CWE-1333
AllowedInefficient Regular Expression Complexity
Abstraction: Base · Status: Draft
The product uses a regular expression with a worst-case computational complexity that is inefficient and possibly exponential.
724 vulnerabilities reference this CWE, most recent first.
GHSA-27V5-C462-WPQ7
Vulnerability from github – Published: 2026-03-27 22:23 – Updated: 2026-03-27 22:23Impact
When using multiple wildcards, combined with at least one parameter, a regular expression can be generated that is vulnerable to ReDoS. This backtracking vulnerability requires the second wildcard to be somewhere other than the end of the path.
Unsafe examples:
/*foo-*bar-:baz
/*a-:b-*c-:d
/x/*a-:b/*c/y
Safe examples:
/*foo-:bar
/*foo-:bar-*baz
Patches
Upgrade to version 8.4.0.
Workarounds
If developers are using multiple wildcard parameters, they can check the regex output with a tool such as https://makenowjust-labs.github.io/recheck/playground/ to confirm whether a path is vulnerable.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "path-to-regexp"
},
"ranges": [
{
"events": [
{
"introduced": "8.0.0"
},
{
"fixed": "8.4.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-4923"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-27T22:23:52Z",
"nvd_published_at": "2026-03-26T19:17:08Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nWhen using multiple wildcards, combined with at least one parameter, a regular expression can be generated that is vulnerable to ReDoS. This backtracking vulnerability requires the second wildcard to be somewhere other than the end of the path.\n\n**Unsafe examples:**\n\n```\n/*foo-*bar-:baz\n/*a-:b-*c-:d\n/x/*a-:b/*c/y\n```\n\n**Safe examples:**\n\n```\n/*foo-:bar\n/*foo-:bar-*baz\n```\n\n### Patches\n\nUpgrade to version `8.4.0`.\n\n### Workarounds\n\nIf developers are using multiple wildcard parameters, they can check the regex output with a tool such as https://makenowjust-labs.github.io/recheck/playground/ to confirm whether a path is vulnerable.",
"id": "GHSA-27v5-c462-wpq7",
"modified": "2026-03-27T22:23:52Z",
"published": "2026-03-27T22:23:52Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-27v5-c462-wpq7"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4923"
},
{
"type": "WEB",
"url": "https://cna.openjsf.org/security-advisories.html"
},
{
"type": "PACKAGE",
"url": "https://github.com/pillarjs/path-to-regexp"
},
{
"type": "WEB",
"url": "https://makenowjust-labs.github.io/recheck/playground"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "path-to-regexp vulnerable to Regular Expression Denial of Service via multiple wildcards"
}
GHSA-28J9-FQ4C-QRQG
Vulnerability from github – Published: 2024-06-13 00:31 – Updated: 2024-06-13 00:31An issue has been discovered in GitLab CE/EE affecting all versions prior to 16.10.7, starting from 16.11 prior to 16.11.4, and starting from 17.0 prior to 17.0.2. A vulnerability in GitLab's CI/CD pipeline editor could allow for denial of service attacks through maliciously crafted configuration files.
{
"affected": [],
"aliases": [
"CVE-2024-1736"
],
"database_specific": {
"cwe_ids": [
"CWE-1333",
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-12T23:15:49Z",
"severity": "MODERATE"
},
"details": "An issue has been discovered in GitLab CE/EE affecting all versions prior to 16.10.7, starting from 16.11 prior to 16.11.4, and starting from 17.0 prior to 17.0.2. A vulnerability in GitLab\u0027s CI/CD pipeline editor could allow for denial of service attacks through maliciously crafted configuration files.",
"id": "GHSA-28j9-fq4c-qrqg",
"modified": "2024-06-13T00:31:23Z",
"published": "2024-06-13T00:31:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1736"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/2358689"
},
{
"type": "WEB",
"url": "https://about.gitlab.com/releases/2024/06/12/patch-release-gitlab-17-0-2-released/#redos-in-ci-interpolation-fix-bypass"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/442695"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-28V4-JF82-JVJ8
Vulnerability from github – Published: 2022-09-16 00:00 – Updated: 2022-09-21 21:07A Regular Expression Denial of Service (ReDoS) flaw was found in stealjs steal via the source and sourceWithComments variable in main.js.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "steal"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "2.3.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-37262"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2022-09-21T21:07:52Z",
"nvd_published_at": "2022-09-15T16:15:00Z",
"severity": "HIGH"
},
"details": "A Regular Expression Denial of Service (ReDoS) flaw was found in stealjs steal via the source and sourceWithComments variable in main.js.",
"id": "GHSA-28v4-jf82-jvj8",
"modified": "2022-09-21T21:07:52Z",
"published": "2022-09-16T00:00:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37262"
},
{
"type": "WEB",
"url": "https://github.com/stealjs/steal/issues/1531"
},
{
"type": "PACKAGE",
"url": "https://github.com/stealjs/steal"
},
{
"type": "WEB",
"url": "https://github.com/stealjs/steal/blob/c9dd1eb19ed3f97aeb93cf9dcea5d68ad5d0ced9/main.js#L3497"
},
{
"type": "WEB",
"url": "https://github.com/stealjs/steal/blob/c9dd1eb19ed3f97aeb93cf9dcea5d68ad5d0ced9/main.js#L3507"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "steal vulnerable to Regular Expression Denial of Service via source and sourceWithComments"
}
GHSA-29MW-WPGM-HMR9
Vulnerability from github – Published: 2022-01-06 20:30 – Updated: 2025-09-29 20:19All versions of package lodash prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.
Steps to reproduce (provided by reporter Liyuan Chen):
var lo = require('lodash');
function build_blank(n) {
var ret = "1"
for (var i = 0; i < n; i++) {
ret += " "
}
return ret + "1";
}
var s = build_blank(50000) var time0 = Date.now();
lo.trim(s)
var time_cost0 = Date.now() - time0;
console.log("time_cost0: " + time_cost0);
var time1 = Date.now();
lo.toNumber(s) var time_cost1 = Date.now() - time1;
console.log("time_cost1: " + time_cost1);
var time2 = Date.now();
lo.trimEnd(s);
var time_cost2 = Date.now() - time2;
console.log("time_cost2: " + time_cost2);
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "lodash"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0"
},
{
"fixed": "4.17.21"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "lodash-es"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0"
},
{
"fixed": "4.17.21"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "lodash.trimend"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0"
},
{
"last_affected": "4.5.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "lodash.trim"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0"
},
{
"last_affected": "4.5.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "lodash-rails"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0"
},
{
"fixed": "4.17.21"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-28500"
],
"database_specific": {
"cwe_ids": [
"CWE-1333",
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2021-03-19T22:45:28Z",
"nvd_published_at": "2021-02-15T11:15:00Z",
"severity": "MODERATE"
},
"details": "All versions of package lodash prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the `toNumber`, `trim` and `trimEnd` functions. \n\nSteps to reproduce (provided by reporter Liyuan Chen):\n```js\nvar lo = require(\u0027lodash\u0027);\n\nfunction build_blank(n) {\n var ret = \"1\"\n for (var i = 0; i \u003c n; i++) {\n ret += \" \"\n }\n return ret + \"1\";\n}\nvar s = build_blank(50000) var time0 = Date.now();\nlo.trim(s) \nvar time_cost0 = Date.now() - time0;\nconsole.log(\"time_cost0: \" + time_cost0);\nvar time1 = Date.now();\nlo.toNumber(s) var time_cost1 = Date.now() - time1;\nconsole.log(\"time_cost1: \" + time_cost1);\nvar time2 = Date.now();\nlo.trimEnd(s);\nvar time_cost2 = Date.now() - time2;\nconsole.log(\"time_cost2: \" + time_cost2);\n```",
"id": "GHSA-29mw-wpgm-hmr9",
"modified": "2025-09-29T20:19:45Z",
"published": "2022-01-06T20:30:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28500"
},
{
"type": "WEB",
"url": "https://github.com/github/advisory-database/pull/6139"
},
{
"type": "WEB",
"url": "https://github.com/lodash/lodash/pull/5065"
},
{
"type": "WEB",
"url": "https://github.com/lodash/lodash/pull/5065/commits/02906b8191d3c100c193fe6f7b27d1c40f200bb7"
},
{
"type": "WEB",
"url": "https://github.com/lodash/lodash/commit/c4847ebe7d14540bb28a8b932a9ce1b9ecbfee1a"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JS-LODASH-1018905"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074893"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074895"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074892"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074894"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074896"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20210312-0006"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2020-28500.yml"
},
{
"type": "WEB",
"url": "https://github.com/lodash/lodash/blob/npm/trimEnd.js%23L8"
},
{
"type": "PACKAGE",
"url": "https://github.com/lodash/lodash"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "Regular Expression Denial of Service (ReDoS) in lodash"
}
GHSA-2C8V-3247-5W53
Vulnerability from github – Published: 2022-10-01 00:00 – Updated: 2022-10-06 00:00Dell Hybrid Client prior to version 1.8 contains a Regular Expression Denial of Service Vulnerability in the UI. An adversary with WMS group admin access could potentially exploit this vulnerability, leading to temporary denial-of-service.
{
"affected": [],
"aliases": [
"CVE-2022-34428"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-09-30T20:15:00Z",
"severity": "LOW"
},
"details": "Dell Hybrid Client prior to version 1.8 contains a Regular Expression Denial of Service Vulnerability in the UI. An adversary with WMS group admin access could potentially exploit this vulnerability, leading to temporary denial-of-service.",
"id": "GHSA-2c8v-3247-5w53",
"modified": "2022-10-06T00:00:56Z",
"published": "2022-10-01T00:00:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34428"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/en-us/000203345/dsa-2022-260-dell-hybrid-client-security-update-for-multiple-vulnerabilities"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-2G4F-4PWH-QVX6
Vulnerability from github – Published: 2026-02-11 21:30 – Updated: 2026-03-02 21:58ajv (Another JSON Schema Validator) through version 8.17.1 is vulnerable to Regular Expression Denial of Service (ReDoS) when the $data option is enabled. The pattern keyword accepts runtime data via JSON Pointer syntax ($data reference), which is passed directly to the JavaScript RegExp() constructor without validation. An attacker can inject a malicious regex pattern (e.g., \"^(a|a)*$\") combined with crafted input to cause catastrophic backtracking. A 31-character payload causes approximately 44 seconds of CPU blocking, with each additional character doubling execution time. This enables complete denial of service with a single HTTP request against any API using ajv with $data: true for dynamic schema validation.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "ajv"
},
"ranges": [
{
"events": [
{
"introduced": "7.0.0-alpha.0"
},
{
"fixed": "8.18.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "ajv"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.14.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-69873"
],
"database_specific": {
"cwe_ids": [
"CWE-1333",
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-17T16:38:57Z",
"nvd_published_at": "2026-02-11T19:15:50Z",
"severity": "MODERATE"
},
"details": "ajv (Another JSON Schema Validator) through version 8.17.1 is vulnerable to Regular Expression Denial of Service (ReDoS) when the `$data` option is enabled. The pattern keyword accepts runtime data via JSON Pointer syntax (`$data` reference), which is passed directly to the JavaScript `RegExp()` constructor without validation. An attacker can inject a malicious regex pattern (e.g., `\\\"^(a|a)*$\\\"`) combined with crafted input to cause catastrophic backtracking. A 31-character payload causes approximately 44 seconds of CPU blocking, with each additional character doubling execution time. This enables complete denial of service with a single HTTP request against any API using ajv with `$data`: true for dynamic schema validation.",
"id": "GHSA-2g4f-4pwh-qvx6",
"modified": "2026-03-02T21:58:39Z",
"published": "2026-02-11T21:30:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69873"
},
{
"type": "WEB",
"url": "https://github.com/ajv-validator/ajv/pull/2586"
},
{
"type": "WEB",
"url": "https://github.com/ajv-validator/ajv/pull/2588"
},
{
"type": "WEB",
"url": "https://github.com/ajv-validator/ajv/pull/2590"
},
{
"type": "WEB",
"url": "https://github.com/github/advisory-database/pull/6991"
},
{
"type": "WEB",
"url": "https://github.com/ajv-validator/ajv/commit/720a23fa453ffae8340e92c9b0fe886c54cfe0d5"
},
{
"type": "WEB",
"url": "https://github.com/EthanKim88/ethan-cve-disclosures/blob/main/CVE-2025-69873-ajv-ReDoS.md"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-2g4f-4pwh-qvx6"
},
{
"type": "PACKAGE",
"url": "https://github.com/ajv-validator/ajv"
},
{
"type": "WEB",
"url": "https://github.com/ajv-validator/ajv/releases/tag/v6.14.0"
},
{
"type": "WEB",
"url": "https://github.com/ajv-validator/ajv/releases/tag/v8.18.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "ajv has ReDoS when using `$data` option"
}
GHSA-2G7M-PH9X-7Q7M
Vulnerability from github – Published: 2025-07-24 21:30 – Updated: 2025-07-28 14:53ReDoS in strip_whitespaces() function in cps/string_helper.py in Calibre Web and Autocaliweb allows unauthenticated remote attackers to cause denial of service via specially crafted username parameter that triggers catastrophic backtracking during login. This issue affects Calibre Web: 0.6.24 (Nicolette); Autocaliweb: from 0.7.0 before 0.7.1.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "calibreweb"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.6.24"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-6998"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2025-07-28T14:53:43Z",
"nvd_published_at": "2025-07-24T20:15:27Z",
"severity": "HIGH"
},
"details": "ReDoS in strip_whitespaces() function in cps/string_helper.py in Calibre Web and Autocaliweb allows unauthenticated remote attackers to cause denial of service via specially crafted username parameter that triggers catastrophic backtracking during login. This issue affects Calibre Web: 0.6.24 (Nicolette); Autocaliweb: from 0.7.0 before 0.7.1.",
"id": "GHSA-2g7m-ph9x-7q7m",
"modified": "2025-07-28T14:53:43Z",
"published": "2025-07-24T21:30:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6998"
},
{
"type": "WEB",
"url": "https://fluidattacks.com/advisories/megadeth"
},
{
"type": "WEB",
"url": "https://github.com/gelbphoenix/autocaliweb"
},
{
"type": "PACKAGE",
"url": "https://github.com/janeczku/calibre-web"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Calibre Web and Autocaliweb have a ReDoS vulnerability"
}
GHSA-2HHC-F86X-X74F
Vulnerability from github – Published: 2022-05-24 17:03 – Updated: 2023-10-26 20:49A user-supplied regular expression in Jenkins Build Failure Analyzer Plugin 1.24.1 and earlier was processed in a way that wasn't interruptible, allowing attackers to have Jenkins evaluate a regular expression without the ability to interrupt this process.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "com.sonyericsson.jenkins.plugins.bfa:build-failure-analyzer"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.24.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2019-16555"
],
"database_specific": {
"cwe_ids": [
"CWE-1333",
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2022-11-01T22:49:28Z",
"nvd_published_at": "2019-12-17T15:15:00Z",
"severity": "MODERATE"
},
"details": "A user-supplied regular expression in Jenkins Build Failure Analyzer Plugin 1.24.1 and earlier was processed in a way that wasn\u0027t interruptible, allowing attackers to have Jenkins evaluate a regular expression without the ability to interrupt this process.",
"id": "GHSA-2hhc-f86x-x74f",
"modified": "2023-10-26T20:49:01Z",
"published": "2022-05-24T17:03:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-16555"
},
{
"type": "WEB",
"url": "https://github.com/jenkinsci/build-failure-analyzer-plugin/commit/f316c885552ac75289cbb11b2af5757f18784bcb"
},
{
"type": "WEB",
"url": "https://jenkins.io/security/advisory/2019-12-17/#SECURITY-1651"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2019/12/17/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Inefficient Regular Expression Complexity in Jenkins Build Failure Analyzer Plugin"
}
GHSA-2J79-8PQC-R7X6
Vulnerability from github – Published: 2022-10-01 00:00 – Updated: 2023-04-12 20:46The package react-native-reanimated before 2.10.0 is vulnerable to Regular Expression Denial of Service (ReDoS) due to improper usage of regular expression in the parser of Colors.js.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "react-native-reanimated"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.10.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-24373"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2022-10-04T21:16:38Z",
"nvd_published_at": "2022-09-30T05:15:00Z",
"severity": "HIGH"
},
"details": "The package react-native-reanimated before 2.10.0 is vulnerable to Regular Expression Denial of Service (ReDoS) due to improper usage of regular expression in the parser of Colors.js.",
"id": "GHSA-2j79-8pqc-r7x6",
"modified": "2023-04-12T20:46:47Z",
"published": "2022-10-01T00:00:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24373"
},
{
"type": "WEB",
"url": "https://github.com/software-mansion/react-native-reanimated/pull/3382"
},
{
"type": "WEB",
"url": "https://github.com/software-mansion/react-native-reanimated/pull/3382/commits/7adf06d0c59382d884a04be86a96eede3d0432fa"
},
{
"type": "WEB",
"url": "https://github.com/software-mansion/react-native-reanimated/commit/8a927904366fa2d02df7a11553f8b0aa93471279"
},
{
"type": "PACKAGE",
"url": "https://github.com/software-mansion/react-native-reanimated"
},
{
"type": "WEB",
"url": "https://github.com/software-mansion/react-native-reanimated/compare/2.9.1...2.10.0"
},
{
"type": "WEB",
"url": "https://github.com/software-mansion/react-native-reanimated/releases/tag/3.0.0-rc.1"
},
{
"type": "WEB",
"url": "https://security.snyk.io/vuln/SNYK-JS-REACTNATIVEREANIMATED-2949507"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "react-native-reanimated vulnerable to ReDoS"
}
GHSA-2P9H-CCW7-33GF
Vulnerability from github – Published: 2022-11-10 12:01 – Updated: 2026-07-02 20:40An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the cleo PyPI package, when an attacker is able to supply arbitrary input to the Table.set_rows method.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "cleo"
},
"ranges": [
{
"events": [
{
"introduced": "1.0.0a1"
},
{
"fixed": "2.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-42966"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2022-11-10T18:52:40Z",
"nvd_published_at": "2022-11-09T20:15:00Z",
"severity": "MODERATE"
},
"details": "An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the cleo PyPI package, when an attacker is able to supply arbitrary input to the Table.set_rows method.",
"id": "GHSA-2p9h-ccw7-33gf",
"modified": "2026-07-02T20:40:18Z",
"published": "2022-11-10T12:01:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42966"
},
{
"type": "WEB",
"url": "https://github.com/python-poetry/cleo/pull/285"
},
{
"type": "WEB",
"url": "https://github.com/python-poetry/cleo/commit/b5b9a04d2caf58bf7cf94eb7ae4a1ebbe60ea455"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-2p9h-ccw7-33gf"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/cleo/PYSEC-2022-43178.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/python-poetry/cleo"
},
{
"type": "WEB",
"url": "https://github.com/python-poetry/cleo/releases/tag/2.0.0"
},
{
"type": "WEB",
"url": "https://research.jfrog.com/vulnerabilities/cleo-redos-xray-257186"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "cleo is vulnerable to Regular Expression Denial of Service (ReDoS)"
}
Mitigation
Use regular expressions that do not support backtracking, e.g. by removing nested quantifiers.
Mitigation
Set backtracking limits in the configuration of the regular expression implementation, such as PHP's pcre.backtrack_limit. Also consider limits on execution time for the process.
Mitigation
Do not use regular expressions with untrusted input. If regular expressions must be used, avoid using backtracking in the expression.
Mitigation
Limit the length of the input that the regular expression will process.
CAPEC-492: Regular Expression Exponential Blowup
An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions.