Common Weakness Enumeration

CWE-1333

Allowed

Inefficient Regular Expression Complexity

Abstraction: Base · Status: Draft

The product uses a regular expression with a worst-case computational complexity that is inefficient and possibly exponential.

726 vulnerabilities reference this CWE, most recent first.

GHSA-4WF5-VPHF-C2XC

Vulnerability from github – Published: 2022-07-16 00:00 – Updated: 2023-03-13 22:43
VLAI
Summary
Terser insecure use of regular expressions leads to ReDoS
Details

The package terser before 4.8.1, from 5.0.0 and before 5.14.2 are vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure usage of regular expressions.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "terser"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.8.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "terser"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0"
            },
            {
              "fixed": "5.14.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-25858"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-07-20T01:21:59Z",
    "nvd_published_at": "2022-07-15T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "The package terser before 4.8.1, from 5.0.0 and before 5.14.2 are vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure usage of regular expressions.",
  "id": "GHSA-4wf5-vphf-c2xc",
  "modified": "2023-03-13T22:43:44Z",
  "published": "2022-07-16T00:00:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25858"
    },
    {
      "type": "WEB",
      "url": "https://github.com/terser/terser/commit/a4da7349fdc92c05094f41d33d06d8cd4e90e76b"
    },
    {
      "type": "WEB",
      "url": "https://github.com/terser/terser/commit/d8cc5691be980d663c29cc4d5ce67e852d597012"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/terser/terser"
    },
    {
      "type": "WEB",
      "url": "https://github.com/terser/terser/blob/master/lib/compress/evaluate.js%23L135"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2949722"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JS-TERSER-2806366"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Terser insecure use of regular expressions leads to ReDoS"
}

GHSA-4X5V-GMQ8-25CH

Vulnerability from github – Published: 2022-06-03 00:01 – Updated: 2023-07-19 19:58
VLAI
Summary
Regular expression denial of service in semver-regex
Details

An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the semver-regex npm package, when an attacker is able to supply arbitrary input to the test() method

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "semver-regex"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.1.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "semver-regex"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0"
            },
            {
              "fixed": "4.0.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-43307"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-06-03T22:26:33Z",
    "nvd_published_at": "2022-06-02T14:15:00Z",
    "severity": "LOW"
  },
  "details": "An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the semver-regex npm package, when an attacker is able to supply arbitrary input to the test() method",
  "id": "GHSA-4x5v-gmq8-25ch",
  "modified": "2023-07-19T19:58:13Z",
  "published": "2022-06-03T00:01:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43307"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sindresorhus/semver-regex/commit/d8ba39a528c1027c43ab23f12eec28ca4d40dd0c"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/sindresorhus/semver-regex"
    },
    {
      "type": "WEB",
      "url": "https://research.jfrog.com/vulnerabilities/semver-regex-redos-xray-211349"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Regular expression denial of service in semver-regex"
}

GHSA-4XQQ-73WG-5MJP

Vulnerability from github – Published: 2023-05-15 06:30 – Updated: 2023-06-06 18:45
VLAI
Summary
git-url-parse Regular Expression Denial of Service
Details

giturlparse (aka git-url-parse) through 1.2.2, as used in Semgrep 1.5.2 through 1.24.1, is vulnerable to ReDoS (Regular Expression Denial of Service) if parsing untrusted URLs. This might be relevant if Semgrep is analyzing an untrusted package (for example, to check whether it accesses any Git repository at an http:// URL), and that package's author placed a ReDoS attack payload in a URL used by the package.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "git-url-parse"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.2.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-32758"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-05-15T20:51:51Z",
    "nvd_published_at": "2023-05-15T04:15:10Z",
    "severity": "HIGH"
  },
  "details": "giturlparse (aka git-url-parse) through 1.2.2, as used in Semgrep 1.5.2 through 1.24.1, is vulnerable to ReDoS (Regular Expression Denial of Service) if parsing untrusted URLs. This might be relevant if Semgrep is analyzing an untrusted package (for example, to check whether it accesses any Git repository at an http:// URL), and that package\u0027s author placed a ReDoS attack payload in a URL used by the package.",
  "id": "GHSA-4xqq-73wg-5mjp",
  "modified": "2023-06-06T18:45:42Z",
  "published": "2023-05-15T06:30:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32758"
    },
    {
      "type": "WEB",
      "url": "https://github.com/returntocorp/semgrep/pull/7611"
    },
    {
      "type": "WEB",
      "url": "https://github.com/returntocorp/semgrep/pull/7943"
    },
    {
      "type": "WEB",
      "url": "https://github.com/returntocorp/semgrep/pull/7955"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/coala/git-url-parse"
    },
    {
      "type": "WEB",
      "url": "https://github.com/coala/git-url-parse/blob/master/giturlparse/parser.py#L53"
    },
    {
      "type": "WEB",
      "url": "https://pypi.org/project/git-url-parse"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "git-url-parse Regular Expression Denial of Service"
}

GHSA-5239-WWWM-4PMQ

Vulnerability from github – Published: 2026-03-22 06:30 – Updated: 2026-03-30 14:40
VLAI
Summary
Pygments has Regular Expression Denial of Service (ReDoS) due to Inefficient Regex for GUID Matching
Details

A security flaw has been discovered in pygments before 2.20.0. The impacted element is the function AdlLexer of the file pygments/lexers/archetype.py. The manipulation results in inefficient regular expression complexity. The attack is only possible with local access. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "Pygments"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.20.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-4539"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333",
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-24T20:33:39Z",
    "nvd_published_at": "2026-03-22T06:16:20Z",
    "severity": "LOW"
  },
  "details": "A security flaw has been discovered in pygments before 2.20.0. The impacted element is the function AdlLexer of the file pygments/lexers/archetype.py. The manipulation results in inefficient regular expression complexity. The attack is only possible with local access. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.",
  "id": "GHSA-5239-wwwm-4pmq",
  "modified": "2026-03-30T14:40:28Z",
  "published": "2026-03-22T06:30:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4539"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pygments/pygments/issues/3058"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pygments/pygments/pull/3064"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pygments/pygments/commit/24b8aa76c6cd6d70f39c6dd605cce319c98e2ccc"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/pygments/pygments"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pygments/pygments/releases/tag/2.20.0"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.352327"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.352327"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.774685"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Pygments has Regular Expression Denial of Service (ReDoS) due to Inefficient Regex for GUID Matching"
}

GHSA-54RR-7FVW-6X8F

Vulnerability from github – Published: 2024-02-28 22:57 – Updated: 2024-02-29 02:30
VLAI
Summary
Rack Header Parsing leads to Possible Denial of Service Vulnerability
Details

Possible Denial of Service Vulnerability in Rack Header Parsing

There is a possible denial of service vulnerability in the header parsing routines in Rack. This vulnerability has been assigned the CVE identifier CVE-2024-26146.

Versions Affected: All. Not affected: None Fixed Versions: 2.0.9.4, 2.1.4.4, 2.2.8.1, 3.0.9.1

Impact

Carefully crafted headers can cause header parsing in Rack to take longer than expected resulting in a possible denial of service issue. Accept and Forwarded headers are impacted.

Ruby 3.2 has mitigations for this problem, so Rack applications using Ruby 3.2 or newer are unaffected.

Releases

The fixed releases are available at the normal locations.

Workarounds

There are no feasible workarounds for this issue.

Patches

To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.

  • 2-0-header-redos.patch - Patch for 2.0 series
  • 2-1-header-redos.patch - Patch for 2.1 series
  • 2-2-header-redos.patch - Patch for 2.2 series
  • 3-0-header-redos.patch - Patch for 3.0 series

Credits

Thanks to svalkanov for reporting this and providing patches!

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "rack"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0"
            },
            {
              "fixed": "3.0.9.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "rack"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.2.0"
            },
            {
              "fixed": "2.2.8.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "rack"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.1.0"
            },
            {
              "fixed": "2.1.4.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "rack"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.0.9.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-26146"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-02-28T22:57:03Z",
    "nvd_published_at": "2024-02-29T00:15:51Z",
    "severity": "LOW"
  },
  "details": "# Possible Denial of Service Vulnerability in Rack Header Parsing\n\nThere is a possible denial of service vulnerability in the header parsing\nroutines in Rack.  This vulnerability has been assigned the CVE identifier\nCVE-2024-26146.\n\nVersions Affected:  All.\nNot affected:       None\nFixed Versions:     2.0.9.4, 2.1.4.4, 2.2.8.1, 3.0.9.1\n\nImpact\n------\nCarefully crafted headers can cause header parsing in Rack to take longer than\nexpected resulting in a possible denial of service issue. Accept and Forwarded\nheaders are impacted.\n\nRuby 3.2 has mitigations for this problem, so Rack applications using Ruby 3.2\nor newer are unaffected.\n\nReleases\n--------\nThe fixed releases are available at the normal locations.\n\nWorkarounds\n-----------\nThere are no feasible workarounds for this issue.\n\nPatches\n-------\nTo aid users who aren\u0027t able to upgrade immediately we have provided patches for\nthe two supported release series. They are in git-am format and consist of a\nsingle changeset.\n\n* 2-0-header-redos.patch - Patch for 2.0 series\n* 2-1-header-redos.patch - Patch for 2.1 series\n* 2-2-header-redos.patch - Patch for 2.2 series\n* 3-0-header-redos.patch - Patch for 3.0 series\n\nCredits\n-------\n\nThanks to [svalkanov](https://hackerone.com/svalkanov) for reporting this and\nproviding patches!",
  "id": "GHSA-54rr-7fvw-6x8f",
  "modified": "2024-02-29T02:30:57Z",
  "published": "2024-02-28T22:57:03Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/rack/rack/security/advisories/GHSA-54rr-7fvw-6x8f"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26146"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rack/rack/commit/30b8e39a578b25d4bdcc082c1c52c6f164b59716"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rack/rack/commit/6c5d90bdcec0949f7ba06db62fb740dab394b582"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rack/rack/commit/a227cd793778c7c3a827d32808058571569cda6f"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rack/rack/commit/e4c117749ba24a66f8ec5a08eddf68deeb425ccd"
    },
    {
      "type": "WEB",
      "url": "https://discuss.rubyonrails.org/t/possible-denial-of-service-vulnerability-in-rack-header-parsing/84942"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/rack/rack"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2024-26146.yml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Rack Header Parsing leads to Possible Denial of Service Vulnerability"
}

GHSA-55XV-F85C-248Q

Vulnerability from github – Published: 2021-12-17 19:59 – Updated: 2022-01-04 19:52
VLAI
Summary
Regular Expression Denial of Service (ReDoS) in jsx-slack
Details

jsx-slack v4.5.1 and earlier versions are vulnerable to a regular expression denial-of-service (ReDoS) attack.

Impact

If attacker can put a lot of JSX elements into <blockquote> tag, an internal regular expression for escaping characters may consume an excessive amount of computing resources.

/** @jsxImportSource jsx-slack */
import { Section } from 'jsx-slack'

console.log(
  <Section>
    <blockquote>
      {[...Array(40)].map((_, i) => (
        <p>{i + 1}</p>
      ))}
    </blockquote>
  </Section>
)

Patches

See also: https://github.com/yhatt/jsx-slack/security/advisories/GHSA-hp68-xhvj-x6j6

jsx-slack v4.5.2 has updated regular expressions to prevent catastrophic backtracking.

jsx-slack v4.5.1 also had patched a workaround. It has no problems to contents with ASCII characters, but still vulnerable to contents with multibyte characters. (https://github.com/yhatt/jsx-slack/commit/36e4a10405e4c7745333e245fcc5029c02c7065d)

References

  • https://nvd.nist.gov/vuln/detail/CVE-2021-43838
  • https://github.com/yhatt/jsx-slack/commit/36e4a10405e4c7745333e245fcc5029c02c7065d

Credits

Thanks to @hieki for finding out this vulnerability.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "jsx-slack"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.5.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-43838"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333",
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-12-17T19:33:23Z",
    "nvd_published_at": "2021-12-17T19:15:00Z",
    "severity": "LOW"
  },
  "details": "jsx-slack v4.5.1 and earlier versions are vulnerable to a regular expression denial-of-service (ReDoS) attack. \n\n### Impact\n\nIf attacker can put a lot of JSX elements into `\u003cblockquote\u003e` tag, an internal regular expression for escaping characters may consume an excessive amount of computing resources.\n\n```javascript\n/** @jsxImportSource jsx-slack */\nimport { Section } from \u0027jsx-slack\u0027\n\nconsole.log(\n  \u003cSection\u003e\n    \u003cblockquote\u003e\n      {[...Array(40)].map((_, i) =\u003e (\n        \u003cp\u003e{i + 1}\u003c/p\u003e\n      ))}\n    \u003c/blockquote\u003e\n  \u003c/Section\u003e\n)\n```\n\n### Patches\n\n_See also: https://github.com/yhatt/jsx-slack/security/advisories/GHSA-hp68-xhvj-x6j6_\n\njsx-slack v4.5.2 has updated regular expressions to prevent catastrophic backtracking.\n\njsx-slack v4.5.1 also had patched a workaround. It has no problems to contents with ASCII characters, but _still vulnerable to contents with multibyte characters_. (https://github.com/yhatt/jsx-slack/commit/36e4a10405e4c7745333e245fcc5029c02c7065d)\n\n### References\n\n- https://nvd.nist.gov/vuln/detail/CVE-2021-43838\n- https://github.com/yhatt/jsx-slack/commit/36e4a10405e4c7745333e245fcc5029c02c7065d\n\n### Credits\n\nThanks to @hieki for finding out this vulnerability.",
  "id": "GHSA-55xv-f85c-248q",
  "modified": "2022-01-04T19:52:06Z",
  "published": "2021-12-17T19:59:02Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/yhatt/jsx-slack/security/advisories/GHSA-55xv-f85c-248q"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43838"
    },
    {
      "type": "WEB",
      "url": "https://github.com/yhatt/jsx-slack/commit/36e4a10405e4c7745333e245fcc5029c02c7065d"
    },
    {
      "type": "WEB",
      "url": "https://github.com/yhatt/jsx-slack"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Regular Expression Denial of Service (ReDoS) in jsx-slack"
}

GHSA-5662-2RJ7-F2V6

Vulnerability from github – Published: 2025-08-04 15:22 – Updated: 2025-08-04 15:22
VLAI
Summary
copyparty allows Regex Denial of Service (ReDoS) in the upload listing
Details

Summary

The filter parameter for the "Recent uploads" page allows arbitrary Regexes. If this feature is enabled (which is the default), an attacker can craft a filter which deadlocks the server.

PoC

https://127.0.0.1:3923/?ru&filter=(.+)+x

Impact

The server becomes fully inaccessible for a long time.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.18.8"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "copyparty"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.18.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-54796"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-08-04T15:22:23Z",
    "nvd_published_at": "2025-08-02T00:15:26Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nThe `filter` parameter for the \"Recent uploads\" page allows arbitrary Regexes. If this feature is enabled (which is the default), an attacker can craft a filter which deadlocks the server.\n\n### PoC\n`https://127.0.0.1:3923/?ru\u0026filter=(.+)+x`\n\n### Impact\nThe server becomes fully inaccessible for a long time.",
  "id": "GHSA-5662-2rj7-f2v6",
  "modified": "2025-08-04T15:22:23Z",
  "published": "2025-08-04T15:22:23Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/9001/copyparty/security/advisories/GHSA-5662-2rj7-f2v6"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54796"
    },
    {
      "type": "WEB",
      "url": "https://github.com/9001/copyparty/commit/09910ba80784c3980947d92f45db696398c0fd83"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/9001/copyparty"
    },
    {
      "type": "WEB",
      "url": "https://github.com/9001/copyparty/releases/tag/v1.18.9"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "copyparty allows Regex Denial of Service (ReDoS) in the upload listing"
}

GHSA-593F-38F6-JP5M

Vulnerability from github – Published: 2025-02-12 19:23 – Updated: 2025-02-12 19:23
VLAI
Summary
Inefficient Regular Expression Complexity in koa
Details

Summary

Koa uses an evil regex to parse the X-Forwarded-Proto and X-Forwarded-Host HTTP headers. This can be exploited to carry out a Denial-of-Service attack.

PoC

Coming soon.

Impact

This is a Regex Denial-of-Service attack and causes memory exhaustion. The regex should be improved and empty values should not be allowed.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "koa"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.15.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "koa"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0-alpha.0"
            },
            {
              "fixed": "3.0.0-alpha.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "koa"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.0.0"
            },
            {
              "fixed": "1.7.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "koa"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.21.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-25200"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-02-12T19:23:09Z",
    "nvd_published_at": "2025-02-12T18:15:28Z",
    "severity": "CRITICAL"
  },
  "details": "### Summary\nKoa uses an evil regex to parse the `X-Forwarded-Proto` and `X-Forwarded-Host` HTTP headers. This can be exploited to carry out a Denial-of-Service attack.\n\n### PoC\n\nComing soon.\n\n### Impact\nThis is a Regex Denial-of-Service attack and causes memory exhaustion. The regex should be improved and empty values should not be allowed.",
  "id": "GHSA-593f-38f6-jp5m",
  "modified": "2025-02-12T19:23:09Z",
  "published": "2025-02-12T19:23:09Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/koajs/koa/security/advisories/GHSA-593f-38f6-jp5m"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-25200"
    },
    {
      "type": "WEB",
      "url": "https://github.com/koajs/koa/commit/5054af6e31ffd451a4151a1fe144cef6e5d0d83c"
    },
    {
      "type": "WEB",
      "url": "https://github.com/koajs/koa/commit/5f294bb1c7c8d9c61904378d250439a321bffd32"
    },
    {
      "type": "WEB",
      "url": "https://github.com/koajs/koa/commit/93fe903fc966635a991bcf890cfc3427d33a1a08"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/koajs/koa"
    },
    {
      "type": "WEB",
      "url": "https://github.com/koajs/koa/releases/tag/2.15.4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Inefficient Regular Expression Complexity in koa"
}

GHSA-5943-48F3-6WX5

Vulnerability from github – Published: 2024-04-26 06:30 – Updated: 2026-02-23 12:31
VLAI
Details

Denial of service condition in M-Files Server in versions before 24.4.13592.4 and after 23.11 (excluding 24.2 LTS) allows unauthenticated user to consume computing resources.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-4056"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333",
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-26T06:15:06Z",
    "severity": "HIGH"
  },
  "details": "Denial of service condition in M-Files Server in versions before 24.4.13592.4\u00a0and after 23.11 (excluding 24.2 LTS) allows unauthenticated user to consume computing resources.",
  "id": "GHSA-5943-48f3-6wx5",
  "modified": "2026-02-23T12:31:28Z",
  "published": "2024-04-26T06:30:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4056"
    },
    {
      "type": "WEB",
      "url": "https://empower.m-files.com/security-advisories/CVE-2024-4056"
    },
    {
      "type": "WEB",
      "url": "https://product.m-files.com/security-advisories/cve-2024-4056"
    },
    {
      "type": "WEB",
      "url": "https://www.m-files.com/about/trust-center/security-advisories/cve-2024-4056"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-59P9-H35M-WG4G

Vulnerability from github – Published: 2025-09-12 12:30 – Updated: 2025-09-15 13:57
VLAI
Summary
Hugging Face Transformers is vulnerable to ReDoS through its MarianTokenizer
Details

A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically affecting the MarianTokenizer's remove_language_code() method. This vulnerability is present in version 4.52.4 and has been fixed in version 4.53.0. The issue arises from inefficient regex processing, which can be exploited by crafted input strings containing malformed language code patterns, leading to excessive CPU consumption and potential denial of service.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "transformers"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.53.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-6638"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-09-15T13:57:49Z",
    "nvd_published_at": "2025-09-12T11:15:31Z",
    "severity": "MODERATE"
  },
  "details": "A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically affecting the MarianTokenizer\u0027s `remove_language_code()` method. This vulnerability is present in version 4.52.4 and has been fixed in version 4.53.0. The issue arises from inefficient regex processing, which can be exploited by crafted input strings containing malformed language code patterns, leading to excessive CPU consumption and potential denial of service.",
  "id": "GHSA-59p9-h35m-wg4g",
  "modified": "2025-09-15T13:57:49Z",
  "published": "2025-09-12T12:30:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6638"
    },
    {
      "type": "WEB",
      "url": "https://github.com/huggingface/transformers/commit/47c34fba5c303576560cb29767efb452ff12b8be"
    },
    {
      "type": "WEB",
      "url": "https://github.com/huggingface/transformers/commit/d37f7517972f67e3f2194c000ed0f87f064e5099"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/huggingface/transformers"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/6a6c933f-9ce8-4ded-8b3b-2c1444c61f36"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Hugging Face Transformers is vulnerable to ReDoS through its MarianTokenizer"
}

Mitigation
Architecture and Design

Use regular expressions that do not support backtracking, e.g. by removing nested quantifiers.

Mitigation
System Configuration

Set backtracking limits in the configuration of the regular expression implementation, such as PHP's pcre.backtrack_limit. Also consider limits on execution time for the process.

Mitigation
Implementation

Do not use regular expressions with untrusted input. If regular expressions must be used, avoid using backtracking in the expression.

Mitigation
Implementation

Limit the length of the input that the regular expression will process.

CAPEC-492: Regular Expression Exponential Blowup

An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions.