CWE-1333
AllowedInefficient Regular Expression Complexity
Abstraction: Base · Status: Draft
The product uses a regular expression with a worst-case computational complexity that is inefficient and possibly exponential.
725 vulnerabilities reference this CWE, most recent first.
GHSA-3P3X-VG38-6G9Q
Vulnerability from github – Published: 2023-07-19 12:31 – Updated: 2024-06-10 18:30Issue summary: Checking excessively long DH keys or parameters may be very slow.
Impact summary: Applications that use the functions DH_check(), DH_check_ex() or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service.
The function DH_check() performs various checks on DH parameters. One of those checks confirms that the modulus ('p' parameter) is not too large. Trying to use a very large modulus is slow and OpenSSL will not normally use a modulus which is over 10,000 bits in length.
However the DH_check() function checks numerous aspects of the key or parameters that have been supplied. Some of those checks use the supplied modulus value even if it has already been found to be too large.
An application that calls DH_check() and supplies a key or parameters obtained from an untrusted source could be vulernable to a Denial of Service attack.
The function DH_check() is itself called by a number of other OpenSSL functions. An application calling any of those other functions may similarly be affected. The other functions affected by this are DH_check_ex() and EVP_PKEY_param_check().
Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications when using the '-check' option.
The OpenSSL SSL/TLS implementation is not affected by this issue. The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.
{
"affected": [],
"aliases": [
"CVE-2023-3446"
],
"database_specific": {
"cwe_ids": [
"CWE-1333",
"CWE-606"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-07-19T12:15:10Z",
"severity": "MODERATE"
},
"details": "Issue summary: Checking excessively long DH keys or parameters may be very slow.\n\nImpact summary: Applications that use the functions DH_check(), DH_check_ex()\nor EVP_PKEY_param_check() to check a DH key or DH parameters may experience long\ndelays. Where the key or parameters that are being checked have been obtained\nfrom an untrusted source this may lead to a Denial of Service.\n\nThe function DH_check() performs various checks on DH parameters. One of those\nchecks confirms that the modulus (\u0027p\u0027 parameter) is not too large. Trying to use\na very large modulus is slow and OpenSSL will not normally use a modulus which\nis over 10,000 bits in length.\n\nHowever the DH_check() function checks numerous aspects of the key or parameters\nthat have been supplied. Some of those checks use the supplied modulus value\neven if it has already been found to be too large.\n\nAn application that calls DH_check() and supplies a key or parameters obtained\nfrom an untrusted source could be vulernable to a Denial of Service attack.\n\nThe function DH_check() is itself called by a number of other OpenSSL functions.\nAn application calling any of those other functions may similarly be affected.\nThe other functions affected by this are DH_check_ex() and\nEVP_PKEY_param_check().\n\nAlso vulnerable are the OpenSSL dhparam and pkeyparam command line applications\nwhen using the \u0027-check\u0027 option.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.",
"id": "GHSA-3p3x-vg38-6g9q",
"modified": "2024-06-10T18:30:45Z",
"published": "2023-07-19T12:31:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3446"
},
{
"type": "WEB",
"url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1fa20cf2f506113c761777127a38bce5068740eb"
},
{
"type": "WEB",
"url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=8780a896543a654e757db1b9396383f9d8095528"
},
{
"type": "WEB",
"url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9a0a4d3c1e7138915563c0df4fe6a3f9377b839c"
},
{
"type": "WEB",
"url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=fc9867c1e03c22ebf56943be205202e576aabf23"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00019.html"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202402-08"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20230803-0011"
},
{
"type": "WEB",
"url": "https://www.openssl.org/news/secadv/20230719.txt"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2023/07/19/4"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2023/07/19/5"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2023/07/19/6"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2023/07/31/1"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2024/05/16/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-3P6V-HRG8-8QJ7
Vulnerability from github – Published: 2025-03-26 14:08 – Updated: 2025-03-26 14:08Specially crafted titles may have caused a regular expression to excessively backtrack and cause a local denial of service.
Additional Details are available at Bugzilla
Credit: DayShift
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@mozilla/readability"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.6.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-2792"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2025-03-26T14:08:48Z",
"nvd_published_at": null,
"severity": "LOW"
},
"details": "Specially crafted titles may have caused a regular expression to excessively backtrack and cause a local denial of service.\n\nAdditional Details are [available at Bugzilla](https://bugzilla.mozilla.org/show_bug.cgi?id=1948833)\n\nCredit: DayShift",
"id": "GHSA-3p6v-hrg8-8qj7",
"modified": "2025-03-26T14:08:48Z",
"published": "2025-03-26T14:08:48Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/mozilla/readability/security/advisories/GHSA-3p6v-hrg8-8qj7"
},
{
"type": "WEB",
"url": "https://github.com/mozilla/readability/commit/1c4d63be3e7344c3dfdf76ebb05fd0d32de93eb3"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1948833"
},
{
"type": "PACKAGE",
"url": "https://github.com/mozilla/readability"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "@mozilla/readability Denial of Service through Regex"
}
GHSA-3PHV-83CJ-P8P7
Vulnerability from github – Published: 2024-10-26 21:30 – Updated: 2024-10-28 14:56Nope is a JavaScript validator. Versions 0.11.3 and prior contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS). This vulnerability is fixed in 0.12.1.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "nope-validator"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.12.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-26309"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2024-10-28T14:56:39Z",
"nvd_published_at": "2024-10-26T21:15:14Z",
"severity": "MODERATE"
},
"details": "Nope is a JavaScript validator. Versions 0.11.3 and prior contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS). This vulnerability is fixed in 0.12.1.",
"id": "GHSA-3phv-83cj-p8p7",
"modified": "2024-10-28T14:56:39Z",
"published": "2024-10-26T21:30:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26309"
},
{
"type": "WEB",
"url": "https://github.com/ftonato/nope-validator/issues/352"
},
{
"type": "WEB",
"url": "https://github.com/ftonato/nope-validator/commit/4564b7444dcd92769e5c5b80420469c9f18b7a05#diff-9c399c46fa266bcf2be2704fbb369181726959e148e95ab548a32ef9ca9e7d47R1"
},
{
"type": "WEB",
"url": "https://github.com/ftonato/nope-validator/commit/c8af9f93abe8f4786f8f69d2b0518f8ca3652f44"
},
{
"type": "PACKAGE",
"url": "https://github.com/ftonato/nope-validator"
},
{
"type": "ADVISORY",
"url": "https://securitylab.github.com/advisories/GHSL-2020-303-redos-nope-validator"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green",
"type": "CVSS_V4"
}
],
"summary": "nope-validator Regular Expression Denial of Service vulnerability"
}
GHSA-3PPC-4F35-3M26
Vulnerability from github – Published: 2026-02-18 22:38 – Updated: 2026-02-24 20:59Summary
minimatch is vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal character that doesn't appear in the test string. Each * compiles to a separate [^/]*? regex group, and when the match fails, V8's regex engine backtracks exponentially across all possible splits.
The time complexity is O(4^N) where N is the number of * characters. With N=15, a single minimatch() call takes ~2 seconds. With N=34, it hangs effectively forever.
Details
Give all details on the vulnerability. Pointing to the incriminated source code is very helpful for the maintainer.
PoC
When minimatch compiles a glob pattern, each * becomes [^/]*? in the generated regex. For a pattern like ***************X***:
/^(?!\.)[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?X[^/]*?[^/]*?[^/]*?$/
When the test string doesn't contain X, the regex engine must try every possible way to distribute the characters across all the [^/]*? groups before concluding no match exists. With N groups and M characters, this is O(C(N+M, N)) — exponential.
Impact
Any application that passes user-controlled strings to minimatch() as the pattern argument is vulnerable to DoS. This includes:
- File search/filter UIs that accept glob patterns
- .gitignore-style filtering with user-defined rules
- Build tools that accept glob configuration
- Any API that exposes glob matching to untrusted input
Thanks to @ljharb for back-porting the fix to legacy versions of minimatch.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "minimatch"
},
"ranges": [
{
"events": [
{
"introduced": "10.0.0"
},
{
"fixed": "10.2.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "minimatch"
},
"ranges": [
{
"events": [
{
"introduced": "9.0.0"
},
{
"fixed": "9.0.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "minimatch"
},
"ranges": [
{
"events": [
{
"introduced": "8.0.0"
},
{
"fixed": "8.0.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "minimatch"
},
"ranges": [
{
"events": [
{
"introduced": "7.0.0"
},
{
"fixed": "7.4.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "minimatch"
},
"ranges": [
{
"events": [
{
"introduced": "6.0.0"
},
{
"fixed": "6.2.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "minimatch"
},
"ranges": [
{
"events": [
{
"introduced": "5.0.0"
},
{
"fixed": "5.1.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "minimatch"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0"
},
{
"fixed": "4.2.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "minimatch"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.1.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-26996"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-18T22:38:11Z",
"nvd_published_at": "2026-02-20T03:16:01Z",
"severity": "HIGH"
},
"details": "### Summary\n`minimatch` is vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive `*` wildcards followed by a literal character that doesn\u0027t appear in the test string. Each `*` compiles to a separate `[^/]*?` regex group, and when the match fails, V8\u0027s regex engine backtracks exponentially across all possible splits.\n\nThe time complexity is O(4^N) where N is the number of `*` characters. With N=15, a single `minimatch()` call takes ~2 seconds. With N=34, it hangs effectively forever.\n\n\n### Details\n_Give all details on the vulnerability. Pointing to the incriminated source code is very helpful for the maintainer._\n\n### PoC\nWhen minimatch compiles a glob pattern, each `*` becomes `[^/]*?` in the generated regex. For a pattern like `***************X***`:\n\n```\n/^(?!\\.)[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?X[^/]*?[^/]*?[^/]*?$/\n```\n\nWhen the test string doesn\u0027t contain `X`, the regex engine must try every possible way to distribute the characters across all the `[^/]*?` groups before concluding no match exists. With N groups and M characters, this is O(C(N+M, N)) \u2014 exponential.\n### Impact\nAny application that passes user-controlled strings to `minimatch()` as the pattern argument is vulnerable to DoS. This includes:\n- File search/filter UIs that accept glob patterns\n- `.gitignore`-style filtering with user-defined rules\n- Build tools that accept glob configuration\n- Any API that exposes glob matching to untrusted input\n\n----\n\nThanks to @ljharb for back-porting the fix to legacy versions of minimatch.",
"id": "GHSA-3ppc-4f35-3m26",
"modified": "2026-02-24T20:59:57Z",
"published": "2026-02-18T22:38:11Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/isaacs/minimatch/security/advisories/GHSA-3ppc-4f35-3m26"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26996"
},
{
"type": "WEB",
"url": "https://github.com/isaacs/minimatch/commit/2e111f3a79abc00fa73110195de2c0f2351904f5"
},
{
"type": "PACKAGE",
"url": "https://github.com/isaacs/minimatch"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern"
}
GHSA-3Q6G-VF58-7M4G
Vulnerability from github – Published: 2021-09-08 15:41 – Updated: 2024-09-20 17:57Flask RESTX contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service) in email_regex.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "flask-restx"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.5.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-32838"
],
"database_specific": {
"cwe_ids": [
"CWE-1333",
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2021-09-07T14:24:52Z",
"nvd_published_at": "2021-09-20T18:15:00Z",
"severity": "HIGH"
},
"details": "Flask RESTX contains a regular expression that is vulnerable to [ReDoS](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS) (Regular Expression Denial of Service) in `email_regex`.\n",
"id": "GHSA-3q6g-vf58-7m4g",
"modified": "2024-09-20T17:57:56Z",
"published": "2021-09-08T15:41:15Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/python-restx/flask-restx/security/advisories/GHSA-3q6g-vf58-7m4g"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32838"
},
{
"type": "WEB",
"url": "https://github.com/python-restx/flask-restx/issues/372"
},
{
"type": "WEB",
"url": "https://github.com/python-restx/flask-restx/commit/bab31e085f355dd73858fd3715f7ed71849656da"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-3q6g-vf58-7m4g"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/flask-restx/PYSEC-2021-325.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/python-restx/flask-restx"
},
{
"type": "WEB",
"url": "https://github.com/python-restx/flask-restx/blob/fd99fe11a88531f5f3441a278f7020589f9d2cc0/flask_restx/inputs.py#L51"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5UCTFVDU3677B5OBGK4EF5NMUPJLL6SQ"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QUD6SWZLX52AAZUHDETJ2CDMQGEPGFL3"
},
{
"type": "WEB",
"url": "https://pypi.org/project/flask-restx"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Regular Expression Denial of Service in flask-restx"
}
GHSA-3RFM-JHWJ-7488
Vulnerability from github – Published: 2022-10-14 19:00 – Updated: 2022-11-15 21:26A Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the url variable in interpolateName.js. A badly or maliciously formed string could be used to send crafted requests that cause a system to crash or take a disproportional amount of time to process. This issue has been patched in versions 1.4.2, 2.0.4 and 3.2.1.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "loader-utils"
},
"ranges": [
{
"events": [
{
"introduced": "1.0.0"
},
{
"fixed": "1.4.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "loader-utils"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.0.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "loader-utils"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0"
},
{
"fixed": "3.2.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-37603"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2022-11-15T21:26:09Z",
"nvd_published_at": "2022-10-14T16:15:00Z",
"severity": "HIGH"
},
"details": "A Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the url variable in interpolateName.js. A badly or maliciously formed string could be used to send crafted requests that cause a system to crash or take a disproportional amount of time to process. This issue has been patched in versions 1.4.2, 2.0.4 and 3.2.1.",
"id": "GHSA-3rfm-jhwj-7488",
"modified": "2022-11-15T21:26:42Z",
"published": "2022-10-14T19:00:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37603"
},
{
"type": "WEB",
"url": "https://github.com/webpack/loader-utils/issues/213"
},
{
"type": "WEB",
"url": "https://github.com/webpack/loader-utils/issues/216"
},
{
"type": "WEB",
"url": "https://github.com/webpack/loader-utils/commit/17cbf8fa8989c1cb45bdd2997aa524729475f1fa"
},
{
"type": "WEB",
"url": "https://github.com/webpack/loader-utils/commit/ac09944dfacd7c4497ef692894b09e63e09a5eeb"
},
{
"type": "WEB",
"url": "https://github.com/webpack/loader-utils/commit/d2d752d59629daee38f34b24307221349c490eb1"
},
{
"type": "PACKAGE",
"url": "https://github.com/webpack/loader-utils"
},
{
"type": "WEB",
"url": "https://github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/interpolateName.js#L107"
},
{
"type": "WEB",
"url": "https://github.com/webpack/loader-utils/blob/d9f4e23cf411d8556f8bac2d3bf05a6e0103b568/lib/interpolateName.js#L38"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ERN6YE3DS7NBW7UH44SCJBMNC2NWQ7SM"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KAC5KQ2SEWAMQ6UZAUBZ5KXKEOESH375"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VNV2GNZXOTEDAJRFH3ZYWRUBGIVL7BSU"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) via url variable"
}
GHSA-3RW8-4XRQ-3F7P
Vulnerability from github – Published: 2025-03-17 21:30 – Updated: 2025-08-07 14:02Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-hx7h-9vf7-5xhg. This link is maintained to preserve external references.
Original Description
Uptime Kuma >== 1.23.0 has a ReDoS vulnerability, specifically when an administrator creates a notification through the web service. If a string is provided it triggers catastrophic backtracking in the regular expression, leading to a ReDoS attack.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "uptime-kuma"
},
"ranges": [
{
"events": [
{
"introduced": "1.23.0"
},
{
"last_affected": "2.0.0-dev.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2025-03-17T21:56:00Z",
"nvd_published_at": "2025-03-17T19:15:26Z",
"severity": "MODERATE"
},
"details": "### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-hx7h-9vf7-5xhg. This link is maintained to preserve external references.\n\n### Original Description\nUptime Kuma \u003e== 1.23.0 has a ReDoS vulnerability, specifically when an administrator creates a notification through the web service. If a string is provided it triggers catastrophic backtracking in the regular expression, leading to a ReDoS attack.",
"id": "GHSA-3rw8-4xrq-3f7p",
"modified": "2025-08-07T14:02:08Z",
"published": "2025-03-17T21:30:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-26042"
},
{
"type": "WEB",
"url": "https://github.com/louislam/uptime-kuma/issues/5574"
},
{
"type": "WEB",
"url": "https://github.com/louislam/uptime-kuma/pull/5573"
},
{
"type": "WEB",
"url": "https://github.com/louislam/uptime-kuma/commit/7a9191761dbef6551c2a0aa6eed5f693ba48d688"
},
{
"type": "PACKAGE",
"url": "https://github.com/louislam/uptime-kuma"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Duplicate Advisory: Uptime Kuma ReDoS vulnerability",
"withdrawn": "2025-08-07T14:02:08Z"
}
GHSA-3XGQ-45JJ-V275
Vulnerability from github – Published: 2024-11-08 06:30 – Updated: 2025-05-19 19:56Versions of the package cross-spawn before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well crafted string.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "cross-spawn"
},
"ranges": [
{
"events": [
{
"introduced": "7.0.0"
},
{
"fixed": "7.0.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "cross-spawn"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.0.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-21538"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2024-11-15T22:25:53Z",
"nvd_published_at": "2024-11-08T05:15:06Z",
"severity": "HIGH"
},
"details": "Versions of the package cross-spawn before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well crafted string.",
"id": "GHSA-3xgq-45jj-v275",
"modified": "2025-05-19T19:56:26Z",
"published": "2024-11-08T06:30:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21538"
},
{
"type": "WEB",
"url": "https://github.com/moxystudio/node-cross-spawn/issues/165"
},
{
"type": "WEB",
"url": "https://github.com/moxystudio/node-cross-spawn/pull/160"
},
{
"type": "WEB",
"url": "https://github.com/moxystudio/node-cross-spawn/commit/5ff3a07d9add449021d806e45c4168203aa833ff"
},
{
"type": "WEB",
"url": "https://github.com/moxystudio/node-cross-spawn/commit/640d391fde65388548601d95abedccc12943374f"
},
{
"type": "WEB",
"url": "https://github.com/moxystudio/node-cross-spawn/commit/d35c865b877d2f9ded7c1ed87521c2fdb689c8dd"
},
{
"type": "PACKAGE",
"url": "https://github.com/moxystudio/node-cross-spawn"
},
{
"type": "WEB",
"url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-8366349"
},
{
"type": "WEB",
"url": "https://security.snyk.io/vuln/SNYK-JS-CROSSSPAWN-8303230"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "Regular Expression Denial of Service (ReDoS) in cross-spawn"
}
GHSA-3XQ5-WJFH-PPJC
Vulnerability from github – Published: 2023-01-09 14:10 – Updated: 2024-02-12 06:30Impact
Luxon's `DateTime.fromRFC2822() has quadratic (N^2) complexity on some specific inputs. This causes a noticeable slowdown for inputs with lengths above 10k characters. Users providing untrusted data to this method are therefore vulnerable to (Re)DoS attacks.
This is the same bug as Moment's https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g
Workarounds
Limit the length of the input.
References
There is an excellent writeup of the same issue in Moment: https://github.com/moment/moment/pull/6015#issuecomment-1152961973
Details
DateTime.fromRFC2822("(".repeat(500000)) takes a couple minutes to complete.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "luxon"
},
"ranges": [
{
"events": [
{
"introduced": "1.0.0"
},
{
"fixed": "1.28.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "luxon"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.5.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "luxon"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0"
},
{
"fixed": "3.2.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-22467"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2023-01-09T14:10:49Z",
"nvd_published_at": "2023-01-04T22:15:00Z",
"severity": "HIGH"
},
"details": "# Impact\nLuxon\u0027s `DateTime.fromRFC2822() has quadratic (N^2) complexity on some specific inputs. This causes a noticeable slowdown for inputs with lengths above 10k characters. Users providing untrusted data to this method are therefore vulnerable to (Re)DoS attacks.\n\nThis is the same bug as Moment\u0027s https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g\n\n# Workarounds\nLimit the length of the input.\n\n# References\nThere is an excellent writeup of the same issue in Moment: https://github.com/moment/moment/pull/6015#issuecomment-1152961973\n\n# Details\n`DateTime.fromRFC2822(\"(\".repeat(500000))` takes a couple minutes to complete.",
"id": "GHSA-3xq5-wjfh-ppjc",
"modified": "2024-02-12T06:30:33Z",
"published": "2023-01-09T14:10:49Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/moment/luxon/security/advisories/GHSA-3xq5-wjfh-ppjc"
},
{
"type": "WEB",
"url": "https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22467"
},
{
"type": "WEB",
"url": "https://github.com/moment/moment/pull/6015#issuecomment-1152961973"
},
{
"type": "WEB",
"url": "https://github.com/moment/luxon/commit/5ab3bf64a10da929a437629cdb2f059bb83212bf"
},
{
"type": "PACKAGE",
"url": "https://github.com/moment/luxon"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/44I3WAJKYXDLOVYRGMHAUXMIV4SPFXDZ"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4LIVOASKBQH7FEUI5RWM3SOHR6VK7ZZR"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Luxon Inefficient Regular Expression Complexity vulnerability"
}
GHSA-44C6-4V22-4MHX
Vulnerability from github – Published: 2021-09-20 20:42 – Updated: 2023-07-11 13:37npm semver-regex is vulnerable to Inefficient Regular Expression Complexity
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "semver-regex"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.1.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "semver-regex"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0"
},
{
"fixed": "4.0.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"4.0.0"
]
}
],
"aliases": [
"CVE-2021-3795"
],
"database_specific": {
"cwe_ids": [
"CWE-1333",
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2021-09-16T17:31:51Z",
"nvd_published_at": "2021-09-15T17:15:00Z",
"severity": "HIGH"
},
"details": "npm `semver-regex` is vulnerable to Inefficient Regular Expression Complexity",
"id": "GHSA-44c6-4v22-4mhx",
"modified": "2023-07-11T13:37:50Z",
"published": "2021-09-20T20:42:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3795"
},
{
"type": "WEB",
"url": "https://github.com/sindresorhus/semver-regex/commit/11c66245f4e1976dccc52977ed183696a21a3fd7"
},
{
"type": "PACKAGE",
"url": "https://github.com/sindresorhus/semver-regex"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/006624e3-35ac-448f-aab9-7b5183f30e28"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "semver-regex Regular Expression Denial of Service (ReDOS)"
}
Mitigation
Use regular expressions that do not support backtracking, e.g. by removing nested quantifiers.
Mitigation
Set backtracking limits in the configuration of the regular expression implementation, such as PHP's pcre.backtrack_limit. Also consider limits on execution time for the process.
Mitigation
Do not use regular expressions with untrusted input. If regular expressions must be used, avoid using backtracking in the expression.
Mitigation
Limit the length of the input that the regular expression will process.
CAPEC-492: Regular Expression Exponential Blowup
An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions.