CWE-1333
AllowedInefficient Regular Expression Complexity
Abstraction: Base · Status: Draft
The product uses a regular expression with a worst-case computational complexity that is inefficient and possibly exponential.
725 vulnerabilities reference this CWE, most recent first.
GHSA-CQFH-C4C5-C2HG
Vulnerability from github – Published: 2024-03-28 00:31 – Updated: 2025-09-03 15:16RegEx Denial of Service in domain-suffix 1.0.8 allows attackers to crash the application via crafted input to the parse function.
PoC
async function exploit() {
const domainsuffix = require(\"domain-suffix\");
// Crafting a string that will cause excessive backtracking
const maliciousInput = \"a.\".repeat(10000) + \"b\"; // This will create a long sequence of \"a.\" followed by \"b\"
const result = await domainsuffix.domainSuffix.parse(maliciousInput);
}
await exploit();
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "domain-suffix"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.0.8"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-25354"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2024-08-29T18:02:23Z",
"nvd_published_at": "2024-03-27T22:15:10Z",
"severity": "HIGH"
},
"details": "RegEx Denial of Service in domain-suffix 1.0.8 allows attackers to crash the application via crafted input to the parse function.\n\n## PoC\n```js\nasync function exploit() {\n const domainsuffix = require(\\\"domain-suffix\\\");\n // Crafting a string that will cause excessive backtracking\n const maliciousInput = \\\"a.\\\".repeat(10000) + \\\"b\\\"; // This will create a long sequence of \\\"a.\\\" followed by \\\"b\\\"\n const result = await domainsuffix.domainSuffix.parse(maliciousInput);\n}\nawait exploit();\n```",
"id": "GHSA-cqfh-c4c5-c2hg",
"modified": "2025-09-03T15:16:09Z",
"published": "2024-03-28T00:31:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25354"
},
{
"type": "WEB",
"url": "https://gist.github.com/6en6ar/c3b11b4058b8e2bc54717408d451fb79"
},
{
"type": "PACKAGE",
"url": "https://github.com/ikrong/domain-suffix"
},
{
"type": "WEB",
"url": "https://github.com/ikrong/domain-suffix/blob/master/src/domainSuffix.ts"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "domain-suffix RegEx Denial of Service"
}
GHSA-CR84-XVW4-QX3C
Vulnerability from github – Published: 2022-10-25 22:27 – Updated: 2022-10-31 16:02Impact
This impacts users that use shescape to escape arguments:
- for the Unix shell Bash, or any not-officially-supported Unix shell;
- using the
escapeorescapeAllfunctions with theinterpolationoption set totrue.
An attacker can cause polynomial backtracking in terms of the input string length due to a Regular Expression in shescape that is vulnerable to Regular Expression Denial of Service (ReDoS). Example:
import * as shescape from "shescape";
/* 1. Prerequisites */
const options = {
interpolation: true,
// and
shell: "/bin/bash",
// or
shell: "some-not-officially-supported-shell",
// or
shell: undefined, // Only if the system's default shell is bash or an unsupported shell.
};
/* 2. Attack */
let userInput = '{,'.repeat(150_000); // polynomial backtracking
/* 3. Usage */
shescape.escape(userInput, options);
// or
shescape.escapeAll([userInput], options);
Patches
This bug has been patched in v1.6.1 which you can upgrade to now. No further changes required.
Workarounds
Alternatively, a maximum length can be enforced on input strings to shescape to reduce the impact of the vulnerability. It is not recommended to try and detect vulnerable input strings, as the logic for this may end up being vulnerable to ReDoS itself.
References
For more information
- Comment on commit 552e8ea
- Open an issue at https://github.com/ericcornelissen/shescape/issues (New issue > Question > Get started)
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "shescape"
},
"ranges": [
{
"events": [
{
"introduced": "1.5.10"
},
{
"fixed": "1.6.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-25918"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2022-10-25T22:27:32Z",
"nvd_published_at": "2022-10-27T10:15:00Z",
"severity": "HIGH"
},
"details": "### Impact\n\nThis impacts users that use shescape to escape arguments:\n\n- for the Unix shell Bash, or any not-officially-supported Unix shell;\n- using the `escape` or `escapeAll` functions with the `interpolation` option set to `true`.\n\nAn attacker can cause polynomial backtracking in terms of the input string length due to a Regular Expression in shescape that is vulnerable to Regular Expression Denial of Service (ReDoS). Example:\n\n```javascript\nimport * as shescape from \"shescape\";\n\n/* 1. Prerequisites */\nconst options = {\n interpolation: true,\n // and\n shell: \"/bin/bash\",\n // or\n shell: \"some-not-officially-supported-shell\",\n // or\n shell: undefined, // Only if the system\u0027s default shell is bash or an unsupported shell.\n};\n\n/* 2. Attack */\nlet userInput = \u0027{,\u0027.repeat(150_000); // polynomial backtracking\n\n/* 3. Usage */\nshescape.escape(userInput, options);\n// or\nshescape.escapeAll([userInput], options);\n```\n\n### Patches\n\nThis bug has been patched in [v1.6.1](https://github.com/ericcornelissen/shescape/releases/tag/v1.6.1) which you can upgrade to now. No further changes required.\n\n### Workarounds\n\nAlternatively, a maximum length can be enforced on input strings to shescape to reduce the impact of the vulnerability. It is not recommended to try and detect vulnerable input strings, as the logic for this may end up being vulnerable to ReDoS itself.\n\n### References\n\n- Shescape commit [552e8ea](https://github.com/ericcornelissen/shescape/commit/552e8eab56861720b1d4e5474fb65741643358f9)\n- Shescape Release [v1.6.1](https://github.com/ericcornelissen/shescape/releases/tag/v1.6.1)\n\n### For more information\n\n- Comment on commit [552e8ea](https://github.com/ericcornelissen/shescape/commit/552e8eab56861720b1d4e5474fb65741643358f9)\n- Open an issue at [https://github.com/ericcornelissen/shescape/issues](https://github.com/ericcornelissen/shescape/issues?q=is%3Aissue+is%3Aopen) (New issue \u003e Question \u003e Get started)\n",
"id": "GHSA-cr84-xvw4-qx3c",
"modified": "2022-10-31T16:02:55Z",
"published": "2022-10-25T22:27:32Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/ericcornelissen/shescape/security/advisories/GHSA-cr84-xvw4-qx3c"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25918"
},
{
"type": "WEB",
"url": "https://github.com/ericcornelissen/shescape/commit/552e8eab56861720b1d4e5474fb65741643358f9"
},
{
"type": "PACKAGE",
"url": "https://github.com/ericcornelissen/shescape"
},
{
"type": "WEB",
"url": "https://github.com/ericcornelissen/shescape/blob/main/src/unix.js%23L52"
},
{
"type": "WEB",
"url": "https://github.com/ericcornelissen/shescape/releases/tag/v1.6.1"
},
{
"type": "WEB",
"url": "https://security.snyk.io/vuln/SNYK-JS-SHESCAPE-3061108"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Inefficient Regular Expression Complexity in shescape "
}
GHSA-CRJR-9RC5-GHW8
Vulnerability from github – Published: 2022-04-11 21:18 – Updated: 2023-07-06 16:02Summary
Nokogiri < v1.13.4 contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to detect encoding in HTML documents.
Mitigation
Upgrade to Nokogiri >= 1.13.4.
Severity
The Nokogiri maintainers have evaluated this as High Severity 7.5 (CVSS3.1).
References
CWE-1333 Inefficient Regular Expression Complexity
Credit
This vulnerability was reported by HackerOne user ooooooo_q (ななおく).
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "nokogiri"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.13.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-24836"
],
"database_specific": {
"cwe_ids": [
"CWE-1333",
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2022-04-11T21:18:06Z",
"nvd_published_at": "2022-04-11T22:15:00Z",
"severity": "HIGH"
},
"details": "## Summary\n\nNokogiri `\u003c v1.13.4` contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to detect encoding in HTML documents.\n\n## Mitigation\n\nUpgrade to Nokogiri `\u003e= 1.13.4`.\n\n\n## Severity\n\nThe Nokogiri maintainers have evaluated this as [**High Severity** 7.5 (CVSS3.1)](https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).\n\n\n## References\n\n[CWE-1333](https://cwe.mitre.org/data/definitions/1333.html) Inefficient Regular Expression Complexity\n\n\n## Credit\n\nThis vulnerability was reported by HackerOne user ooooooo_q (\u306a\u306a\u304a\u304f).\n",
"id": "GHSA-crjr-9rc5-ghw8",
"modified": "2023-07-06T16:02:37Z",
"published": "2022-04-11T21:18:06Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-crjr-9rc5-ghw8"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24836"
},
{
"type": "WEB",
"url": "https://github.com/sparklemotion/nokogiri/commit/e444525ef1634b675cd1cf52d39f4320ef0aecfd"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2022-24836.yml"
},
{
"type": "PACKAGE",
"url": "https://github.com/sparklemotion/nokogiri"
},
{
"type": "WEB",
"url": "https://github.com/sparklemotion/nokogiri/releases/tag/v1.13.4"
},
{
"type": "WEB",
"url": "https://groups.google.com/g/ruby-security-ann/c/vX7qSjsvWis/m/TJWN4oOKBwAJ?utm_medium=email\u0026utm_source=footer"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00013.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2022/10/msg00018.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DHCOWMA5PQTIQIMDENA7R2Y5BDYAIYM"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OUPLBUZVM4WPFSXBEP2JS3R6LMKRTLFC"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XMDCWRQXJQ3TFSETPCEFMQ6RR6ME5UA3"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202208-29"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT213532"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2022/Dec/23"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Nokogiri Inefficient Regular Expression Complexity"
}
GHSA-CW56-J3FM-7W57
Vulnerability from github – Published: 2022-05-18 00:00 – Updated: 2023-07-11 16:35In Apache ShenYui, ShenYu-Bootstrap, RegexPredicateJudge.java uses Pattern.matches(conditionData.getParamValue(), realData) to make judgments, where both parameters are controllable by the user. This can cause an attacker pass in malicious regular expressions and characters causing a resource exhaustion. This issue affects Apache ShenYu (incubating) 2.4.0, 2.4.1 and 2.4.2 and is fixed in 2.4.3.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.shenyu:shenyu"
},
"ranges": [
{
"events": [
{
"introduced": "2.4.0"
},
{
"fixed": "2.4.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.shenyu:shenyu-bootstrap"
},
"ranges": [
{
"events": [
{
"introduced": "2.4.0"
},
{
"fixed": "2.4.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-26650"
],
"database_specific": {
"cwe_ids": [
"CWE-1333",
"CWE-862"
],
"github_reviewed": true,
"github_reviewed_at": "2022-05-25T19:36:33Z",
"nvd_published_at": "2022-05-17T08:15:00Z",
"severity": "HIGH"
},
"details": "In Apache ShenYui, ShenYu-Bootstrap, RegexPredicateJudge.java uses Pattern.matches(conditionData.getParamValue(), realData) to make judgments, where both parameters are controllable by the user. This can cause an attacker pass in malicious regular expressions and characters causing a resource exhaustion. This issue affects Apache ShenYu (incubating) 2.4.0, 2.4.1 and 2.4.2 and is fixed in 2.4.3.",
"id": "GHSA-cw56-j3fm-7w57",
"modified": "2023-07-11T16:35:32Z",
"published": "2022-05-18T00:00:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-26650"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/incubator-shenyu"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/8rp33m3nm4bwtx3qx76mqynth3t3d673"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2022/05/17/3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Regular expression denial of service in Apache ShenYu"
}
GHSA-F45G-68Q3-5W8X
Vulnerability from github – Published: 2026-03-10 21:04 – Updated: 2026-03-10 22:55Impact
t.String({ format: 'url' }) is vulnerable to redos
Repeating a partial url format (protocol and hostname) multiple times cause regex to slow down significantly
'http://a'.repeat(n)
Here's a table demonstrating how long it takes to process repeated partial url format
| n repeat | elapsed_ms |
| --- | --- |
| 1024 | 33.993 |
| 2048 | 134.357 |
| 4096 | 537.608 |
| 8192 | 2155.842 |
| 16384 | 8618.457 |
| 32768 | 34604.139 |
Patches
Patched by 1.4.26, please kindly update elysia to >= 1.4.26
Here's how long it takes after the patch
| n repeat | elapsed_ms |
| --- | --- |
| 1024 | 0.194 |
| 2048 | 0.274 |
| 4096 | 0.455 |
| 8192 | 0.831 |
| 16384 | 1.632 |
| 32768 | 3.052 |
Workarounds
- It's recommended to always limit URL format to a reasonable length
t.String({
format: 'url',
maxLength: 288
})
- If a long URL format is necessary, to patch this without updating to 1.4.26, add the following code to any part of your codebase
import { FormatRegistry } from '@sinclair/typebox'
FormatRegistry.Delete('url')
FormatRegistry.Set('url', (value) =>
/^(?:https?|ftp):\/\/(?:[^\s:@]+(?::[^\s@]*)?@)?(?:(?!(?:10|127)(?:\.\d{1,3}){3})(?!(?:169\.254|192\.168)(?:\.\d{1,3}){2})(?!172\.(?:1[6-9]|2\d|3[0-1])(?:\.\d{1,3}){2})(?:[1-9]\d?|1\d\d|2[01]\d|22[0-3])(?:\.(?:1?\d{1,2}|2[0-4]\d|25[0-5])){2}(?:\.(?:[1-9]\d?|1\d\d|2[0-4]\d|25[0-4]))|(?:(?:[a-z0-9\u{00a1}-\u{ffff}]+-)*[a-z0-9\u{00a1}-\u{ffff}]+)(?:\.(?:[a-z0-9\u{00a1}-\u{ffff}]+-)*[a-z0-9\u{00a1}-\u{ffff}]+)*(?:\.(?:[a-z\u{00a1}-\u{ffff}]{2,})))(?::\d{2,5})?(?:\/[^\s]*)?$/iu.test(
value
)
)
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "elysia"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.4.26"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-30837"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-10T21:04:25Z",
"nvd_published_at": "2026-03-10T21:16:47Z",
"severity": "HIGH"
},
"details": "### Impact\n`t.String({ format: \u0027url\u0027 })` is vulnerable to redos\n\nRepeating a partial url format (protocol and hostname) multiple times cause regex to slow down significantly\n```js\n\u0027http://a\u0027.repeat(n)\n```\n\nHere\u0027s a table demonstrating how long it takes to process repeated partial url format\n| `n` repeat | elapsed_ms |\n| --- | --- |\n| 1024 | 33.993 |\n| 2048 | 134.357 |\n| 4096 | 537.608 |\n| 8192 | 2155.842 |\n| 16384 | 8618.457 |\n| 32768 | 34604.139 |\n\n### Patches\nPatched by 1.4.26, please kindly update `elysia` to \u003e= 1.4.26 \n\nHere\u0027s how long it takes after the patch\n| `n` repeat | elapsed_ms |\n| --- | --- |\n| 1024 | 0.194 |\n| 2048 | 0.274 |\n| 4096 | 0.455 |\n| 8192 | 0.831 |\n| 16384 | 1.632 |\n| 32768 | 3.052 |\n\n### Workarounds\n1. It\u0027s recommended to always limit URL format to a reasonable length\n```ts\nt.String({\n\tformat: \u0027url\u0027,\n\tmaxLength: 288\n})\n```\n\n2. If a long URL format is necessary, to patch this without updating to 1.4.26, add the following code to any part of your codebase\n```js\nimport { FormatRegistry } from \u0027@sinclair/typebox\u0027\n\nFormatRegistry.Delete(\u0027url\u0027)\nFormatRegistry.Set(\u0027url\u0027, (value) =\u003e\n\t/^(?:https?|ftp):\\/\\/(?:[^\\s:@]+(?::[^\\s@]*)?@)?(?:(?!(?:10|127)(?:\\.\\d{1,3}){3})(?!(?:169\\.254|192\\.168)(?:\\.\\d{1,3}){2})(?!172\\.(?:1[6-9]|2\\d|3[0-1])(?:\\.\\d{1,3}){2})(?:[1-9]\\d?|1\\d\\d|2[01]\\d|22[0-3])(?:\\.(?:1?\\d{1,2}|2[0-4]\\d|25[0-5])){2}(?:\\.(?:[1-9]\\d?|1\\d\\d|2[0-4]\\d|25[0-4]))|(?:(?:[a-z0-9\\u{00a1}-\\u{ffff}]+-)*[a-z0-9\\u{00a1}-\\u{ffff}]+)(?:\\.(?:[a-z0-9\\u{00a1}-\\u{ffff}]+-)*[a-z0-9\\u{00a1}-\\u{ffff}]+)*(?:\\.(?:[a-z\\u{00a1}-\\u{ffff}]{2,})))(?::\\d{2,5})?(?:\\/[^\\s]*)?$/iu.test(\n\t\tvalue\n\t)\n)\n```",
"id": "GHSA-f45g-68q3-5w8x",
"modified": "2026-03-10T22:55:50Z",
"published": "2026-03-10T21:04:25Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/elysiajs/elysia/security/advisories/GHSA-f45g-68q3-5w8x"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30837"
},
{
"type": "WEB",
"url": "https://github.com/EdamAme-x/elysia-poc-redos"
},
{
"type": "PACKAGE",
"url": "https://github.com/elysiajs/elysia"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Elysia has a string URL format ReDoS"
}
GHSA-F522-FFG8-J8R6
Vulnerability from github – Published: 2017-10-24 18:33 – Updated: 2025-10-17 17:50Version of is-my-json-valid before 2.12.4 are vulnerable to regular expression denial of service (ReDoS) via the email validation function.
Recommendation
Update to version 2.12.4 or later.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "is-my-json-valid"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.12.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2016-2537"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2020-06-16T21:33:36Z",
"nvd_published_at": "2016-02-23T05:59:01Z",
"severity": "HIGH"
},
"details": "Version of `is-my-json-valid` before 2.12.4 are vulnerable to regular expression denial of service (ReDoS) via the email validation function.\n\n\n## Recommendation\n\nUpdate to version 2.12.4 or later.",
"id": "GHSA-f522-ffg8-j8r6",
"modified": "2025-10-17T17:50:27Z",
"published": "2017-10-24T18:33:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-2537"
},
{
"type": "WEB",
"url": "https://github.com/github/advisory-database/pull/4850"
},
{
"type": "WEB",
"url": "https://github.com/mafintosh/is-my-json-valid/pull/159"
},
{
"type": "WEB",
"url": "https://github.com/mafintosh/is-my-json-valid/commit/b3051b277f7caa08cd2edc6f74f50aeda65d2976"
},
{
"type": "WEB",
"url": "https://github.com/mafintosh/is-my-json-valid/commit/eca4beb21e61877d76fdf6bea771f72f39544d9b"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/317548"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-f522-ffg8-j8r6"
},
{
"type": "PACKAGE",
"url": "https://github.com/mafintosh/is-my-json-valid"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/advisories/572"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/advisories/76"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Regular Expression Denial of Service in is-my-json-valid"
}
GHSA-F5XG-CFPJ-2MW6
Vulnerability from github – Published: 2025-06-09 21:30 – Updated: 2025-06-09 23:08A vulnerability was found in tarojs taro up to 4.1.1. It has been declared as problematic. This vulnerability affects unknown code of the file taro/packages/css-to-react-native/src/index.js. The manipulation leads to inefficient regular expression complexity. The attack can be initiated remotely. Upgrading to version 4.1.2 is able to address this issue. The name of the patch is c2e321a8b6fc873427c466c69f41ed0b5e8814bf. It is recommended to upgrade the affected component.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "taro-css-to-react-native"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.1.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-5896"
],
"database_specific": {
"cwe_ids": [
"CWE-1333",
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2025-06-09T23:08:45Z",
"nvd_published_at": "2025-06-09T21:15:47Z",
"severity": "MODERATE"
},
"details": "A vulnerability was found in tarojs taro up to 4.1.1. It has been declared as problematic. This vulnerability affects unknown code of the file taro/packages/css-to-react-native/src/index.js. The manipulation leads to inefficient regular expression complexity. The attack can be initiated remotely. Upgrading to version 4.1.2 is able to address this issue. The name of the patch is c2e321a8b6fc873427c466c69f41ed0b5e8814bf. It is recommended to upgrade the affected component.",
"id": "GHSA-f5xg-cfpj-2mw6",
"modified": "2025-06-09T23:08:45Z",
"published": "2025-06-09T21:30:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-5896"
},
{
"type": "WEB",
"url": "https://github.com/NervJS/taro/pull/17619"
},
{
"type": "WEB",
"url": "https://github.com/NervJS/taro/commit/c2e321a8b6fc873427c466c69f41ed0b5e8814bf"
},
{
"type": "PACKAGE",
"url": "https://github.com/NervJS/taro"
},
{
"type": "WEB",
"url": "https://github.com/NervJS/taro/releases/tag/v4.1.2"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.311668"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.311668"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.585796"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "taro-css-to-react-native Regular Expression Denial of Service vulnerability"
}
GHSA-F8Q6-P94X-37V3
Vulnerability from github – Published: 2022-10-18 12:00 – Updated: 2024-02-14 18:15A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "minimatch"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.0.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-3517"
],
"database_specific": {
"cwe_ids": [
"CWE-1333",
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2022-10-20T18:21:03Z",
"nvd_published_at": "2022-10-17T20:15:00Z",
"severity": "HIGH"
},
"details": "A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.",
"id": "GHSA-f8q6-p94x-37v3",
"modified": "2024-02-14T18:15:16Z",
"published": "2022-10-18T12:00:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3517"
},
{
"type": "WEB",
"url": "https://github.com/grafana/grafana-image-renderer/issues/329"
},
{
"type": "WEB",
"url": "https://github.com/nodejs/node/issues/42510"
},
{
"type": "WEB",
"url": "https://github.com/isaacs/minimatch/commit/a8763f4388e51956be62dc6025cec1126beeb5e6"
},
{
"type": "PACKAGE",
"url": "https://github.com/isaacs/minimatch"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00011.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "minimatch ReDoS vulnerability"
}
GHSA-F8WW-P9XJ-CM59
Vulnerability from github – Published: 2023-01-12 06:30 – Updated: 2023-01-18 21:30An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.8 before 15.5.7, all versions starting from 15.6 before 15.6.4, all versions starting from 15.7 before 15.7.2. An attacker may cause Denial of Service on a GitLab instance by exploiting a regex issue in how the application parses user agents.
{
"affected": [],
"aliases": [
"CVE-2022-4131"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-01-12T04:15:00Z",
"severity": "MODERATE"
},
"details": "An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.8 before 15.5.7, all versions starting from 15.6 before 15.6.4, all versions starting from 15.7 before 15.7.2. An attacker may cause Denial of Service on a GitLab instance by exploiting a regex issue in how the application parses user agents.",
"id": "GHSA-f8ww-p9xj-cm59",
"modified": "2023-01-18T21:30:21Z",
"published": "2023-01-12T06:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4131"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/1772063"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-4131.json"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/383598"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-F9V8-6C5P-2WHH
Vulnerability from github – Published: 2023-06-07 18:30 – Updated: 2024-04-04 04:39An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.0 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. A Regular Expression Denial of Service was possible via sending crafted payloads to the preview_markdown endpoint.
{
"affected": [],
"aliases": [
"CVE-2023-2199"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-07T17:15:10Z",
"severity": "HIGH"
},
"details": "An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.0 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. A Regular Expression Denial of Service was possible via sending crafted payloads to the preview_markdown endpoint.",
"id": "GHSA-f9v8-6c5p-2whh",
"modified": "2024-04-04T04:39:39Z",
"published": "2023-06-07T18:30:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2199"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/1943819"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2023/CVE-2023-2199.json"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/408272"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Use regular expressions that do not support backtracking, e.g. by removing nested quantifiers.
Mitigation
Set backtracking limits in the configuration of the regular expression implementation, such as PHP's pcre.backtrack_limit. Also consider limits on execution time for the process.
Mitigation
Do not use regular expressions with untrusted input. If regular expressions must be used, avoid using backtracking in the expression.
Mitigation
Limit the length of the input that the regular expression will process.
CAPEC-492: Regular Expression Exponential Blowup
An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions.