rest.js/blob/main/src/iterator.ts"
        }
      ],
      "source": {
        "advisory": "GHSA-h5c3-5r3r-rr8q",
        "discovery": "UNKNOWN"
      },
      "title": "@octokit/plugin-paginate-rest has a Regular Expression in iterator that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-25288",
    "datePublished": "2025-02-14T19:33:43.428Z",
    "dateReserved": "2025-02-06T17:13:33.122Z",
    "dateUpdated": "2025-02-14T20:18:26.404Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-25285 (GCVE-0-2025-25285)

Vulnerability from cvelistv5 – Published: 2025-02-14 19:31 – Updated: 2025-02-14 19:44
VLAI
Title
@octokit/endpoint has a Regular Expression in parse that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking
Summary
@octokit/endpoint turns REST API endpoints into generic request options. Starting in version 4.1.0 and prior to version 10.1.3, by crafting specific `options` parameters, the `endpoint.parse(options)` call can be triggered, leading to a regular expression denial-of-service (ReDoS) attack. This causes the program to hang and results in high CPU utilization. The issue occurs in the `parse` function within the `parse.ts` file of the npm package `@octokit/endpoint`. Version 10.1.3 contains a patch for the issue.
SSVC
Exploitation: poc Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-1333 - Inefficient Regular Expression Complexity
Assigner
Impacted products
Vendor Product Version
octokit endpoint.js Affected: >= 4.1.0, < 10.1.3
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-25285",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-14T19:42:58.912811Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-14T19:44:09.952Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "endpoint.js",
          "vendor": "octokit",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 4.1.0, \u003c 10.1.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "@octokit/endpoint turns REST API endpoints into generic request options. Starting in version 4.1.0 and prior to version 10.1.3, by crafting specific `options` parameters, the `endpoint.parse(options)` call can be triggered, leading to a regular expression denial-of-service (ReDoS) attack. This causes the program to hang and results in high CPU utilization. The issue occurs in the `parse` function within the `parse.ts` file of the npm package `@octokit/endpoint`. Version 10.1.3 contains a patch for the issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1333",
              "description": "CWE-1333: Inefficient Regular Expression Complexity",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-02-14T19:31:44.827Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/octokit/endpoint.js/security/advisories/GHSA-x4c5-c7rf-jjgv",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/octokit/endpoint.js/security/advisories/GHSA-x4c5-c7rf-jjgv"
        },
        {
          "name": "https://github.com/octokit/endpoint.js/commit/6c9c5be033c450d436efb37de41b6470c22f7db8",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/octokit/endpoint.js/commit/6c9c5be033c450d436efb37de41b6470c22f7db8"
        },
        {
          "name": "https://github.com/octokit/endpoint.js/blob/main/src/parse.ts",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/octokit/endpoint.js/blob/main/src/parse.ts"
        }
      ],
      "source": {
        "advisory": "GHSA-x4c5-c7rf-jjgv",
        "discovery": "UNKNOWN"
      },
      "title": "@octokit/endpoint has a Regular Expression in parse that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-25285",
    "datePublished": "2025-02-14T19:31:44.827Z",
    "dateReserved": "2025-02-06T17:13:33.121Z",
    "dateUpdated": "2025-02-14T19:44:09.952Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-25283 (GCVE-0-2025-25283)

Vulnerability from cvelistv5 – Published: 2025-02-12 18:21 – Updated: 2025-02-12 19:25
VLAI
Title
parse-duraton vulnerable to Regex Denial of Service that results in event loop delay and out of memory
Summary
parse-duraton is software that allows users to convert a human readable duration to milliseconds. Versions prior to 2.1.3 are vulnerable to an event loop delay due to the CPU-bound operation of resolving the provided string, from a 0.5ms and up to ~50ms per one operation, with a varying size from 0.01 MB and up to 4.3 MB respectively, and an out of memory that would crash a running Node.js application due to a string size of roughly 10 MB that utilizes unicode characters. Version 2.1.3 contains a patch.
SSVC
Exploitation: poc Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-1333 - Inefficient Regular Expression Complexity
Assigner
Impacted products
Vendor Product Version
jkroso parse-duration Affected: < 2.1.3
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-25283",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-12T19:25:33.773917Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-12T19:25:45.402Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "parse-duration",
          "vendor": "jkroso",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2.1.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "parse-duraton is software that allows users to convert a human readable duration to milliseconds. Versions prior to 2.1.3 are vulnerable to an event loop delay due to the CPU-bound operation of resolving the provided string, from a 0.5ms and up to ~50ms per one operation, with a varying size from 0.01 MB and up to 4.3 MB respectively, and an out of memory that would crash a running Node.js application due to a string size of roughly 10 MB that utilizes unicode characters. Version 2.1.3 contains a patch."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1333",
              "description": "CWE-1333: Inefficient Regular Expression Complexity",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-02-12T18:21:48.693Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/jkroso/parse-duration/security/advisories/GHSA-hcrg-fc28-fcg5",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/jkroso/parse-duration/security/advisories/GHSA-hcrg-fc28-fcg5"
        },
        {
          "name": "https://github.com/jkroso/parse-duration/commit/9e88421bfd41806fa4b473bfb28a9ee9dafc27d7",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/jkroso/parse-duration/commit/9e88421bfd41806fa4b473bfb28a9ee9dafc27d7"
        },
        {
          "name": "https://github.com/jkroso/parse-duration/releases/tag/v2.1.3",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/jkroso/parse-duration/releases/tag/v2.1.3"
        }
      ],
      "source": {
        "advisory": "GHSA-hcrg-fc28-fcg5",
        "discovery": "UNKNOWN"
      },
      "title": "parse-duraton vulnerable to Regex Denial of Service that results in event loop delay and out of memory"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-25283",
    "datePublished": "2025-02-12T18:21:48.693Z",
    "dateReserved": "2025-02-06T17:13:33.121Z",
    "dateUpdated": "2025-02-12T19:25:45.402Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-25200 (GCVE-0-2025-25200)

Vulnerability from cvelistv5 – Published: 2025-02-12 17:59 – Updated: 2025-02-12 19:29
VLAI
Title
Koa has Inefficient Regular Expression Complexity
Summary
Koa is expressive middleware for Node.js using ES2017 async functions. Prior to versions 0.21.2, 1.7.1, 2.15.4, and 3.0.0-alpha.3, Koa uses an evil regex to parse the `X-Forwarded-Proto` and `X-Forwarded-Host` HTTP headers. This can be exploited to carry out a Denial-of-Service attack. Versions 0.21.2, 1.7.1, 2.15.4, and 3.0.0-alpha.3 fix the issue.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-1333 - Inefficient Regular Expression Complexity
Assigner
Impacted products
Vendor Product Version
koajs koa Affected: < 0.21.2
Affected: >= 1.0.0, < 1.7.1
Affected: >= 2.0.0-alpha.1, < 2.15.4
Affected: >= 3.0.0-alpha.0, < < 3.0.0-alpha.3
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-25200",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-12T18:33:35.286450Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-12T19:29:10.232Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "koa",
          "vendor": "koajs",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.21.2"
            },
            {
              "status": "affected",
              "version": "\u003e= 1.0.0, \u003c 1.7.1"
            },
            {
              "status": "affected",
              "version": "\u003e= 2.0.0-alpha.1, \u003c 2.15.4"
            },
            {
              "status": "affected",
              "version": "\u003e= 3.0.0-alpha.0, \u003c \u003c 3.0.0-alpha.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Koa is expressive middleware for Node.js using ES2017 async functions. Prior to versions 0.21.2, 1.7.1, 2.15.4, and 3.0.0-alpha.3, Koa uses an evil regex to parse the `X-Forwarded-Proto` and `X-Forwarded-Host` HTTP headers. This can be exploited to carry out a Denial-of-Service attack. Versions 0.21.2, 1.7.1, 2.15.4, and 3.0.0-alpha.3 fix the issue."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 9.2,
            "baseSeverity": "CRITICAL",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1333",
              "description": "CWE-1333: Inefficient Regular Expression Complexity",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-02-12T17:59:04.615Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/koajs/koa/security/advisories/GHSA-593f-38f6-jp5m",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/koajs/koa/security/advisories/GHSA-593f-38f6-jp5m"
        },
        {
          "name": "https://github.com/koajs/koa/commit/5054af6e31ffd451a4151a1fe144cef6e5d0d83c",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/koajs/koa/commit/5054af6e31ffd451a4151a1fe144cef6e5d0d83c"
        },
        {
          "name": "https://github.com/koajs/koa/commit/5f294bb1c7c8d9c61904378d250439a321bffd32",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/koajs/koa/commit/5f294bb1c7c8d9c61904378d250439a321bffd32"
        },
        {
          "name": "https://github.com/koajs/koa/commit/93fe903fc966635a991bcf890cfc3427d33a1a08",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/koajs/koa/commit/93fe903fc966635a991bcf890cfc3427d33a1a08"
        },
        {
          "name": "https://github.com/koajs/koa/blob/master/lib/request.js#L259",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/koajs/koa/blob/master/lib/request.js#L259"
        },
        {
          "name": "https://github.com/koajs/koa/blob/master/lib/request.js#L404",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/koajs/koa/blob/master/lib/request.js#L404"
        },
        {
          "name": "https://github.com/koajs/koa/releases/tag/2.15.4",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/koajs/koa/releases/tag/2.15.4"
        }
      ],
      "source": {
        "advisory": "GHSA-593f-38f6-jp5m",
        "discovery": "UNKNOWN"
      },
      "title": "Koa has Inefficient Regular Expression Complexity"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-25200",
    "datePublished": "2025-02-12T17:59:04.615Z",
    "dateReserved": "2025-02-03T19:30:53.400Z",
    "dateUpdated": "2025-02-12T19:29:10.232Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Mitigation
Architecture and Design

Use regular expressions that do not support backtracking, e.g. by removing nested quantifiers.

Mitigation
System Configuration

Set backtracking limits in the configuration of the regular expression implementation, such as PHP's pcre.backtrack_limit. Also consider limits on execution time for the process.

Mitigation
Implementation

Do not use regular expressions with untrusted input. If regular expressions must be used, avoid using backtracking in the expression.

Mitigation
Implementation

Limit the length of the input that the regular expression will process.

CAPEC-492: Regular Expression Exponential Blowup

An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions.