CWE-1333
AllowedInefficient Regular Expression Complexity
Abstraction: Base · Status: Draft
The product uses a regular expression with a worst-case computational complexity that is inefficient and possibly exponential.
725 vulnerabilities reference this CWE, most recent first.
GHSA-FW2V-V7VP-PCCQ
Vulnerability from github – Published: 2024-10-26 21:30 – Updated: 2024-10-26 21:30Validate.js provides a declarative way of validating javascript objects. All versions as of 30 November 2020 contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS). As of time of publication, it is unknown if any patches are available.
{
"affected": [],
"aliases": [
"CVE-2020-26310"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-26T21:15:14Z",
"severity": "HIGH"
},
"details": "Validate.js provides a declarative way of validating javascript objects. All versions as of 30 November 2020 contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS). As of time of publication, it is unknown if any patches are available.",
"id": "GHSA-fw2v-v7vp-pccq",
"modified": "2024-10-26T21:30:46Z",
"published": "2024-10-26T21:30:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26310"
},
{
"type": "WEB",
"url": "https://github.com/blowsie/Pure-JavaScript-HTML5-Parser/issues/14"
},
{
"type": "ADVISORY",
"url": "https://securitylab.github.com/advisories/GHSL-2020-305-redos-Pure-JavaScript-HTML5-Parser"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Green",
"type": "CVSS_V4"
}
]
}
GHSA-FW3V-X4F2-V673
Vulnerability from github – Published: 2022-07-26 00:00 – Updated: 2024-09-25 20:07In Mistune through 2.0.2, support of inline markup is implemented by using regular expressions that can involve a high amount of backtracking on certain edge cases. This behavior is commonly named catastrophic backtracking.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "mistune"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0a1"
},
{
"fixed": "2.0.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-34749"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2022-07-29T22:24:56Z",
"nvd_published_at": "2022-07-25T23:15:00Z",
"severity": "HIGH"
},
"details": "In Mistune through 2.0.2, support of inline markup is implemented by using regular expressions that can involve a high amount of backtracking on certain edge cases. This behavior is commonly named catastrophic backtracking.",
"id": "GHSA-fw3v-x4f2-v673",
"modified": "2024-09-25T20:07:25Z",
"published": "2022-07-26T00:00:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34749"
},
{
"type": "WEB",
"url": "https://github.com/lepture/mistune/issues/314#issuecomment-1223972386"
},
{
"type": "WEB",
"url": "https://github.com/lepture/mistune/commit/a6d43215132fe4f3d93f8d7e90ba83b16a0838b2"
},
{
"type": "WEB",
"url": "https://github.com/lepture/mistune/commit/ca1e7b506850f4e488823fc7338b49a8f9852718"
},
{
"type": "PACKAGE",
"url": "https://github.com/lepture/mistune"
},
{
"type": "WEB",
"url": "https://github.com/lepture/mistune/releases"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/mistune/PYSEC-2022-237.yaml"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TQHXITQ2DSBYOILKHXBSBB7PFBPZHF63"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Mistune vulnerable to catastrophic backtracking"
}
GHSA-FXJ4-P9XP-37V5
Vulnerability from github – Published: 2026-06-17 18:47 – Updated: 2026-06-17 18:47Summary
The fix for CVE-2026-45367 added RegexTimeout protection to the matches() function in DSTU2016MAY, DSTU3, R4, R4B, and R5, but the DSTU2 module was incompletely patched. In org.hl7.fhir.dstu2, replaceMatches() was updated while matches() at line 2462 still calls the raw String.matches(sw) without any timeout, allowing an unauthenticated attacker to trigger catastrophic regex backtracking and exhaust server CPU.
Details
Incomplete patch
Within the same file
(org.hl7.fhir.dstu2/utils/FHIRPathEngine.java), the two functions were
patched inconsistently:
Line 2226 — replaceMatches() — PATCHED:
result.add(new StringType(
RegexTimeout.replaceAll(
convertToString(focus.get(0)), regex, repl, regexTimeoutMillis)));
Line 2462 — matches() — NOT PATCHED:
result.add(new BooleanType(
convertToString(focus.get(0)).matches(sw)));
// ↑ raw String.matches() — no RegexTimeout, no complexity check
DSTU3 line 2447 — matches() — PATCHED (for comparison):
result.add(new BooleanType(
RegexTimeout.matches(st, sw, regexTimeoutMillis)));
Module-by-module status
| Module | matches() |
replaceMatches() |
|---|---|---|
| DSTU2 | ❌ raw str.matches(sw) |
✅ RegexTimeout.replaceAll() |
| DSTU2016MAY | ✅ RegexTimeout.matches() |
✅ |
| DSTU3 | ✅ RegexTimeout.matches() |
✅ |
| R4 | ✅ RegexTimeout.matches() |
✅ |
| R4B | ✅ RegexTimeout.matches() |
✅ |
| R5 | ✅ RegexTimeout.matches() |
✅ |
PoC
Requirements: Java 17+, Maven 3.8+
pom.xml dependencies:
<dependency>
<groupId>ca.uhn.hapi.fhir</groupId>
<artifactId>org.hl7.fhir.utilities</artifactId>
<version>6.9.7</version>
</dependency>
Test code (reproduces the exact behaviour of DSTU2 line 2462):
import org.hl7.fhir.utilities.regex.RegexTimeout;
import java.util.concurrent.*;
String regex = "((a|b){0,5}){20}";
String input = "a".repeat(25) + "c"; // no match → full backtracking
// ① Patched approach — RegexTimeout terminates at 500 ms
long t1 = System.currentTimeMillis();
try {
RegexTimeout.matches(input, regex, 500);
} catch (TimeoutException e) {
System.out.println("RegexTimeout blocked in " +
(System.currentTimeMillis() - t1) + " ms");
}
// ② DSTU2 line 2462 — raw String.matches(), no timeout
long t2 = System.currentTimeMillis();
input.matches(regex); // equivalent to what FHIRPathEngine does
System.out.println("str.matches() ran for " +
(System.currentTimeMillis() - t2) + " ms with no timeout");
Verified output (JDK 25.0.3, Linux):
RegexTimeout blocked in 508 ms ← patched modules: attack stopped
str.matches() ran for 1410 ms ← DSTU2: no timeout, CPU exhausted
The patched approach cuts off the evaluation at 508 ms. The unpatched DSTU2 code runs for 1410 ms on this input with no mechanism to stop it. Longer inputs or more complex patterns produce proportionally worse results.
Impact
Vulnerability type: Regular Expression Denial of Service (ReDoS) causing CPU exhaustion and service disruption.
Who is impacted: Any application using the ca.uhn.hapi.fhir:org.hl7.fhir.dstu2 module that evaluates user-supplied FHIRPath expressions — including the FHIR Validator HTTP endpoint, FHIR servers applying FHIRPath invariants from user-provided resources or profiles, and any system embedding FHIRPathEngine from the DSTU2 module. No authentication is required; an attacker needs only to submit a FHIR resource or FHIRPath expression whose matches() argument contains a catastrophically backtracking regular expression.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 6.9.9"
},
"package": {
"ecosystem": "Maven",
"name": "ca.uhn.hapi.fhir:org.hl7.fhir.dstu2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.9.10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 6.9.9"
},
"package": {
"ecosystem": "Maven",
"name": "ca.uhn.hapi.fhir:org.hl7.fhir.convertors"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.9.10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 6.9.9"
},
"package": {
"ecosystem": "Maven",
"name": "ca.uhn.hapi.fhir:org.hl7.fhir.validation"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.9.10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 6.9.9"
},
"package": {
"ecosystem": "Maven",
"name": "ca.uhn.hapi.fhir:org.hl7.fhir.validation.cli"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.9.10"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-55470"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-17T18:47:23Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "## Summary\nThe fix for CVE-2026-45367 added `RegexTimeout` protection to the `matches()` function in DSTU2016MAY, DSTU3, R4, R4B, and R5, but the DSTU2 module was incompletely patched. In `org.hl7.fhir.dstu2`, `replaceMatches()` was updated while `matches()` at line 2462 still calls the raw `String.matches(sw)` without any timeout, allowing an unauthenticated attacker to trigger catastrophic regex backtracking and exhaust server CPU.\n\n\n## Details\n### Incomplete patch\n\nWithin the same file\n(`org.hl7.fhir.dstu2/utils/FHIRPathEngine.java`), the two functions were\npatched inconsistently:\n\n**Line 2226 \u2014 replaceMatches() \u2014 PATCHED:**\n```java\nresult.add(new StringType(\n RegexTimeout.replaceAll(\n convertToString(focus.get(0)), regex, repl, regexTimeoutMillis)));\n```\n\n**Line 2462 \u2014 matches() \u2014 NOT PATCHED:**\n```java\nresult.add(new BooleanType(\n convertToString(focus.get(0)).matches(sw)));\n// \u2191 raw String.matches() \u2014 no RegexTimeout, no complexity check\n```\n\n**DSTU3 line 2447 \u2014 matches() \u2014 PATCHED (for comparison):**\n```java\nresult.add(new BooleanType(\n RegexTimeout.matches(st, sw, regexTimeoutMillis)));\n```\n\n### Module-by-module status\n\n| Module | `matches()` | `replaceMatches()` |\n|---|---|---|\n| **DSTU2** | \u274c raw `str.matches(sw)` | \u2705 `RegexTimeout.replaceAll()` |\n| DSTU2016MAY | \u2705 `RegexTimeout.matches()` | \u2705 |\n| DSTU3 | \u2705 `RegexTimeout.matches()` | \u2705 |\n| R4 | \u2705 `RegexTimeout.matches()` | \u2705 |\n| R4B | \u2705 `RegexTimeout.matches()` | \u2705 |\n| R5 | \u2705 `RegexTimeout.matches()` | \u2705 |\n\n\n## PoC\n**Requirements:** Java 17+, Maven 3.8+\n\n**pom.xml dependencies:**\n```xml\n\u003cdependency\u003e\n \u003cgroupId\u003eca.uhn.hapi.fhir\u003c/groupId\u003e\n \u003cartifactId\u003eorg.hl7.fhir.utilities\u003c/artifactId\u003e\n \u003cversion\u003e6.9.7\u003c/version\u003e\n\u003c/dependency\u003e\n```\n\n**Test code (reproduces the exact behaviour of DSTU2 line 2462):**\n```java\nimport org.hl7.fhir.utilities.regex.RegexTimeout;\nimport java.util.concurrent.*;\n\nString regex = \"((a|b){0,5}){20}\";\nString input = \"a\".repeat(25) + \"c\"; // no match \u2192 full backtracking\n\n// \u2460 Patched approach \u2014 RegexTimeout terminates at 500 ms\nlong t1 = System.currentTimeMillis();\ntry {\n RegexTimeout.matches(input, regex, 500);\n} catch (TimeoutException e) {\n System.out.println(\"RegexTimeout blocked in \" +\n (System.currentTimeMillis() - t1) + \" ms\");\n}\n\n// \u2461 DSTU2 line 2462 \u2014 raw String.matches(), no timeout\nlong t2 = System.currentTimeMillis();\ninput.matches(regex); // equivalent to what FHIRPathEngine does\nSystem.out.println(\"str.matches() ran for \" +\n (System.currentTimeMillis() - t2) + \" ms with no timeout\");\n```\n\n**Verified output (JDK 25.0.3, Linux):**\n```\nRegexTimeout blocked in 508 ms \u2190 patched modules: attack stopped\nstr.matches() ran for 1410 ms \u2190 DSTU2: no timeout, CPU exhausted\n```\n\nThe patched approach cuts off the evaluation at 508 ms. The unpatched DSTU2\ncode runs for 1410 ms on this input with no mechanism to stop it. Longer\ninputs or more complex patterns produce proportionally worse results.\n\n\n## Impact\n**Vulnerability type:** Regular Expression Denial of Service (ReDoS) causing CPU exhaustion and service disruption.\n\n**Who is impacted:** Any application using the `ca.uhn.hapi.fhir:org.hl7.fhir.dstu2` module that evaluates user-supplied FHIRPath expressions \u2014 including the FHIR Validator HTTP endpoint, FHIR servers applying FHIRPath invariants from user-provided resources or profiles, and any system embedding `FHIRPathEngine` from the DSTU2 module. No authentication is required; an attacker needs only to submit a FHIR resource or FHIRPath expression whose `matches()` argument contains a catastrophically backtracking regular expression.",
"id": "GHSA-fxj4-p9xp-37v5",
"modified": "2026-06-17T18:47:23Z",
"published": "2026-06-17T18:47:23Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/hapifhir/org.hl7.fhir.core/security/advisories/GHSA-fxj4-p9xp-37v5"
},
{
"type": "PACKAGE",
"url": "https://github.com/hapifhir/org.hl7.fhir.core"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "HAPI FHIR: Incomplete fix for CVE-2026-45367: DSTU2 FHIRPathEngine.matches() missing RegexTimeout protection allows ReDoS"
}
GHSA-FXX2-62XV-VCPH
Vulnerability from github – Published: 2023-04-12 15:30 – Updated: 2024-04-04 03:25Void Tools Everything lower than v1.4.1.1022 was discovered to contain a Regular Expression Denial of Service (ReDoS).
{
"affected": [],
"aliases": [
"CVE-2023-27704"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-04-12T14:15:00Z",
"severity": "MODERATE"
},
"details": "Void Tools Everything lower than v1.4.1.1022 was discovered to contain a Regular Expression Denial of Service (ReDoS).",
"id": "GHSA-fxx2-62xv-vcph",
"modified": "2024-04-04T03:25:11Z",
"published": "2023-04-12T15:30:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27704"
},
{
"type": "WEB",
"url": "https://drive.google.com/drive/folders/1BmHAGSugrFo0whDEmg6nnbaOkvE21X-p?usp=sharing"
},
{
"type": "WEB",
"url": "https://github.com/happy0717/CVE-2023-27704"
},
{
"type": "WEB",
"url": "https://www.voidtools.com/en-us/downloads"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-G3PV-PJ5F-3HFQ
Vulnerability from github – Published: 2023-01-18 00:30 – Updated: 2025-12-22 16:31mechanize, a library for automatically interacting with HTTP web servers, contains a regular expression that is vulnerable to regular expression denial of service (ReDoS) prior to version 0.4.6. If a web server responds in a malicious way, then mechanize could crash. Version 0.4.6 has a patch for the issue.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "mechanize"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.4.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-32837"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2023-01-20T23:35:49Z",
"nvd_published_at": "2023-01-17T22:15:00Z",
"severity": "HIGH"
},
"details": "mechanize, a library for automatically interacting with HTTP web servers, contains a regular expression that is vulnerable to regular expression denial of service (ReDoS) prior to version 0.4.6. If a web server responds in a malicious way, then mechanize could crash. Version 0.4.6 has a patch for the issue.",
"id": "GHSA-g3pv-pj5f-3hfq",
"modified": "2025-12-22T16:31:05Z",
"published": "2023-01-18T00:30:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32837"
},
{
"type": "WEB",
"url": "https://github.com/python-mechanize/mechanize/commit/dd05334448e9f39814bab044d2eaa5ef69b410d6"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/mechanize/PYSEC-2023-25.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/python-mechanize/mechanize"
},
{
"type": "WEB",
"url": "https://github.com/python-mechanize/mechanize/blob/3acb1836f3fd8edc5a758a417dd46b53832ae3b5/mechanize/_urllib2_fork.py#L878-L879"
},
{
"type": "WEB",
"url": "https://github.com/python-mechanize/mechanize/releases/tag/v0.4.6"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2023/06/msg00022.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/12/msg00028.html"
},
{
"type": "ADVISORY",
"url": "https://securitylab.github.com/advisories/GHSL-2021-108-python-mechanize-mechanize"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "mechanize Regular Expression Denial of Service vulnerability"
}
GHSA-G4JQ-25CX-3CW5
Vulnerability from github – Published: 2026-07-02 21:32 – Updated: 2026-07-02 21:32LobeChat before version 2.2.10-canary.15 contains a regular expression denial of service (ReDoS) vulnerability that allows authenticated attackers to block the Node.js event loop by supplying a catastrophic-backtracking pattern in a GitHub repository URL path during skill import. Attackers can craft a malicious basePath value containing unescaped regex metacharacters such as catastrophic-backtracking patterns, which are injected into a dynamically constructed regular expression in the findSkillMd function and executed synchronously against archive entries, denying service to all concurrent users for tens of seconds per request.
{
"affected": [],
"aliases": [
"CVE-2026-58578"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-02T20:17:06Z",
"severity": "HIGH"
},
"details": "LobeChat before version 2.2.10-canary.15 contains a regular expression denial of service (ReDoS) vulnerability that allows authenticated attackers to block the Node.js event loop by supplying a catastrophic-backtracking pattern in a GitHub repository URL path during skill import. Attackers can craft a malicious basePath value containing unescaped regex metacharacters such as catastrophic-backtracking patterns, which are injected into a dynamically constructed regular expression in the findSkillMd function and executed synchronously against archive entries, denying service to all concurrent users for tens of seconds per request.",
"id": "GHSA-g4jq-25cx-3cw5",
"modified": "2026-07-02T21:32:13Z",
"published": "2026-07-02T21:32:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-58578"
},
{
"type": "WEB",
"url": "https://github.com/lobehub/lobehub/issues/16494"
},
{
"type": "WEB",
"url": "https://github.com/lobehub/lobehub/pull/16548"
},
{
"type": "WEB",
"url": "https://github.com/lobehub/lobehub/commit/349bbe326eb8635d6d9c6a96d12702681ae3a84a"
},
{
"type": "WEB",
"url": "https://github.com/lobehub/lobehub/releases/tag/v2.2.10-canary.15"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/lobechat-canary-15-regular-expression-denial-of-service-in-github-skill-import"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-G75F-G53V-794X
Vulnerability from github – Published: 2026-06-16 14:07 – Updated: 2026-06-16 14:07Summary
Bleach 6.3.0 exposes a documented email-linkification path through bleach.linkify(..., parse_email=True). The implementation scans attacker-controlled text with EMAIL_RE.finditer() over the full character token and has no length, timeout, or linear prefilter before applying the dot-atom email regex. A non-email payload around 30 KB causes multi-second CPU consumption per request/call, creating a direct availability risk for applications that enable email linkification on user-submitted text.
Affected Product
- Package:
bleach - Ecosystem: pip
- Affected versions: verified in
6.3.0; exact first affected version not established - Patched versions: none known at finalization time
- Tested version:
6.3.0 - Audit commit/tag:
v6.3.0/5546d5dbce60d08ccb99d981778d74044d646d4e - PyPI sdist SHA256:
6f3b91b1c0a02bb9a78b5a454c92506aa0fdf197e1d5e114d2e00c6f64306d22
Vulnerability Details
- CWE: CWE-1333: Inefficient Regular Expression Complexity; related availability impact maps to CWE-400
- Component:
bleach/linkifier.py,build_email_re(),LinkifyFilter.handle_email_addresses() - Root cause:
handle_email_addresses()callsself.email_re.finditer(text)on attacker-controlled text.EMAIL_REincludes a repeated dot-atom local-part pattern, so non-email strings such as repeateda.segments with no@force repeated long failing scans. - Security boundary violated: user-submitted text processed by a documented safe linkification helper should not allow an attacker to impose superlinear CPU cost through non-email text.
- Direct impact: per-request CPU exhaustion / denial-of-service risk in applications that enable
parse_email=Trueon attacker-controlled text. - Chain impact, if any: one proof run observed an unrelated
/healthrequest delayed during a concurrent attack request, but this was not reliable across reviewer retests. Treat cross-request service degradation as environment-dependent supporting evidence, not the primary impact. - Severity estimate: Medium / availability-only. The feature is opt-in and deployment body limits/timeouts affect practical severity.
Relevant code path:
- bleach/__init__.py:85-125: public linkify(text, ..., parse_email=False) constructs Linker(..., parse_email=parse_email) and calls linker.linkify(text).
- bleach/linkifier.py:77-88: EMAIL_RE is compiled from the dot-atom email pattern.
- bleach/linkifier.py:292-301: handle_email_addresses() applies self.email_re.finditer(text) to each character token.
- bleach/linkifier.py:620-623: character tokens are routed into email handling only when parse_email is true.
- docs/goals.rst:30-40: Bleach documents user comments, profile bios, and descriptions as target untrusted text use cases.
- docs/linkify.rst:300-305: parse_email=True is the documented option for creating mailto: links.
Attack Preconditions
- The consuming application enables the documented
parse_email=Trueoption, for examplebleach.linkify(user_text, parse_email=True)orLinker(parse_email=True).linkify(user_text). - The attacker can submit text that reaches that linkification path. Authentication depends on the host application; a public comment form would make this unauthenticated, while account-only text fields require user privileges.
- The application allows roughly 20-30 KB of text to reach Bleach and lacks a strict timeout or input cap before linkification.
- No custom bounded
email_reis supplied.
Reproduction
Minimal API trigger:
import bleach
payload = ("a." * 15000) + "a"
bleach.linkify(payload, parse_email=True)
The saved HTTP proof uses a local harness with POST /preview calling bleach.linkify(request_body, parse_email=True) and a control endpoint using parse_email=False on the same payload. The exploit sends baseline/control/attack requests over HTTP to 127.0.0.1.
Proof Evidence
The proof ran against Bleach 6.3.0 installed from the audited local checkout in an isolated temporary venv. It used Python 3.12.3 on Linux.
Measured HTTP proof results:
- Payload: ("a." * 15000) + "a" (30001 bytes)
- Normal baseline /preview mean: 0.001425 seconds
- Same 30 KB payload with parse_email=False: 0.048349 seconds
- Attack payload with parse_email=True: 8.719818 seconds
- Slowdown versus the larger baseline/control mean: 180.35x
- Requests sent by proof: 20
Evidence files: poc.py poc_results.json exploit_proof.py exploit_results.json
Scope and Limitations
- This report does not claim XSS, authentication bypass, data disclosure, remote code execution, persistent crash, or persistent service outage.
parse_email=Trueis not the default. The affected path is a documented opt-in feature.- The exact first affected version is not established.
- Practical impact depends on host application input limits, worker model, request timeout policy, and whether untrusted users can submit text to an email-linkification path.
- A reviewer reproduced the direct CPU cost but did not reproduce the proof harness’s
/healthdelay. The direct impact claim is therefore limited to per-request CPU exhaustion. - Bleach is marked deprecated in
README.rst, andSECURITY.mdhas stale supported-version text, but the package still has a 2025 PyPI release and published Mozilla security reporting routes.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "bleach"
},
"versions": [
"6.3.0"
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-16T14:07:30Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "## Summary\nBleach 6.3.0 exposes a documented email-linkification path through `bleach.linkify(..., parse_email=True)`. The implementation scans attacker-controlled text with `EMAIL_RE.finditer()` over the full character token and has no length, timeout, or linear prefilter before applying the dot-atom email regex. A non-email payload around 30 KB causes multi-second CPU consumption per request/call, creating a direct availability risk for applications that enable email linkification on user-submitted text.\n\n## Affected Product\n- Package: `bleach`\n- Ecosystem: pip\n- Affected versions: verified in `6.3.0`; exact first affected version not established\n- Patched versions: none known at finalization time\n- Tested version: `6.3.0`\n- Audit commit/tag: `v6.3.0` / `5546d5dbce60d08ccb99d981778d74044d646d4e`\n- PyPI sdist SHA256: `6f3b91b1c0a02bb9a78b5a454c92506aa0fdf197e1d5e114d2e00c6f64306d22`\n\n## Vulnerability Details\n- CWE: CWE-1333: Inefficient Regular Expression Complexity; related availability impact maps to CWE-400\n- Component: `bleach/linkifier.py`, `build_email_re()`, `LinkifyFilter.handle_email_addresses()`\n- Root cause: `handle_email_addresses()` calls `self.email_re.finditer(text)` on attacker-controlled text. `EMAIL_RE` includes a repeated dot-atom local-part pattern, so non-email strings such as repeated `a.` segments with no `@` force repeated long failing scans.\n- Security boundary violated: user-submitted text processed by a documented safe linkification helper should not allow an attacker to impose superlinear CPU cost through non-email text.\n- Direct impact: per-request CPU exhaustion / denial-of-service risk in applications that enable `parse_email=True` on attacker-controlled text.\n- Chain impact, if any: one proof run observed an unrelated `/health` request delayed during a concurrent attack request, but this was not reliable across reviewer retests. Treat cross-request service degradation as environment-dependent supporting evidence, not the primary impact.\n- Severity estimate: Medium / availability-only. The feature is opt-in and deployment body limits/timeouts affect practical severity.\n\nRelevant code path:\n- `bleach/__init__.py:85-125`: public `linkify(text, ..., parse_email=False)` constructs `Linker(..., parse_email=parse_email)` and calls `linker.linkify(text)`.\n- `bleach/linkifier.py:77-88`: `EMAIL_RE` is compiled from the dot-atom email pattern.\n- `bleach/linkifier.py:292-301`: `handle_email_addresses()` applies `self.email_re.finditer(text)` to each character token.\n- `bleach/linkifier.py:620-623`: character tokens are routed into email handling only when `parse_email` is true.\n- `docs/goals.rst:30-40`: Bleach documents user comments, profile bios, and descriptions as target untrusted text use cases.\n- `docs/linkify.rst:300-305`: `parse_email=True` is the documented option for creating `mailto:` links.\n\n## Attack Preconditions\n- The consuming application enables the documented `parse_email=True` option, for example `bleach.linkify(user_text, parse_email=True)` or `Linker(parse_email=True).linkify(user_text)`.\n- The attacker can submit text that reaches that linkification path. Authentication depends on the host application; a public comment form would make this unauthenticated, while account-only text fields require user privileges.\n- The application allows roughly 20-30 KB of text to reach Bleach and lacks a strict timeout or input cap before linkification.\n- No custom bounded `email_re` is supplied.\n\n## Reproduction\nMinimal API trigger:\n\n```python\nimport bleach\npayload = (\"a.\" * 15000) + \"a\"\nbleach.linkify(payload, parse_email=True)\n```\n\nThe saved HTTP proof uses a local harness with `POST /preview` calling `bleach.linkify(request_body, parse_email=True)` and a control endpoint using `parse_email=False` on the same payload. The exploit sends baseline/control/attack requests over HTTP to `127.0.0.1`.\n\n## Proof Evidence\nThe proof ran against Bleach `6.3.0` installed from the audited local checkout in an isolated temporary venv. It used Python `3.12.3` on Linux.\n\nMeasured HTTP proof results:\n- Payload: `(\"a.\" * 15000) + \"a\"` (`30001` bytes)\n- Normal baseline `/preview` mean: `0.001425` seconds\n- Same 30 KB payload with `parse_email=False`: `0.048349` seconds\n- Attack payload with `parse_email=True`: `8.719818` seconds\n- Slowdown versus the larger baseline/control mean: `180.35x`\n- Requests sent by proof: `20`\n\nEvidence files:\n[poc.py](https://github.com/user-attachments/files/27129729/poc.py)\n[poc_results.json](https://github.com/user-attachments/files/27129737/poc_results.json)\n[exploit_proof.py](https://github.com/user-attachments/files/27129751/exploit_proof.py)\n[exploit_results.json](https://github.com/user-attachments/files/27129752/exploit_results.json)\n\n## Scope and Limitations\n- This report does not claim XSS, authentication bypass, data disclosure, remote code execution, persistent crash, or persistent service outage.\n- `parse_email=True` is not the default. The affected path is a documented opt-in feature.\n- The exact first affected version is not established.\n- Practical impact depends on host application input limits, worker model, request timeout policy, and whether untrusted users can submit text to an email-linkification path.\n- A reviewer reproduced the direct CPU cost but did not reproduce the proof harness\u2019s `/health` delay. The direct impact claim is therefore limited to per-request CPU exhaustion.\n- Bleach is marked deprecated in `README.rst`, and `SECURITY.md` has stale supported-version text, but the package still has a 2025 PyPI release and published Mozilla security reporting routes.",
"id": "GHSA-g75f-g53v-794x",
"modified": "2026-06-16T14:07:30Z",
"published": "2026-06-16T14:07:30Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/mozilla/bleach/security/advisories/GHSA-g75f-g53v-794x"
},
{
"type": "PACKAGE",
"url": "https://github.com/mozilla/bleach"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "Bleach linkify(parse_email=True) CPU exhaustion via unbounded email regex scanning"
}
GHSA-GPVJ-GP8C-C7P2
Vulnerability from github – Published: 2023-02-12 15:30 – Updated: 2026-02-03 17:53A vulnerability has been found in simple-markdown 0.5.1 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file simple-markdown.js. The manipulation leads to inefficient regular expression complexity. The attack can be launched remotely. Upgrading to version 0.5.2 is able to address this issue. The name of the patch is 89797fef9abb4cab2fb76a335968266a92588816. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-220639.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "simple-markdown"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.5.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2019-25103"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2023-02-14T01:02:08Z",
"nvd_published_at": "2023-02-12T15:15:00Z",
"severity": "HIGH"
},
"details": "A vulnerability has been found in simple-markdown 0.5.1 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file simple-markdown.js. The manipulation leads to inefficient regular expression complexity. The attack can be launched remotely. Upgrading to version 0.5.2 is able to address this issue. The name of the patch is 89797fef9abb4cab2fb76a335968266a92588816. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-220639.",
"id": "GHSA-gpvj-gp8c-c7p2",
"modified": "2026-02-03T17:53:00Z",
"published": "2023-02-12T15:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25103"
},
{
"type": "WEB",
"url": "https://github.com/Khan/simple-markdown/issues/71"
},
{
"type": "WEB",
"url": "https://github.com/ariabuckles/simple-markdown/commit/89797fef9abb4cab2fb76a335968266a92588816"
},
{
"type": "PACKAGE",
"url": "https://github.com/ariabuckles/simple-markdown"
},
{
"type": "WEB",
"url": "https://github.com/ariabuckles/simple-markdown/releases/tag/0.5.2"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JS-SIMPLEMARKDOWN-460540"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.220639"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.220639"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Regular Expression Denial of Service in simple-markdown"
}
GHSA-GQV6-F424-3G7H
Vulnerability from github – Published: 2024-02-16 09:30 – Updated: 2024-08-23 00:31An issue in alanclarke URLite v.3.1.0 allows an attacker to cause a denial of service (DoS) via a crafted payload to the parsing function.
{
"affected": [],
"aliases": [
"CVE-2023-51931"
],
"database_specific": {
"cwe_ids": [
"CWE-1333",
"CWE-20"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-16T09:15:08Z",
"severity": "HIGH"
},
"details": "An issue in alanclarke URLite v.3.1.0 allows an attacker to cause a denial of service (DoS) via a crafted payload to the parsing function.",
"id": "GHSA-gqv6-f424-3g7h",
"modified": "2024-08-23T00:31:37Z",
"published": "2024-02-16T09:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51931"
},
{
"type": "WEB",
"url": "https://github.com/alanclarke/urlite/issues/61"
},
{
"type": "WEB",
"url": "https://gist.github.com/6en6ar/c792d8337b63f095cbda907e834cb4ba"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-GWRP-82JW-P87Q
Vulnerability from github – Published: 2024-04-30 15:30 – Updated: 2024-07-03 18:37An issue in OpenStack Storlets yoga-eom allows a remote attacker to execute arbitrary code via the gateway.py component.
{
"affected": [],
"aliases": [
"CVE-2024-28716"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-30T15:15:52Z",
"severity": "HIGH"
},
"details": "An issue in OpenStack Storlets yoga-eom allows a remote attacker to execute arbitrary code via the gateway.py component.",
"id": "GHSA-gwrp-82jw-p87q",
"modified": "2024-07-03T18:37:40Z",
"published": "2024-04-30T15:30:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28716"
},
{
"type": "WEB",
"url": "https://bugs.launchpad.net/solum/+bug/2047505"
},
{
"type": "WEB",
"url": "https://drive.google.com/file/d/11x-6CjWCyap8_W1JpVzun56HQkPNLtWT/view?usp=drive_link"
},
{
"type": "WEB",
"url": "https://gist.github.com/Fewword/f098d8d6375ac25e27b18c0e57be532f"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Use regular expressions that do not support backtracking, e.g. by removing nested quantifiers.
Mitigation
Set backtracking limits in the configuration of the regular expression implementation, such as PHP's pcre.backtrack_limit. Also consider limits on execution time for the process.
Mitigation
Do not use regular expressions with untrusted input. If regular expressions must be used, avoid using backtracking in the expression.
Mitigation
Limit the length of the input that the regular expression will process.
CAPEC-492: Regular Expression Exponential Blowup
An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions.