CWE-1333
AllowedInefficient Regular Expression Complexity
Abstraction: Base · Status: Draft
The product uses a regular expression with a worst-case computational complexity that is inefficient and possibly exponential.
725 vulnerabilities reference this CWE, most recent first.
GHSA-35PF-5R93-C5JC
Vulnerability from github – Published: 2026-02-25 21:31 – Updated: 2026-02-25 21:31GitLab has remediated an issue in GitLab CE/EE affecting all versions from 9.2 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1 that could have allowed an unauthenticated user to cause regular expression denial of service by sending specially crafted input to a merge request endpoint under certain conditions.
{
"affected": [],
"aliases": [
"CVE-2026-1388"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-25T21:16:36Z",
"severity": "HIGH"
},
"details": "GitLab has remediated an issue in GitLab CE/EE affecting all versions from 9.2 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1 that could have allowed an unauthenticated user to cause regular expression denial of service by sending specially crafted input to a merge request endpoint under certain conditions.",
"id": "GHSA-35pf-5r93-c5jc",
"modified": "2026-02-25T21:31:19Z",
"published": "2026-02-25T21:31:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1388"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/3482893"
},
{
"type": "WEB",
"url": "https://about.gitlab.com/releases/2026/02/25/patch-release-gitlab-18-9-1-released"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/587560"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-3653-68V6-RQ57
Vulnerability from github – Published: 2026-05-18 20:23 – Updated: 2026-05-18 20:23Summary
All implementations of FHIRPathEngine accept arbitrary FHIRPath expressions and evaluate them without input validation. The FHIRPath functions matches(), matchesFull(), and replaceMatches() pass user-controlled regular expressions directly to Java's Pattern.compile() and String.replaceAll() without complexity checks or timeouts. An attacker can send a resource containing an evil regex pattern that causes catastrophic backtracking, exhausting system resources, and causing Denial-of-Service.
Details
The vulnerability exists in regex execution in FHIRPathEngine implementations across multiple code modules. For example the org.hl7.fhir.r5 module:
Entry point 1 — FHIRPathEngine.java:5929 (R5 funcMatches):
private List<Base> funcMatches(ExecutionContext context, List<Base> focus, ExpressionNode exp) {
String sw = convertToString(swb); // attacker-controlled regex pattern
// ...
Pattern p = Pattern.compile("(?s)" + sw); // VULNERABLE: no complexity check
Matcher m = p.matcher(st); // no timeout
boolean ok = m.find();
Entry point 2 — FHIRPathEngine.java:5951 (R5 funcMatchesFull):
Pattern p = Pattern.compile("(?s)" + sw); // VULNERABLE: same pattern
Matcher m = p.matcher(st);
boolean ok = m.matches();
Entry point 3 — FHIRPathEngine.java:5120 (R5 funcReplaceMatches):
result.add(new StringType(convertToString(focus.get(0))
.replaceAll(regex, repl)).noExtensions()); // VULNERABLE: replaceAll uses Pattern internally
The same vulnerabilities exist in the dstu2, dstu2016may, dstu3, r4, and r4b modules, and the FHIRPathEngine is used in the validation module functionality.
Why this is exploitable:
- No timeout mechanism covers FHIRPath evaluation — the ValidationTimeout class only protects InstanceValidator operations, not evaluateFhirPath()
- Java's Pattern.compile() with a pattern like (a+)+$ against input "aaaaaaaaaaaaaaaaaaaaaa!" causes exponential backtracking (O(2^n) time complexity)
Impact
- CPU Exhaustion: The exponential backtracking in Java's regex engine consumes 100% of a CPU core for the duration of the hang (effectively infinite for sufficiently long input strings) for callers of FHIRPathEngine.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 6.9.6"
},
"package": {
"ecosystem": "Maven",
"name": "ca.uhn.hapi.fhir:org.hl7.fhir.dstu2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.9.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 6.9.6"
},
"package": {
"ecosystem": "Maven",
"name": "ca.uhn.hapi.fhir:org.hl7.fhir.dstu2016may"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.9.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 6.9.6"
},
"package": {
"ecosystem": "Maven",
"name": "ca.uhn.hapi.fhir:org.hl7.fhir.dstu3"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.9.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 6.9.6"
},
"package": {
"ecosystem": "Maven",
"name": "ca.uhn.hapi.fhir:org.hl7.fhir.r4"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.9.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 6.9.6"
},
"package": {
"ecosystem": "Maven",
"name": "ca.uhn.hapi.fhir:org.hl7.fhir.r4b"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.9.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 6.9.6"
},
"package": {
"ecosystem": "Maven",
"name": "ca.uhn.hapi.fhir:org.hl7.fhir.r5"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.9.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 6.9.6"
},
"package": {
"ecosystem": "Maven",
"name": "ca.uhn.hapi.fhir:org.hl7.fhir.validation"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.9.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 6.9.6"
},
"package": {
"ecosystem": "Maven",
"name": "ca.uhn.hapi.fhir:org.hl7.fhir.validation.cli"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.9.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-45367"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-18T20:23:54Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "## Summary\n\nAll implementations of FHIRPathEngine accept arbitrary FHIRPath expressions and evaluate them without input validation. The FHIRPath functions `matches()`, `matchesFull()`, and `replaceMatches()` pass user-controlled regular expressions directly to Java\u0027s `Pattern.compile()` and `String.replaceAll()` without complexity checks or timeouts. An attacker can send a resource containing an evil regex pattern that causes catastrophic backtracking, exhausting system resources, and causing Denial-of-Service.\n\n## Details\n\nThe vulnerability exists in regex execution in FHIRPathEngine implementations across multiple code modules. For example the org.hl7.fhir.r5 module:\n\n\n**Entry point 1 \u2014 `FHIRPathEngine.java:5929` (R5 `funcMatches`):**\n```java\nprivate List\u003cBase\u003e funcMatches(ExecutionContext context, List\u003cBase\u003e focus, ExpressionNode exp) {\n String sw = convertToString(swb); // attacker-controlled regex pattern\n // ...\n Pattern p = Pattern.compile(\"(?s)\" + sw); // VULNERABLE: no complexity check\n Matcher m = p.matcher(st); // no timeout\n boolean ok = m.find();\n```\n\n**Entry point 2 \u2014 `FHIRPathEngine.java:5951` (R5 `funcMatchesFull`):**\n```java\nPattern p = Pattern.compile(\"(?s)\" + sw); // VULNERABLE: same pattern\nMatcher m = p.matcher(st);\nboolean ok = m.matches();\n```\n\n**Entry point 3 \u2014 `FHIRPathEngine.java:5120` (R5 `funcReplaceMatches`):**\n```java\nresult.add(new StringType(convertToString(focus.get(0))\n .replaceAll(regex, repl)).noExtensions()); // VULNERABLE: replaceAll uses Pattern internally\n```\n\nThe same vulnerabilities exist in the dstu2, dstu2016may, dstu3, r4, and r4b modules, and the FHIRPathEngine is used in the validation module functionality.\n\n**Why this is exploitable:**\n- No timeout mechanism covers FHIRPath evaluation \u2014 the `ValidationTimeout` class only protects `InstanceValidator` operations, not `evaluateFhirPath()`\n- Java\u0027s `Pattern.compile()` with a pattern like `(a+)+$` against input `\"aaaaaaaaaaaaaaaaaaaaaa!\"` causes exponential backtracking (O(2^n) time complexity)\n\n\n## Impact\n\n- **CPU Exhaustion:** The exponential backtracking in Java\u0027s regex engine consumes 100% of a CPU core for the duration of the hang (effectively infinite for sufficiently long input strings) for callers of FHIRPathEngine.",
"id": "GHSA-3653-68v6-rq57",
"modified": "2026-05-18T20:23:54Z",
"published": "2026-05-18T20:23:54Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/hapifhir/org.hl7.fhir.core/security/advisories/GHSA-3653-68v6-rq57"
},
{
"type": "PACKAGE",
"url": "https://github.com/hapifhir/org.hl7.fhir.core"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "HAPI FHIR: ReDoS via FHIRPath matches()/replaceMatches() in FHIR Validator HTTP Endpoint"
}
GHSA-37CH-88JC-XWX2
Vulnerability from github – Published: 2026-03-27 20:04 – Updated: 2026-03-27 20:04Impact
A bad regular expression is generated any time you have three or more parameters within a single segment, separated by something that is not a period (.). For example, /:a-:b-:c or /:a-:b-:c-:d. The backtrack protection added in path-to-regexp@0.1.12 only prevents ambiguity for two parameters. With three or more, the generated lookahead does not block single separator characters, so capture groups overlap and cause catastrophic backtracking.
Patches
Upgrade to path-to-regexp@0.1.13
Custom regex patterns in route definitions (e.g., /:a-:b([^-/]+)-:c([^-/]+)) are not affected because they override the default capture group.
Workarounds
All versions can be patched by providing a custom regular expression for parameters after the first in a single segment. As long as the custom regular expression does not match the text before the parameter, you will be safe. For example, change /:a-:b-:c to /:a-:b([^-/]+)-:c([^-/]+).
If paths cannot be rewritten and versions cannot be upgraded, another alternative is to limit the URL length.
References
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "path-to-regexp"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.1.13"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-4867"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-27T20:04:53Z",
"nvd_published_at": "2026-03-26T17:16:42Z",
"severity": "HIGH"
},
"details": "### Impact\n\nA bad regular expression is generated any time you have three or more parameters within a single segment, separated by something that is not a period (`.`). For example, `/:a-:b-:c` or `/:a-:b-:c-:d`. The backtrack protection added in `path-to-regexp@0.1.12` only prevents ambiguity for two parameters. With three or more, the generated lookahead does not block single separator characters, so capture groups overlap and cause catastrophic backtracking.\n\n### Patches\n\nUpgrade to [path-to-regexp@0.1.13](https://github.com/pillarjs/path-to-regexp/releases/tag/v.0.1.13)\n\nCustom regex patterns in route definitions (e.g., `/:a-:b([^-/]+)-:c([^-/]+)`) are not affected because they override the default capture group.\n\n### Workarounds\n\nAll versions can be patched by providing a custom regular expression for parameters after the first in a single segment. As long as the custom regular expression does not match the text before the parameter, you will be safe. For example, change `/:a-:b-:c` to `/:a-:b([^-/]+)-:c([^-/]+)`.\n\nIf paths cannot be rewritten and versions cannot be upgraded, another alternative is to limit the URL length.\n\n### References\n\n- [GHSA-9wv6-86v2-598j](https://github.com/advisories/GHSA-9wv6-86v2-598j)\n- [Detailed blog post: ReDoS the web](https://blakeembrey.com/posts/2024-09-web-redos/)",
"id": "GHSA-37ch-88jc-xwx2",
"modified": "2026-03-27T20:04:53Z",
"published": "2026-03-27T20:04:53Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-37ch-88jc-xwx2"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4867"
},
{
"type": "WEB",
"url": "https://blakeembrey.com/posts/2024-09-web-redos"
},
{
"type": "WEB",
"url": "https://cna.openjsf.org/security-advisories.html"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-9wv6-86v2-598j"
},
{
"type": "PACKAGE",
"url": "https://github.com/pillarjs/path-to-regexp"
},
{
"type": "WEB",
"url": "https://github.com/pillarjs/path-to-regexp/releases/tag/v.0.1.13"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "path-to-regexp vulnerable to Regular Expression Denial of Service via multiple route parameters"
}
GHSA-37MW-44QP-F5JM
Vulnerability from github – Published: 2025-07-11 12:30 – Updated: 2025-08-07 14:55A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically within the DonutProcessor class's token2json() method. This vulnerability affects versions 4.51.3 and earlier, and is fixed in version 4.52.1. The issue arises from the regex pattern <s_(.*?)> which can be exploited to cause excessive CPU consumption through crafted input strings due to catastrophic backtracking. This vulnerability can lead to service disruption, resource exhaustion, and potential API service vulnerabilities, impacting document processing tasks using the Donut model.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.51.3"
},
"package": {
"ecosystem": "PyPI",
"name": "transformers"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.52.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-3933"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2025-07-11T19:55:38Z",
"nvd_published_at": "2025-07-11T10:15:22Z",
"severity": "MODERATE"
},
"details": "A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically within the DonutProcessor class\u0027s `token2json()` method. This vulnerability affects versions 4.51.3 and earlier, and is fixed in version 4.52.1. The issue arises from the regex pattern `\u003cs_(.*?)\u003e` which can be exploited to cause excessive CPU consumption through crafted input strings due to catastrophic backtracking. This vulnerability can lead to service disruption, resource exhaustion, and potential API service vulnerabilities, impacting document processing tasks using the Donut model.",
"id": "GHSA-37mw-44qp-f5jm",
"modified": "2025-08-07T14:55:33Z",
"published": "2025-07-11T12:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3933"
},
{
"type": "WEB",
"url": "https://github.com/huggingface/transformers/pull/37788"
},
{
"type": "WEB",
"url": "https://github.com/huggingface/transformers/commit/ebbe9b12dd75b69f92100d684c47f923ee262a93"
},
{
"type": "PACKAGE",
"url": "https://github.com/huggingface/transformers"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/25282953-5827-4384-bb6f-5790d275721b"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "Transformers is vulnerable to ReDoS attack through its DonutProcessor class"
}
GHSA-38C4-R59V-3VQW
Vulnerability from github – Published: 2026-02-12 06:30 – Updated: 2026-02-13 20:04Versions of the package markdown-it from 13.0.0 and before 14.1.1 are vulnerable to Regular Expression Denial of Service (ReDoS) due to the use of the regex /*+$/ in the linkify function. An attacker can supply a long sequence of * characters followed by a non-matching character, which triggers excessive backtracking and may lead to a denial-of-service condition.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "markdown-it"
},
"ranges": [
{
"events": [
{
"introduced": "13.0.0"
},
{
"fixed": "14.1.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-2327"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-13T20:04:39Z",
"nvd_published_at": "2026-02-12T06:16:02Z",
"severity": "MODERATE"
},
"details": "Versions of the package markdown-it from 13.0.0 and before 14.1.1 are vulnerable to Regular Expression Denial of Service (ReDoS) due to the use of the regex /\\*+$/ in the linkify function. An attacker can supply a long sequence of * characters followed by a non-matching character, which triggers excessive backtracking and may lead to a denial-of-service condition.",
"id": "GHSA-38c4-r59v-3vqw",
"modified": "2026-02-13T20:04:39Z",
"published": "2026-02-12T06:30:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2327"
},
{
"type": "WEB",
"url": "https://github.com/markdown-it/markdown-it/commit/4b4bbcae5e0990a5b172378e507b33a59012ed26"
},
{
"type": "WEB",
"url": "https://gist.github.com/ltduc147/c9abecae1b291ede4f692f2ab988c917"
},
{
"type": "PACKAGE",
"url": "https://github.com/markdown-it/markdown-it"
},
{
"type": "WEB",
"url": "https://github.com/markdown-it/markdown-it/blob/14.1.0/lib/rules_inline/linkify.mjs#L33"
},
{
"type": "WEB",
"url": "https://security.snyk.io/vuln/SNYK-JS-MARKDOWNIT-10666750"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "markdown-it is has a Regular Expression Denial of Service (ReDoS)"
}
GHSA-38J3-6FM8-PFGC
Vulnerability from github – Published: 2022-06-15 00:00 – Updated: 2022-06-23 21:25An issue was discovered in Delight Nashorn Sandbox. There is an ReDoS vulnerability that can be exploited to launching a denial of service (DoS) attack.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.javadelight:delight-nashorn-sandbox"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.3.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-40660"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2022-06-17T01:14:44Z",
"nvd_published_at": "2022-06-14T14:15:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered in Delight Nashorn Sandbox. There is an ReDoS vulnerability that can be exploited to launching a denial of service (DoS) attack.",
"id": "GHSA-38j3-6fm8-pfgc",
"modified": "2022-06-23T21:25:08Z",
"published": "2022-06-15T00:00:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-40660"
},
{
"type": "WEB",
"url": "https://github.com/javadelight/delight-nashorn-sandbox/issues/117"
},
{
"type": "WEB",
"url": "https://github.com/javadelight/delight-nashorn-sandbox/issues/117#issuecomment-1564983722"
},
{
"type": "WEB",
"url": "https://github.com/javadelight/delight-nashorn-sandbox/pull/139"
},
{
"type": "WEB",
"url": "https://github.com/javadelight/delight-nashorn-sandbox/commit/b899b8ecad46090fdc042ac7683e1164114a69de"
},
{
"type": "PACKAGE",
"url": "https://github.com/javadelight/delight-nashorn-sandbox"
},
{
"type": "WEB",
"url": "https://github.com/javadelight/delight-nashorn-sandbox/releases/tag/0.3.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Regular expression denial of service in Delight Nashorn Sandbox"
}
GHSA-38M6-82C8-4XFM
Vulnerability from github – Published: 2026-05-23 00:11 – Updated: 2026-06-12 21:59Impact
An unauthenticated attacker who knows a publicly-known Parse Application ID can submit a single HTTP request whose client SDK version field contains adversarial input that triggers polynomial backtracking in a request-header parser. The parsing runs before session authentication and before rate limiting on every /parse/* request, so the request consumes seconds to minutes of synchronous CPU on a Node.js worker before any access control evaluates it. A small number of concurrent requests can saturate a worker; a single large request via the body-field variant can pin a worker for minutes. Production deployments running the default configuration are affected.
Patches
The client SDK version capture and parsing have been removed entirely. The Parse JS SDK compatibility table defines a strict version-pinned contract between Parse Server and the Parse JS SDK; server-side adaptation to client SDK version is an obsolete pattern that contradicts that contract. The vulnerable parser, the clientSDK parameter that threaded its output through routers, and the legacy code path it gated are all removed. The X-Parse-Client-Version header and _ClientVersion JSON body field are now silently ignored on every request; supported Parse SDKs are unaffected.
Workarounds
Deploy a reverse proxy or WAF in front of Parse Server that strips or strictly size-limits the X-Parse-Client-Version header AND the _ClientVersion field in JSON request bodies on every /parse/* route before forwarding to the server. A header-size cap alone is insufficient: the body-field variant requires inspection of JSON content. Upgrading to the patched version is the recommended remediation.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "parse-server"
},
"ranges": [
{
"events": [
{
"introduced": "9.0.0"
},
{
"fixed": "9.9.1-alpha.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "parse-server"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "8.6.77"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-47138"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-23T00:11:25Z",
"nvd_published_at": "2026-06-12T19:16:28Z",
"severity": "HIGH"
},
"details": "### Impact\n\nAn unauthenticated attacker who knows a publicly-known Parse Application ID can submit a single HTTP request whose client SDK version field contains adversarial input that triggers polynomial backtracking in a request-header parser. The parsing runs before session authentication and before rate limiting on every `/parse/*` request, so the request consumes seconds to minutes of synchronous CPU on a Node.js worker before any access control evaluates it. A small number of concurrent requests can saturate a worker; a single large request via the body-field variant can pin a worker for minutes. Production deployments running the default configuration are affected.\n\n### Patches\n\nThe client SDK version capture and parsing have been removed entirely. The Parse JS SDK compatibility table defines a strict version-pinned contract between Parse Server and the Parse JS SDK; server-side adaptation to client SDK version is an obsolete pattern that contradicts that contract. The vulnerable parser, the `clientSDK` parameter that threaded its output through routers, and the legacy code path it gated are all removed. The `X-Parse-Client-Version` header and `_ClientVersion` JSON body field are now silently ignored on every request; supported Parse SDKs are unaffected.\n\n### Workarounds\n\nDeploy a reverse proxy or WAF in front of Parse Server that strips or strictly size-limits the `X-Parse-Client-Version` header AND the `_ClientVersion` field in JSON request bodies on every `/parse/*` route before forwarding to the server. A header-size cap alone is insufficient: the body-field variant requires inspection of JSON content. Upgrading to the patched version is the recommended remediation.",
"id": "GHSA-38m6-82c8-4xfm",
"modified": "2026-06-12T21:59:40Z",
"published": "2026-05-23T00:11:25Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-38m6-82c8-4xfm"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-47138"
},
{
"type": "WEB",
"url": "https://github.com/parse-community/parse-server/pull/10463"
},
{
"type": "WEB",
"url": "https://github.com/parse-community/parse-server/pull/10464"
},
{
"type": "PACKAGE",
"url": "https://github.com/parse-community/parse-server"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Parse Server: Pre-authentication denial of service via client version header regex backtracking"
}
GHSA-3F2Q-6294-FMQ5
Vulnerability from github – Published: 2023-11-18 00:30 – Updated: 2023-11-28 23:14git-urls version 1.0.1 is vulnerable to ReDOS (Regular Expression Denial of Service) in Go package.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/whilp/git-urls"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.0.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-46402"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2023-11-20T23:05:38Z",
"nvd_published_at": "2023-11-18T00:15:07Z",
"severity": "HIGH"
},
"details": "git-urls version 1.0.1 is vulnerable to ReDOS (Regular Expression Denial of Service) in Go package.",
"id": "GHSA-3f2q-6294-fmq5",
"modified": "2023-11-28T23:14:24Z",
"published": "2023-11-18T00:30:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46402"
},
{
"type": "WEB",
"url": "https://gist.github.com/6en6ar/7c2424c93e7fbf2b6fc44e7fb9acb95d"
},
{
"type": "PACKAGE",
"url": "https://github.com/whilp/git-urls"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Inefficient Regular Expression Complexity in git-urls"
}
GHSA-3FX5-FWVR-XRJG
Vulnerability from github – Published: 2017-10-24 18:33 – Updated: 2024-08-01 16:44Versions of ms prior to 0.7.1 are affected by a regular expression denial of service vulnerability when extremely long version strings are parsed.
Proof of Concept
var ms = require('ms');
var genstr = function (len, chr) {
var result = "";
for (i=0; i<=len; i++) {
result = result + chr;
}
return result;
}
ms(genstr(process.argv[2], "5") + " minutea");
Results
Showing increase in execution time based on the input string.
$ time node ms.js 10000
real 0m0.758s
user 0m0.724s
sys 0m0.031s
$ time node ms.js 20000
real 0m2.580s
user 0m2.494s
sys 0m0.047s
$ time node ms.js 30000
real 0m5.747s
user 0m5.483s
sys 0m0.080s
$ time node ms.js 80000
real 0m41.022s
user 0m38.894s
sys 0m0.529s
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "ms"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.7.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2015-8315"
],
"database_specific": {
"cwe_ids": [
"CWE-1333",
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2020-06-16T20:55:05Z",
"nvd_published_at": "2017-01-23T21:59:00Z",
"severity": "HIGH"
},
"details": "Versions of `ms` prior to 0.7.1 are affected by a regular expression denial of service vulnerability when extremely long version strings are parsed.\n\n## Proof of Concept\n```javascript\nvar ms = require(\u0027ms\u0027);\nvar genstr = function (len, chr) {\n var result = \"\";\n for (i=0; i\u003c=len; i++) {\n result = result + chr;\n }\n\n return result;\n}\n\nms(genstr(process.argv[2], \"5\") + \" minutea\");\n\n```\n\n### Results\nShowing increase in execution time based on the input string.\n```\n$ time node ms.js 10000\n\nreal\t0m0.758s\nuser\t0m0.724s\nsys\t0m0.031s\n\n$ time node ms.js 20000\n\nreal\t0m2.580s\nuser\t0m2.494s\nsys\t0m0.047s\n\n$ time node ms.js 30000\n\nreal\t0m5.747s\nuser\t0m5.483s\nsys\t0m0.080s\n\n$ time node ms.js 80000\n\nreal\t0m41.022s\nuser\t0m38.894s\nsys\t0m0.529s\n```\n",
"id": "GHSA-3fx5-fwvr-xrjg",
"modified": "2024-08-01T16:44:35Z",
"published": "2017-10-24T18:33:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-8315"
},
{
"type": "WEB",
"url": "https://github.com/unshiftio/millisecond"
},
{
"type": "WEB",
"url": "https://nodesecurity.io/advisories/46"
},
{
"type": "WEB",
"url": "https://support.f5.com/csp/article/K46337613?utm_source=f5support\u0026amp%3Butm_medium=RSS"
},
{
"type": "WEB",
"url": "https://support.f5.com/csp/article/K46337613?utm_source=f5support\u0026amp;utm_medium=RSS"
},
{
"type": "WEB",
"url": "https://web.archive.org/web/20200227190911/http://www.securityfocus.com/bid/96389"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2016/04/20/11"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/96389"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Regular Expression Denial of Service in ms"
}
GHSA-3H4M-M55V-GX4M
Vulnerability from github – Published: 2023-07-12 12:31 – Updated: 2024-11-18 16:26Apache Airflow, versions before 2.6.3, has a vulnerability where an authenticated user can use crafted input to make the current request hang. It is recommended to upgrade to a version that is not affected
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "apache-airflow"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.6.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-36543"
],
"database_specific": {
"cwe_ids": [
"CWE-1333",
"CWE-20"
],
"github_reviewed": true,
"github_reviewed_at": "2023-07-12T17:30:47Z",
"nvd_published_at": "2023-07-12T10:15:10Z",
"severity": "HIGH"
},
"details": "Apache Airflow, versions before 2.6.3, has a vulnerability where an authenticated user can use crafted input to make the current request hang.\u00a0It is recommended to upgrade to a version that is not affected",
"id": "GHSA-3h4m-m55v-gx4m",
"modified": "2024-11-18T16:26:31Z",
"published": "2023-07-12T12:31:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36543"
},
{
"type": "WEB",
"url": "https://github.com/apache/airflow/pull/32060"
},
{
"type": "WEB",
"url": "https://github.com/apache/airflow/commit/116e607ddcb32480e57c342f48226545ac6fc315"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/airflow"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2023-106.yaml"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/tokfs980504ylgk3cv3hjlnrtbv4tng4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Apache Airflow Improper Input Validation vulnerability"
}
Mitigation
Use regular expressions that do not support backtracking, e.g. by removing nested quantifiers.
Mitigation
Set backtracking limits in the configuration of the regular expression implementation, such as PHP's pcre.backtrack_limit. Also consider limits on execution time for the process.
Mitigation
Do not use regular expressions with untrusted input. If regular expressions must be used, avoid using backtracking in the expression.
Mitigation
Limit the length of the input that the regular expression will process.
CAPEC-492: Regular Expression Exponential Blowup
An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions.