CWE-1333
AllowedInefficient Regular Expression Complexity
Abstraction: Base · Status: Draft
The product uses a regular expression with a worst-case computational complexity that is inefficient and possibly exponential.
724 vulnerabilities reference this CWE, most recent first.
GHSA-JJG7-2V4V-X38H
Vulnerability from github – Published: 2024-04-11 21:32 – Updated: 2025-11-05 20:10Impact
A specially crafted argument to the idna.encode() function could consume significant resources. This may lead to a denial-of-service.
Patches
The function has been refined to reject such strings without the associated resource consumption in version 3.7.
Workarounds
Domain names cannot exceed 253 characters in length, if this length limit is enforced prior to passing the domain to the idna.encode() function it should no longer consume significant resources. This is triggered by arbitrarily large inputs that would not occur in normal usage, but may be passed to the library assuming there is no preliminary input validation by the higher-level application.
References
- https://huntr.com/bounties/93d78d07-d791-4b39-a845-cbfabc44aadb
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "idna"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-3651"
],
"database_specific": {
"cwe_ids": [
"CWE-1333",
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2024-04-11T21:32:40Z",
"nvd_published_at": "2024-07-07T18:15:09Z",
"severity": "MODERATE"
},
"details": "### Impact\nA specially crafted argument to the `idna.encode()` function could consume significant resources. This may lead to a denial-of-service.\n\n### Patches\nThe function has been refined to reject such strings without the associated resource consumption in version 3.7.\n\n### Workarounds\nDomain names cannot exceed 253 characters in length, if this length limit is enforced prior to passing the domain to the `idna.encode()` function it should no longer consume significant resources. This is triggered by arbitrarily large inputs that would not occur in normal usage, but may be passed to the library assuming there is no preliminary input validation by the higher-level application.\n\n### References\n* https://huntr.com/bounties/93d78d07-d791-4b39-a845-cbfabc44aadb",
"id": "GHSA-jjg7-2v4v-x38h",
"modified": "2025-11-05T20:10:47Z",
"published": "2024-04-11T21:32:40Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/kjd/idna/security/advisories/GHSA-jjg7-2v4v-x38h"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3651"
},
{
"type": "WEB",
"url": "https://github.com/kjd/idna/commit/1d365e17e10d72d0b7876316fc7b9ca0eebdd38d"
},
{
"type": "PACKAGE",
"url": "https://github.com/kjd/idna"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/idna/PYSEC-2024-60.yaml"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/93d78d07-d791-4b39-a845-cbfabc44aadb"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/05/msg00006.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4YQUPYH3SVZ5GFF2CDQ55FCM575AZTF2"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F2S5E23N6E52S46KGNYTDFB75LOC4N4D"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S5IDLLD2IKSIVRBSLB34WTSYGLMWUFWF"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ULSC7HBJKXB3BZV367WM5BR6DFEC4Z43"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Internationalized Domain Names in Applications (IDNA) vulnerable to denial of service from specially crafted inputs to idna.encode"
}
GHSA-JJHX-JHVP-74WQ
Vulnerability from github – Published: 2024-02-27 21:41 – Updated: 2024-03-01 23:30Possible ReDoS vulnerability in Accept header parsing in Action Dispatch
There is a possible ReDoS vulnerability in the Accept header parsing routines of Action Dispatch. This vulnerability has been assigned the CVE identifier CVE-2024-26142.
Versions Affected: >= 7.1.0, < 7.1.3.1 Not affected: < 7.1.0 Fixed Versions: 7.1.3.1
Impact
Carefully crafted Accept headers can cause Accept header parsing in Action Dispatch to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade or use one of the workarounds immediately.
Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected.
Releases
The fixed releases are available at the normal locations.
Workarounds
There are no feasible workarounds for this issue.
Patches
To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.
- 7-1-accept-redox.patch - Patch for 7.1 series
Credits
Thanks svalkanov for the report and patch!
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "actionpack"
},
"ranges": [
{
"events": [
{
"introduced": "7.1.0"
},
{
"fixed": "7.1.3.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-26142"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2024-02-27T21:41:09Z",
"nvd_published_at": "2024-02-27T16:15:46Z",
"severity": "LOW"
},
"details": "# Possible ReDoS vulnerability in Accept header parsing in Action Dispatch\n\nThere is a possible ReDoS vulnerability in the Accept header parsing routines\nof Action Dispatch. This vulnerability has been assigned the CVE identifier\nCVE-2024-26142.\n\nVersions Affected: \u003e= 7.1.0, \u003c 7.1.3.1\nNot affected: \u003c 7.1.0\nFixed Versions: 7.1.3.1\n\nImpact\n------\nCarefully crafted Accept headers can cause Accept header parsing in Action\nDispatch to take an unexpected amount of time, possibly resulting in a DoS\nvulnerability. All users running an affected release should either upgrade or\nuse one of the workarounds immediately.\n\nRuby 3.2 has mitigations for this problem, so Rails applications using Ruby\n3.2 or newer are unaffected.\n\nReleases\n--------\nThe fixed releases are available at the normal locations.\n\nWorkarounds\n-----------\nThere are no feasible workarounds for this issue.\n\nPatches\n-------\nTo aid users who aren\u0027t able to upgrade immediately we have provided patches for\nthe two supported release series. They are in git-am format and consist of a\nsingle changeset.\n\n* 7-1-accept-redox.patch - Patch for 7.1 series\n\nCredits\n-------\nThanks [svalkanov](https://hackerone.com/svalkanov) for the report and patch!",
"id": "GHSA-jjhx-jhvp-74wq",
"modified": "2024-03-01T23:30:38Z",
"published": "2024-02-27T21:41:09Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/rails/rails/security/advisories/GHSA-jjhx-jhvp-74wq"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26142"
},
{
"type": "WEB",
"url": "https://github.com/rails/rails/commit/b4d3bfb5ed8a5b5a90aad3a3b28860c7a931e272"
},
{
"type": "WEB",
"url": "https://discuss.rubyonrails.org/t/possible-redos-vulnerability-in-accept-header-parsing-in-action-dispatch/84946"
},
{
"type": "PACKAGE",
"url": "https://github.com/rails/rails"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-26142.yml"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Rails has possible ReDoS vulnerability in Accept header parsing in Action Dispatch"
}
GHSA-JJPH-296X-MRCR
Vulnerability from github – Published: 2025-07-07 12:30 – Updated: 2025-07-08 16:38A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically in the get_imports() function within dynamic_module_utils.py. This vulnerability affects versions 4.49.0 and is fixed in version 4.51.0. The issue arises from a regular expression pattern \s*try\s*:.*?except.*?: used to filter out try/except blocks from Python code, which can be exploited to cause excessive CPU consumption through crafted input strings due to catastrophic backtracking. This vulnerability can lead to remote code loading disruption, resource exhaustion in model serving, supply chain attack vectors, and development pipeline disruption.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "transformers"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.51.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-3264"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2025-07-08T16:38:04Z",
"nvd_published_at": "2025-07-07T10:15:27Z",
"severity": "MODERATE"
},
"details": "A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically in the `get_imports()` function within `dynamic_module_utils.py`. This vulnerability affects versions 4.49.0 and is fixed in version 4.51.0. The issue arises from a regular expression pattern `\\s*try\\s*:.*?except.*?:` used to filter out try/except blocks from Python code, which can be exploited to cause excessive CPU consumption through crafted input strings due to catastrophic backtracking. This vulnerability can lead to remote code loading disruption, resource exhaustion in model serving, supply chain attack vectors, and development pipeline disruption.",
"id": "GHSA-jjph-296x-mrcr",
"modified": "2025-07-08T16:38:04Z",
"published": "2025-07-07T12:30:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3264"
},
{
"type": "WEB",
"url": "https://github.com/huggingface/transformers/commit/0720e206c6ba28887e4d60ef60a6a089f6c1cc76"
},
{
"type": "WEB",
"url": "https://github.com/huggingface/transformers/commit/126abe3461762e5fc180e7e614391d1b4ab051ca"
},
{
"type": "PACKAGE",
"url": "https://github.com/huggingface/transformers"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/3c6f7822-9992-476d-8cf0-b0b1623427df"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "Transformers vulnerable to ReDoS attack through its get_imports() function"
}
GHSA-JM96-7WVJ-J3R9
Vulnerability from github – Published: 2026-07-08 21:30 – Updated: 2026-07-08 21:30A flaw was found in guardrails-detectors, a component of Red Hat OpenShift AI. This vulnerability, known as Regular Expression Denial of Service (ReDoS), allows a remote attacker to provide specially crafted regular expressions to the public detection API. This can cause catastrophic backtracking, leading to a worker process consuming 100% CPU indefinitely and resulting in a denial of service for the entire guardrails-mediated LLM pipeline.
{
"affected": [],
"aliases": [
"CVE-2026-15154"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-08T20:16:48Z",
"severity": "MODERATE"
},
"details": "A flaw was found in `guardrails-detectors`, a component of Red Hat OpenShift AI. This vulnerability, known as Regular Expression Denial of Service (ReDoS), allows a remote attacker to provide specially crafted regular expressions to the public detection API. This can cause catastrophic backtracking, leading to a worker process consuming 100% CPU indefinitely and resulting in a denial of service for the entire guardrails-mediated LLM pipeline.",
"id": "GHSA-jm96-7wvj-j3r9",
"modified": "2026-07-08T21:30:27Z",
"published": "2026-07-08T21:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-15154"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-15154"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2498188"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JMP3-39VP-FWG8
Vulnerability from github – Published: 2024-07-11 13:21 – Updated: 2026-06-09 13:05Impact
A bug in Wagtail's parse_query_string would result in it taking a long time to process suitably crafted inputs. When used to parse sufficiently long strings of characters without a space, parse_query_string would take an unexpectedly large amount of time to process, resulting in a denial of service.
In an initial Wagtail installation, the vulnerability can be exploited by any Wagtail admin user. It cannot be exploited by end users. If your Wagtail site has a custom search implementation which uses parse_query_string, it may be exploitable by other users (e.g. unauthenticated users).
Patches
Patched versions have been released as Wagtail 5.2.6, 6.0.6 and 6.1.3.
This vulnerability affects all unpatched versions from Wagtail 2.0 onwards.
Workarounds
Site owners who are unable to upgrade to a patched version can limit the length of search terms passed to parse_query_string. Whilst the performance characteristics will depend on your hosting environment, 1000 characters has been shown to still be fairly fast, without triggering this vulnerability.
No workaround is available for the Wagtail admin usage.
Acknowledgements
Many thanks to Jake Howard for reporting this issue.
For more information
If you have any questions or comments about this advisory:
- Visit Wagtail's support channels
- Email us at security@wagtail.org (view our security policy for more information).
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "wagtail"
},
"ranges": [
{
"events": [
{
"introduced": "6.0"
},
{
"fixed": "6.0.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "wagtail"
},
"ranges": [
{
"events": [
{
"introduced": "6.1"
},
{
"fixed": "6.1.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "wagtail"
},
"ranges": [
{
"events": [
{
"introduced": "2.0"
},
{
"fixed": "5.2.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-39317"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2024-07-11T13:21:42Z",
"nvd_published_at": "2024-07-11T16:15:02Z",
"severity": "HIGH"
},
"details": "### Impact\n\nA bug in Wagtail\u0027s [`parse_query_string`](https://docs.wagtail.org/en/stable/topics/search/searching.html#wagtailsearch-query-string-parsing) would result in it taking a long time to process suitably crafted inputs. When used to parse sufficiently long strings of characters without a space, `parse_query_string` would take an unexpectedly large amount of time to process, resulting in a denial of service.\n\nIn an initial Wagtail installation, the vulnerability can be exploited by any Wagtail admin user. It cannot be exploited by end users. If your Wagtail site has a custom search implementation which uses `parse_query_string`, it may be exploitable by other users (e.g. unauthenticated users).\n\n### Patches\n\nPatched versions have been released as Wagtail 5.2.6, 6.0.6 and 6.1.3.\n\nThis vulnerability affects all unpatched versions from Wagtail 2.0 onwards.\n\n### Workarounds\n\nSite owners who are unable to upgrade to a patched version can limit the length of search terms passed to `parse_query_string`. Whilst the performance characteristics will depend on your hosting environment, 1000 characters has been shown to still be fairly fast, without triggering this vulnerability.\n\nNo workaround is available for the Wagtail admin usage.\n\n### Acknowledgements\n\nMany thanks to [Jake Howard](https://github.com/RealOrangeOne) for reporting this issue.\n\n### For more information\nIf you have any questions or comments about this advisory:\n\n* Visit Wagtail\u0027s [support channels](https://docs.wagtail.io/en/stable/support.html)\n* Email us at [security@wagtail.org](mailto:security@wagtail.org) (view our [security policy](https://github.com/wagtail/wagtail/security/policy) for more information).",
"id": "GHSA-jmp3-39vp-fwg8",
"modified": "2026-06-09T13:05:34Z",
"published": "2024-07-11T13:21:42Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-jmp3-39vp-fwg8"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39317"
},
{
"type": "WEB",
"url": "https://github.com/wagtail/wagtail/commit/31b1e8532dfb1b70d8d37d22aff9cbde9109cdf2"
},
{
"type": "WEB",
"url": "https://github.com/wagtail/wagtail/commit/3c941136f79c48446e3858df46e5b668d7f83797"
},
{
"type": "WEB",
"url": "https://github.com/wagtail/wagtail/commit/b783c096b6d4fd2cfc05f9137a0be288850e99a2"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/wagtail/PYSEC-2024-86.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/wagtail/wagtail"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Wagtail regular expression denial-of-service via search query parsing"
}
GHSA-JQGV-3CH9-C9QV
Vulnerability from github – Published: 2025-03-20 12:32 – Updated: 2025-03-20 12:32A Regular Expression Denial of Service (ReDoS) vulnerability exists in the lunary-ai/lunary repository, specifically in the compileTextTemplate function. The affected version is git be54057. An attacker can exploit this vulnerability by manipulating the regular expression /{{(.*?)}}/g, causing the server to hang indefinitely and become unresponsive to any requests. This is due to the regular expression's susceptibility to second-degree polynomial time complexity, which can be triggered by a large number of braces in the input.
{
"affected": [],
"aliases": [
"CVE-2024-8763"
],
"database_specific": {
"cwe_ids": [
"CWE-1333",
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-20T10:15:43Z",
"severity": "HIGH"
},
"details": "A Regular Expression Denial of Service (ReDoS) vulnerability exists in the lunary-ai/lunary repository, specifically in the compileTextTemplate function. The affected version is git be54057. An attacker can exploit this vulnerability by manipulating the regular expression /{{(.*?)}}/g, causing the server to hang indefinitely and become unresponsive to any requests. This is due to the regular expression\u0027s susceptibility to second-degree polynomial time complexity, which can be triggered by a large number of braces in the input.",
"id": "GHSA-jqgv-3ch9-c9qv",
"modified": "2025-03-20T12:32:48Z",
"published": "2025-03-20T12:32:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8763"
},
{
"type": "WEB",
"url": "https://github.com/lunary-ai/lunary/commit/7ff89b0304d191534b924cf063f3648206d497fa"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/4fb63a6e-0056-4550-a34d-e161de1c13b8"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JR9P-R423-9M2R
Vulnerability from github – Published: 2021-06-02 21:44 – Updated: 2024-09-30 20:15markdown2 >=1.0.1.18, fixed in 2.4.0, is affected by a regular expression denial of service vulnerability. If an attacker provides a malicious string, it can make markdown2 processing difficult or delayed for an extended period of time.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "markdown2"
},
"ranges": [
{
"events": [
{
"introduced": "1.0.1.18"
},
{
"fixed": "2.4.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-26813"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2021-05-12T21:02:47Z",
"nvd_published_at": "2021-03-03T16:15:00Z",
"severity": "HIGH"
},
"details": "markdown2 \u003e=1.0.1.18, fixed in 2.4.0, is affected by a regular expression denial of service vulnerability. If an attacker provides a malicious string, it can make markdown2 processing difficult or delayed for an extended period of time.",
"id": "GHSA-jr9p-r423-9m2r",
"modified": "2024-09-30T20:15:06Z",
"published": "2021-06-02T21:44:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-26813"
},
{
"type": "WEB",
"url": "https://github.com/trentm/python-markdown2/pull/387"
},
{
"type": "WEB",
"url": "https://github.com/trentm/python-markdown2/commit/7b651260739647de5198323e0445b1618750c374"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-jr9p-r423-9m2r"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/markdown2/PYSEC-2021-20.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/trentm/python-markdown2"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BRP5RN35JZTSJ3JT4722F447ZDK7LZS5"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/J752422YELXLMLZJPVJVKD2KKHHQRVEH"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JTIX5UXRDJZJ57DO4V33ZNJTNKWGBQLY"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "markdown2 Regular Expression Denial of Service "
}
GHSA-JV4C-7JQQ-M34X
Vulnerability from github – Published: 2022-05-24 17:40 – Updated: 2024-04-22 23:14It was possible to execute a ReDoS-type attack inside CKEditor 4 before 4.16 by persuading a victim to paste crafted text into the Styles input of specific dialogs (in the Advanced Tab for Dialogs plugin).
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "ckeditor4-dev"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.16"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-26271"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2024-04-22T23:14:44Z",
"nvd_published_at": "2021-01-26T21:15:00Z",
"severity": "MODERATE"
},
"details": "It was possible to execute a ReDoS-type attack inside CKEditor 4 before 4.16 by persuading a victim to paste crafted text into the Styles input of specific dialogs (in the Advanced Tab for Dialogs plugin).",
"id": "GHSA-jv4c-7jqq-m34x",
"modified": "2024-04-22T23:14:44Z",
"published": "2022-05-24T17:40:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-26271"
},
{
"type": "PACKAGE",
"url": "https://github.com/ckeditor/ckeditor4"
},
{
"type": "WEB",
"url": "https://github.com/ckeditor/ckeditor4/blob/major/CHANGES.md#ckeditor-416"
},
{
"type": "WEB",
"url": "https://web.archive.org/web/20210128132707/https://ckeditor.com/blog/CKEditor-4.16-with-improved-image-pasting-High-Contrast-support-and-a-new-color-API/#security-comes-first"
},
{
"type": "WEB",
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "CKEditor 4 ReDoS Vulnerability"
}
GHSA-JVXX-V45P-V5VF
Vulnerability from github – Published: 2022-06-23 06:45 – Updated: 2022-06-29 20:37Impact
Passing some special values to the filter and filterout parameters can cause an abnormally high CPU. Impact on the performance of the servers and RSSHub services.
Patches
It is fixed in 5c4177441417b44a6e45c3c63e9eac2504abeb5b , please update to this or the later versions as soon as possible.
References
Full report: https://github.com/DIYgod/RSSHub/issues/10045
For more information
If you have any questions or comments about this advisory: * Open an issue in https://github.com/DIYgod/RSSHub/issues * Email us at i@diygod.me
Credits
@Rongronggg9
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "rsshub"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-31110"
],
"database_specific": {
"cwe_ids": [
"CWE-1333",
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2022-06-23T06:45:03Z",
"nvd_published_at": "2022-06-29T18:15:00Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nPassing some special values to the `filter` and `filterout` parameters can cause an abnormally high CPU. Impact on the performance of the servers and RSSHub services.\n\n### Patches\n\nIt is fixed in 5c4177441417b44a6e45c3c63e9eac2504abeb5b , please update to this or the later versions as soon as possible.\n\n### References\n\nFull report: https://github.com/DIYgod/RSSHub/issues/10045\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n* Open an issue in \u003chttps://github.com/DIYgod/RSSHub/issues\u003e\n* Email us at [i@diygod.me](mailto:i@diygod.me)\n\n### Credits\n\n@Rongronggg9 \n",
"id": "GHSA-jvxx-v45p-v5vf",
"modified": "2022-06-29T20:37:27Z",
"published": "2022-06-23T06:45:03Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/DIYgod/RSSHub/security/advisories/GHSA-jvxx-v45p-v5vf"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31110"
},
{
"type": "WEB",
"url": "https://github.com/DIYgod/RSSHub/issues/10045"
},
{
"type": "WEB",
"url": "https://github.com/DIYgod/RSSHub/commit/4671720f4c5e1aaaad8fcc1dce684b6546baf2ff"
},
{
"type": "WEB",
"url": "https://github.com/DIYgod/RSSHub/commit/5c4177441417b44a6e45c3c63e9eac2504abeb5b"
},
{
"type": "PACKAGE",
"url": "https://github.com/DIYgod/RSSHub"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "Denial of Service (DoS) vulnerability in RSSHub"
}
GHSA-JXHC-Q857-3J6G
Vulnerability from github – Published: 2021-07-12 16:58 – Updated: 2026-04-06 23:12Impact
Within the URI template implementation in Addressable, a maliciously crafted template may result in uncontrolled resource consumption, leading to denial of service when matched against a URI. In typical usage, templates would not normally be read from untrusted user input, but nonetheless, no previous security advisory for Addressable has cautioned against doing this. Users of the parsing capabilities in Addressable but not the URI template capabilities are unaffected.
Patches
The vulnerability was introduced in version 2.3.0 (previously yanked) and has been present in all subsequent versions up to, and including, 2.7.0. It is fixed in version 2.8.0.
Workarounds
The vulnerability can be avoided by only creating Template objects from trusted sources that have been validated not to produce catastrophic backtracking.
References
- https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS
- https://cwe.mitre.org/data/definitions/1333.html
- https://www.regular-expressions.info/catastrophic.html
For more information
If you have any questions or comments about this advisory: * Open an issue
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.7.0"
},
"package": {
"ecosystem": "RubyGems",
"name": "addressable"
},
"ranges": [
{
"events": [
{
"introduced": "2.3.0"
},
{
"fixed": "2.8.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-32740"
],
"database_specific": {
"cwe_ids": [
"CWE-1333",
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2021-07-06T15:25:32Z",
"nvd_published_at": "2021-07-06T15:15:00Z",
"severity": "HIGH"
},
"details": "### Impact\n\nWithin the URI template implementation in Addressable, a maliciously crafted template may result in uncontrolled resource consumption, leading to denial of service when matched against a URI. In typical usage, templates would not normally be read from untrusted user input, but nonetheless, no previous security advisory for Addressable has cautioned against doing this. Users of the parsing capabilities in Addressable but not the URI template capabilities are unaffected.\n\n### Patches\n\nThe vulnerability was introduced in version 2.3.0 (previously yanked) and has been present in all subsequent versions up to, and including, 2.7.0. It is fixed in version 2.8.0.\n\n### Workarounds\n\nThe vulnerability can be avoided by only creating Template objects from trusted sources that have been validated not to produce catastrophic backtracking.\n\n### References\n\n- https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS\n- https://cwe.mitre.org/data/definitions/1333.html\n- https://www.regular-expressions.info/catastrophic.html\n\n### For more information\nIf you have any questions or comments about this advisory:\n* [Open an issue](https://github.com/sporkmonger/addressable/issues)",
"id": "GHSA-jxhc-q857-3j6g",
"modified": "2026-04-06T23:12:46Z",
"published": "2021-07-12T16:58:33Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/sporkmonger/addressable/security/advisories/GHSA-jxhc-q857-3j6g"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32740"
},
{
"type": "WEB",
"url": "https://github.com/sporkmonger/addressable/commit/0d8a3127e35886ce9284810a7f2438bff6b43cbc"
},
{
"type": "WEB",
"url": "https://github.com/sporkmonger/addressable/commit/89c76130ce255c601f642a018cb5fb5a80e679a7"
},
{
"type": "WEB",
"url": "https://github.com/sporkmonger/addressable/commit/92685096b1f7235ed8986c03ce30a24972eed848#diff-fb36d3dc67e6565ffde17e666a98697f48e76dac38fabf1bb9e97cdf3b583d76"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-jxhc-q857-3j6g"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/addressable/CVE-2021-32740.yml"
},
{
"type": "PACKAGE",
"url": "https://github.com/sporkmonger/addressable"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SDFQM2NHNAZ3NNUQZEJTYECYZYXV4UDS"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WYPVOOQU7UB277UUERJMCNQLRCXRCIQ5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Regular Expression Denial of Service in Addressable templates"
}
Mitigation
Use regular expressions that do not support backtracking, e.g. by removing nested quantifiers.
Mitigation
Set backtracking limits in the configuration of the regular expression implementation, such as PHP's pcre.backtrack_limit. Also consider limits on execution time for the process.
Mitigation
Do not use regular expressions with untrusted input. If regular expressions must be used, avoid using backtracking in the expression.
Mitigation
Limit the length of the input that the regular expression will process.
CAPEC-492: Regular Expression Exponential Blowup
An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions.