Common Weakness Enumeration

CWE-1333

Allowed

Inefficient Regular Expression Complexity

Abstraction: Base · Status: Draft

The product uses a regular expression with a worst-case computational complexity that is inefficient and possibly exponential.

725 vulnerabilities reference this CWE, most recent first.

GHSA-JXHC-Q857-3J6G

Vulnerability from github – Published: 2021-07-12 16:58 – Updated: 2026-04-06 23:12
VLAI
Summary
Regular Expression Denial of Service in Addressable templates
Details

Impact

Within the URI template implementation in Addressable, a maliciously crafted template may result in uncontrolled resource consumption, leading to denial of service when matched against a URI. In typical usage, templates would not normally be read from untrusted user input, but nonetheless, no previous security advisory for Addressable has cautioned against doing this. Users of the parsing capabilities in Addressable but not the URI template capabilities are unaffected.

Patches

The vulnerability was introduced in version 2.3.0 (previously yanked) and has been present in all subsequent versions up to, and including, 2.7.0. It is fixed in version 2.8.0.

Workarounds

The vulnerability can be avoided by only creating Template objects from trusted sources that have been validated not to produce catastrophic backtracking.

References

  • https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS
  • https://cwe.mitre.org/data/definitions/1333.html
  • https://www.regular-expressions.info/catastrophic.html

For more information

If you have any questions or comments about this advisory: * Open an issue

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.7.0"
      },
      "package": {
        "ecosystem": "RubyGems",
        "name": "addressable"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.3.0"
            },
            {
              "fixed": "2.8.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-32740"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333",
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-07-06T15:25:32Z",
    "nvd_published_at": "2021-07-06T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nWithin the URI template implementation in Addressable, a maliciously crafted template may result in uncontrolled resource consumption, leading to denial of service when matched against a URI. In typical usage, templates would not normally be read from untrusted user input, but nonetheless, no previous security advisory for Addressable has cautioned against doing this. Users of the parsing capabilities in Addressable but not the URI template capabilities are unaffected.\n\n### Patches\n\nThe vulnerability was introduced in version 2.3.0 (previously yanked) and has been present in all subsequent versions up to, and including, 2.7.0. It is fixed in version 2.8.0.\n\n### Workarounds\n\nThe vulnerability can be avoided by only creating Template objects from trusted sources that have been validated not to produce catastrophic backtracking.\n\n### References\n\n- https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS\n- https://cwe.mitre.org/data/definitions/1333.html\n- https://www.regular-expressions.info/catastrophic.html\n\n### For more information\nIf you have any questions or comments about this advisory:\n* [Open an issue](https://github.com/sporkmonger/addressable/issues)",
  "id": "GHSA-jxhc-q857-3j6g",
  "modified": "2026-04-06T23:12:46Z",
  "published": "2021-07-12T16:58:33Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/sporkmonger/addressable/security/advisories/GHSA-jxhc-q857-3j6g"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32740"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sporkmonger/addressable/commit/0d8a3127e35886ce9284810a7f2438bff6b43cbc"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sporkmonger/addressable/commit/89c76130ce255c601f642a018cb5fb5a80e679a7"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sporkmonger/addressable/commit/92685096b1f7235ed8986c03ce30a24972eed848#diff-fb36d3dc67e6565ffde17e666a98697f48e76dac38fabf1bb9e97cdf3b583d76"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-jxhc-q857-3j6g"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/addressable/CVE-2021-32740.yml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/sporkmonger/addressable"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SDFQM2NHNAZ3NNUQZEJTYECYZYXV4UDS"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WYPVOOQU7UB277UUERJMCNQLRCXRCIQ5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Regular Expression Denial of Service in Addressable templates"
}

GHSA-M2H2-264F-F486

Vulnerability from github – Published: 2022-05-03 00:00 – Updated: 2025-11-03 22:29
VLAI
Summary
angular vulnerable to regular expression denial of service (ReDoS)
Details

AngularJS lets users write client-side web applications. The package angular after 1.7.0 is vulnerable to Regular Expression Denial of Service (ReDoS) by providing a custom locale rule that makes it possible to assign the parameter in posPre: ' '.repeat() of NUMBER_FORMATS.PATTERNS[1].posPre with a very high value.

Note: 1. This package has been deprecated and is no longer maintained. 2. The vulnerable versions are 1.7.0 and higher.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "angular"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.7.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-25844"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333",
      "CWE-770"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-05-04T20:12:02Z",
    "nvd_published_at": "2022-05-01T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "AngularJS lets users write client-side web applications. The package angular after 1.7.0 is vulnerable to Regular Expression Denial of Service (ReDoS) by providing a custom locale rule that makes it possible to assign the parameter in posPre: \u0027 \u0027.repeat() of NUMBER_FORMATS.PATTERNS[1].posPre with a very high value.\n\n**Note:**\n1. This package has been deprecated and is no longer maintained.\n2. The vulnerable versions are 1.7.0 and higher.",
  "id": "GHSA-m2h2-264f-f486",
  "modified": "2025-11-03T22:29:05Z",
  "published": "2022-05-03T00:00:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25844"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/angular/angular.js"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/07/msg00005.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2WUSPYOTOMAZPDEFPWPSCSPMNODRDKK3"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7LNAKCNTVBIHWAUT3FKWV5N67PQXSZOO"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2WUSPYOTOMAZPDEFPWPSCSPMNODRDKK3"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7LNAKCNTVBIHWAUT3FKWV5N67PQXSZOO"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20220629-0009"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-2772736"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBANGULAR-2772738"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2772737"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JS-ANGULAR-2772735"
    },
    {
      "type": "WEB",
      "url": "https://stackblitz.com/edit/angularjs-material-blank-zvtdvb"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "angular vulnerable to regular expression denial of service (ReDoS)"
}

GHSA-M3F4-957X-M785

Vulnerability from github – Published: 2024-02-12 21:30 – Updated: 2024-03-01 14:41
VLAI
Summary
lambda-middleware Inefficient Regular Expression Complexity vulnerability
Details

A vulnerability, which was classified as problematic, has been found in dbartholomae lambda-middleware frameguard up to 1.0.4. Affected by this issue is some unknown functionality of the file packages/json-deserializer/src/JsonDeserializer.ts of the component JSON Mime-Type Handler. The manipulation leads to inefficient regular expression complexity. Upgrading to version 1.1.0 is able to address this issue. The patch is identified as f689404d830cbc1edd6a1018d3334ff5f44dc6a6. It is recommended to upgrade the affected component. VDB-253406 is the identifier assigned to this vulnerability.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@lambda-middleware/json-deserializer"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-4437"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-02-12T22:39:30Z",
    "nvd_published_at": "2024-02-12T20:15:07Z",
    "severity": "LOW"
  },
  "details": "A vulnerability, which was classified as problematic, has been found in dbartholomae lambda-middleware frameguard up to 1.0.4. Affected by this issue is some unknown functionality of the file packages/json-deserializer/src/JsonDeserializer.ts of the component JSON Mime-Type Handler. The manipulation leads to inefficient regular expression complexity. Upgrading to version 1.1.0 is able to address this issue. The patch is identified as f689404d830cbc1edd6a1018d3334ff5f44dc6a6. It is recommended to upgrade the affected component. VDB-253406 is the identifier assigned to this vulnerability.",
  "id": "GHSA-m3f4-957x-m785",
  "modified": "2024-03-01T14:41:48Z",
  "published": "2024-02-12T21:30:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4437"
    },
    {
      "type": "WEB",
      "url": "https://github.com/dbartholomae/lambda-middleware/pull/57"
    },
    {
      "type": "WEB",
      "url": "https://github.com/dbartholomae/lambda-middleware/commit/f689404d830cbc1edd6a1018d3334ff5f44dc6a6"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/dbartholomae/lambda-middleware"
    },
    {
      "type": "WEB",
      "url": "https://github.com/dbartholomae/lambda-middleware/releases/tag/%40lambda-middleware%2Fframeguard_v1.1.0"
    },
    {
      "type": "WEB",
      "url": "https://github.com/dbartholomae/lambda-middleware/releases/tag/@lambda-middleware/frameguard_v1.1.0"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.253406"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.253406"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "lambda-middleware Inefficient Regular Expression Complexity vulnerability"
}

GHSA-M489-XR35-FJXR

Vulnerability from github – Published: 2021-09-22 20:35 – Updated: 2021-09-22 20:34
VLAI
Summary
Regular Expression Denial of Service in millisecond
Details

Versions of millisecond prior to 0.1.2 are affected by a regular expression denial of service vulnerability when extremely long version strings are parsed.

Proof of concept

var ms = require('millisecond');
var genstr = function (len, chr) {
   var result = "";
   for (i=0; i<=len; i++) {
       result = result + chr;
   }

   return result;
}

ms(genstr(process.argv[2], "5") + " minutea");

Recommendation

Update to version 0.1.2 or later.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "millisecond"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.1.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333",
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-09-22T20:34:42Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "Versions of `millisecond` prior to 0.1.2 are affected by a regular expression denial of service vulnerability when extremely long version strings are parsed.\n\n\n## Proof of concept\n```\nvar ms = require(\u0027millisecond\u0027);\nvar genstr = function (len, chr) {\n   var result = \"\";\n   for (i=0; i\u003c=len; i++) {\n       result = result + chr;\n   }\n\n   return result;\n}\n\nms(genstr(process.argv[2], \"5\") + \" minutea\");\n```\n\n\n## Recommendation\n\nUpdate to version 0.1.2 or later.",
  "id": "GHSA-m489-xr35-fjxr",
  "modified": "2021-09-22T20:34:42Z",
  "published": "2021-09-22T20:35:08Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/unshiftio/millisecond/pull/4"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/advisories/59"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Regular Expression Denial of Service in millisecond"
}

GHSA-M5PQ-GVJ9-9VR8

Vulnerability from github – Published: 2022-03-08 20:00 – Updated: 2022-08-11 20:38
VLAI
Summary
Rust's regex crate vulnerable to regular expression denial of service
Details

This is a cross-post of the official security advisory. The official advisory contains a signed version with our PGP key, as well.

The Rust Security Response WG was notified that the regex crate did not properly limit the complexity of the regular expressions (regex) it parses. An attacker could use this security issue to perform a denial of service, by sending a specially crafted regex to a service accepting untrusted regexes. No known vulnerability is present when parsing untrusted input with trusted regexes.

This issue has been assigned CVE-2022-24713. The severity of this vulnerability is "high" when the regex crate is used to parse untrusted regexes. Other uses of the regex crate are not affected by this vulnerability.

Overview

The regex crate features built-in mitigations to prevent denial of service attacks caused by untrusted regexes, or untrusted input matched by trusted regexes. Those (tunable) mitigations already provide sane defaults to prevent attacks. This guarantee is documented and it's considered part of the crate's API.

Unfortunately a bug was discovered in the mitigations designed to prevent untrusted regexes to take an arbitrary amount of time during parsing, and it's possible to craft regexes that bypass such mitigations. This makes it possible to perform denial of service attacks by sending specially crafted regexes to services accepting user-controlled, untrusted regexes.

Affected versions

All versions of the regex crate before or equal to 1.5.4 are affected by this issue. The fix is include starting from regex 1.5.5.

Mitigations

We recommend everyone accepting user-controlled regexes to upgrade immediately to the latest version of the regex crate.

Unfortunately there is no fixed set of problematic regexes, as there are practically infinite regexes that could be crafted to exploit this vulnerability. Because of this, we do not recommend denying known problematic regexes.

Acknowledgements

We want to thank Addison Crump for responsibly disclosing this to us according to the Rust security policy, and for helping review the fix.

We also want to thank Andrew Gallant for developing the fix, and Pietro Albini for coordinating the disclosure and writing this advisory.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "regex"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.5.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-24713"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333",
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-03-08T20:00:36Z",
    "nvd_published_at": "2022-03-08T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "\u003e This is a cross-post of [the official security advisory][advisory]. The official advisory contains a signed version with our PGP key, as well.\n\n[advisory]: https://groups.google.com/g/rustlang-security-announcements/c/NcNNL1Jq7Yw\n\nThe Rust Security Response WG was notified that the `regex` crate did not properly limit the complexity of the regular expressions (regex) it parses. An attacker could use this security issue to perform a denial of service, by sending a specially crafted regex to a service accepting untrusted regexes. No known vulnerability is present when parsing untrusted input with trusted regexes.\n\nThis issue has been assigned CVE-2022-24713. The severity of this vulnerability is \"high\" when the `regex` crate is used to parse untrusted regexes. Other uses of the `regex` crate are not affected by this vulnerability.\n\n## Overview\n\nThe `regex` crate features built-in mitigations to prevent denial of service attacks caused by untrusted regexes, or untrusted input matched by trusted regexes. Those (tunable) mitigations already provide sane defaults to prevent attacks. This guarantee is documented and it\u0027s considered part of the crate\u0027s API.\n\nUnfortunately a bug was discovered in the mitigations designed to prevent untrusted regexes to take an arbitrary amount of time during parsing, and it\u0027s possible to craft regexes that bypass such mitigations. This makes it possible to perform denial of service attacks by sending specially crafted regexes to services accepting user-controlled, untrusted regexes.\n\n## Affected versions\n\nAll versions of the `regex` crate before or equal to 1.5.4 are affected by this issue. The fix is include starting from  `regex` 1.5.5.\n\n## Mitigations\n\nWe recommend everyone accepting user-controlled regexes to upgrade immediately to the latest version of the `regex` crate.\n\nUnfortunately there is no fixed set of problematic regexes, as there are practically infinite regexes that could be crafted to exploit this vulnerability. Because of this, we do not recommend denying known problematic regexes.\n\n## Acknowledgements\n\nWe want to thank Addison Crump for responsibly disclosing this to us according to the [Rust security policy](https://www.rust-lang.org/policies/security), and for helping review the fix.\n\nWe also want to thank Andrew Gallant for developing the fix, and Pietro Albini for coordinating the disclosure and writing this advisory.",
  "id": "GHSA-m5pq-gvj9-9vr8",
  "modified": "2022-08-11T20:38:52Z",
  "published": "2022-03-08T20:00:36Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/rust-lang/regex/security/advisories/GHSA-m5pq-gvj9-9vr8"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24713"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rust-lang/regex/commit/ae70b41d4f46641dbc45c7a4f87954aea356283e"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rust-lang/regex"
    },
    {
      "type": "WEB",
      "url": "https://groups.google.com/g/rustlang-security-announcements/c/NcNNL1Jq7Yw"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2022/04/msg00003.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2022/04/msg00009.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JANLZ3JXWJR7FSHE57K66UIZUIJZI67T"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O3YB7CURSG64CIPCDPNMGPE4UU24AB6H"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PDOWTHNVGBOP2HN27PUFIGRYNSNDTYRJ"
    },
    {
      "type": "WEB",
      "url": "https://rustsec.org/advisories/RUSTSEC-2022-0013.html"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202208-08"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202208-14"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2022/dsa-5113"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2022/dsa-5118"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Rust\u0027s regex crate vulnerable to regular expression denial of service"
}

GHSA-M95Q-7QP3-XV42

Vulnerability from github – Published: 2023-09-28 21:30 – Updated: 2024-09-06 19:11
VLAI
Summary
Zod denial of service vulnerability
Details

Zod version 3.22.2 allows an attacker to perform a denial of service while validating emails.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.22.2"
      },
      "package": {
        "ecosystem": "npm",
        "name": "zod"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.22.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-4316"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-10-02T16:26:26Z",
    "nvd_published_at": "2023-09-28T21:15:10Z",
    "severity": "MODERATE"
  },
  "details": "Zod version 3.22.2 allows an attacker to perform a denial of service while validating emails.",
  "id": "GHSA-m95q-7qp3-xv42",
  "modified": "2024-09-06T19:11:37Z",
  "published": "2023-09-28T21:30:58Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4316"
    },
    {
      "type": "WEB",
      "url": "https://github.com/colinhacks/zod/issues/2609"
    },
    {
      "type": "WEB",
      "url": "https://github.com/colinhacks/zod/pull/2824"
    },
    {
      "type": "WEB",
      "url": "https://github.com/colinhacks/zod/commit/2ba00fe2377f4d53947a84b8cdb314a63bbd6dd4"
    },
    {
      "type": "WEB",
      "url": "https://fluidattacks.com/advisories/swift"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/colinhacks/zod"
    },
    {
      "type": "WEB",
      "url": "https://github.com/colinhacks/zod/releases/tag/v3.22.3"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/package/zod"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Zod denial of service vulnerability"
}

GHSA-M99Q-R6R6-WXX3

Vulnerability from github – Published: 2024-08-08 12:30 – Updated: 2024-08-08 12:30
VLAI
Details

An issue was discovered in GitLab CE/EE affecting all versions starting from 11.10 prior to 17.0.6, 17.1 prior to 17.1.4, and 17.2 prior to 17.2.2, with the processing logic for parsing invalid commits can lead to a regular expression DoS attack on the server.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-3114"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333",
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-08-08T11:15:12Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in GitLab CE/EE affecting all versions starting from 11.10 prior to 17.0.6, 17.1 prior to 17.1.4, and 17.2 prior to 17.2.2, with the processing logic for parsing invalid commits can lead to a regular expression DoS attack on the server.",
  "id": "GHSA-m99q-r6r6-wxx3",
  "modified": "2024-08-08T12:30:35Z",
  "published": "2024-08-08T12:30:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3114"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/2416630"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/452547"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MF3J-86QX-CQ5J

Vulnerability from github – Published: 2026-03-10 00:57 – Updated: 2026-03-10 18:44
VLAI
Summary
Parse Server has Regular Expression Denial of Service (ReDoS) via `$regex` query in LiveQuery
Details

Impact

A malicious client can subscribe to a LiveQuery with a crafted $regex pattern that causes catastrophic backtracking, blocking the Node.js event loop. This makes the entire Parse Server unresponsive, affecting all clients. Any Parse Server deployment with LiveQuery enabled is affected. The attacker only needs the application ID and JavaScript key, both of which are public in client-side apps.

This only affects LiveQuery subscription matching, which evaluates regex in JavaScript on the Node.js event loop. Normal REST and GraphQL queries are not affected because their regex is evaluated by the database engine.

Patches

Regex evaluation in LiveQuery subscription matching now runs in an isolated VM context with a configurable timeout via a new Parse Server option `liveQuery.regexTimeout, with defaults 100 ms. A regex that exceeds the timeout is treated as non-matching.

The protection adds approximately 50 microseconds of overhead per regex evaluation. For most applications this is negligible, but it can add up if there is a very large number of LiveQuery subscriptions that use $regex on the same class. For example, 10,000 concurrent regex subscriptions would add approximately 500ms of processing time per object save event on that class. Set liveQuery.regexTimeout: 0 to disable the protection and use native regex evaluation without overhead.

Workarounds

Use the beforeSubscribe Cloud Code hook to reject any LiveQuery subscription that contains a $regex operator. Note that this also blocks the LiveQuery startsWith, endsWith, and contains query methods, as they use $regex internally.

// Repeat for each class that is used with LiveQuery
Parse.Cloud.beforeSubscribe('MyClass', request => {
  const where = request.query._where || {};
  for (const value of Object.values(where)) {
    if (value?.$regex) {
      throw new Parse.Error(Parse.Error.OPERATION_FORBIDDEN, '$regex not allowed in LiveQuery subscriptions');
    }
  }
});

References

  • GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-mf3j-86qx-cq5j
  • Fix Parse Server 9: https://github.com/parse-community/parse-server/releases/tag/9.5.0-alpha.14
  • Fix Parse Server 8: https://github.com/parse-community/parse-server/releases/tag/8.6.11
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "parse-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "9.0.0-alpha.1"
            },
            {
              "fixed": "9.5.0-alpha.14"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "parse-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "8.6.11"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-30925"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-10T00:57:18Z",
    "nvd_published_at": "2026-03-10T17:40:16Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nA malicious client can subscribe to a LiveQuery with a crafted `$regex` pattern that causes catastrophic backtracking, blocking the Node.js event loop. This makes the entire Parse Server unresponsive, affecting all clients. Any Parse Server deployment with LiveQuery enabled is affected. The attacker only needs the application ID and JavaScript key, both of which are public in client-side apps.\n\nThis only affects LiveQuery subscription matching, which evaluates regex in JavaScript on the Node.js event loop. Normal REST and GraphQL queries are not affected because their regex is evaluated by the database engine.\n\n### Patches\n\nRegex evaluation in LiveQuery subscription matching now runs in an isolated VM context with a configurable timeout via a new Parse Server option `liveQuery.regexTimeout, with defaults 100 ms. A regex that exceeds the timeout is treated as non-matching.\n\nThe protection adds approximately 50 microseconds of overhead per regex evaluation. For most applications this is negligible, but it can add up if there is a very large number of LiveQuery subscriptions that use `$regex` on the same class. For example, 10,000 concurrent regex subscriptions would add approximately 500ms of processing time per object save event on that class. Set `liveQuery.regexTimeout: 0` to disable the protection and use native regex evaluation without overhead.\n\n### Workarounds\n\nUse the `beforeSubscribe` Cloud Code hook to reject any LiveQuery subscription that contains a `$regex` operator. Note that this also blocks the LiveQuery `startsWith`, `endsWith`, and `contains` query methods, as they use `$regex` internally.\n\n```js\n// Repeat for each class that is used with LiveQuery\nParse.Cloud.beforeSubscribe(\u0027MyClass\u0027, request =\u003e {\n  const where = request.query._where || {};\n  for (const value of Object.values(where)) {\n    if (value?.$regex) {\n      throw new Parse.Error(Parse.Error.OPERATION_FORBIDDEN, \u0027$regex not allowed in LiveQuery subscriptions\u0027);\n    }\n  }\n});\n```\n\n### References\n\n- GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-mf3j-86qx-cq5j\n- Fix Parse Server 9: https://github.com/parse-community/parse-server/releases/tag/9.5.0-alpha.14\n- Fix Parse Server 8: https://github.com/parse-community/parse-server/releases/tag/8.6.11",
  "id": "GHSA-mf3j-86qx-cq5j",
  "modified": "2026-03-10T18:44:28Z",
  "published": "2026-03-10T00:57:18Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-mf3j-86qx-cq5j"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30925"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/parse-community/parse-server"
    },
    {
      "type": "WEB",
      "url": "https://github.com/parse-community/parse-server/releases/tag/8.6.11"
    },
    {
      "type": "WEB",
      "url": "https://github.com/parse-community/parse-server/releases/tag/9.5.0-alpha.14"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Parse Server has Regular Expression Denial of Service (ReDoS) via `$regex` query in LiveQuery"
}

GHSA-MGFV-M47X-4WQP

Vulnerability from github – Published: 2024-10-26 21:30 – Updated: 2025-09-03 15:17
VLAI
Summary
useragent Regular Expression Denial of Service vulnerability
Details

Useragent is a user agent parser for Node.js. All versions as of time of publication contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS).

PoC

async function exploit() {
   const useragent = require(\"useragent\");

   // Create a malicious user-agent that leads to excessive backtracking
   const maliciousUserAgent = 'Mozilla/5.0 (' + 'X'.repeat(30000) + ') Gecko/20100101 Firefox/77.0';

   // Parse the malicious user-agent
   const agent = useragent.parse(maliciousUserAgent);

   // Call the toString method to trigger the vulnerability
   const result = await agent.device.toString();
   console.log(result);
}

await exploit();
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "useragent"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "2.3.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-26311"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-10-28T15:01:50Z",
    "nvd_published_at": "2024-10-26T21:15:14Z",
    "severity": "MODERATE"
  },
  "details": "Useragent is a user agent parser for Node.js. All versions as of time of publication contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS).\n\n## PoC\n```js\nasync function exploit() {\n   const useragent = require(\\\"useragent\\\");\n\n   // Create a malicious user-agent that leads to excessive backtracking\n   const maliciousUserAgent = \u0027Mozilla/5.0 (\u0027 + \u0027X\u0027.repeat(30000) + \u0027) Gecko/20100101 Firefox/77.0\u0027;\n\n   // Parse the malicious user-agent\n   const agent = useragent.parse(maliciousUserAgent);\n\n   // Call the toString method to trigger the vulnerability\n   const result = await agent.device.toString();\n   console.log(result);\n}\n\nawait exploit();\n```",
  "id": "GHSA-mgfv-m47x-4wqp",
  "modified": "2025-09-03T15:17:53Z",
  "published": "2024-10-26T21:30:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26311"
    },
    {
      "type": "WEB",
      "url": "https://github.com/3rd-Eden/useragent/issues/167"
    },
    {
      "type": "WEB",
      "url": "https://github.com/3rd-Eden/useragent/commit/4c3ee79358bea72d88fe78ac98f4f861db40b89b"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/3rd-Eden/useragent"
    },
    {
      "type": "WEB",
      "url": "https://github.com/3rd-Eden/useragent/blob/ffa906f923183c85fbb9e6c90f19345e2bd3c52a/lib/regexps.js#L5568"
    },
    {
      "type": "ADVISORY",
      "url": "https://securitylab.github.com/advisories/GHSL-2020-312-redos-useragent"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green",
      "type": "CVSS_V4"
    }
  ],
  "summary": "useragent Regular Expression Denial of Service vulnerability"
}

GHSA-MHWM-JH88-3GJF

Vulnerability from github – Published: 2025-03-03 22:05 – Updated: 2025-11-04 00:32
VLAI
Summary
CGI has Regular Expression Denial of Service (ReDoS) potential in Util#escapeElement
Details

There is a possibility for Regular expression Denial of Service (ReDoS) by in the cgi gem. This vulnerability has been assigned the CVE identifier CVE-2025-27220. We recommend upgrading the cgi gem.

Details

The regular expression used in CGI::Util#escapeElement is vulnerable to ReDoS. The crafted input could lead to a high CPU consumption.

This vulnerability only affects Ruby 3.1 and 3.2. If you are using these versions, please update CGI gem to version 0.3.5.1, 0.3.7, 0.4.2 or later.

Affected versions

cgi gem versions <= 0.3.5, 0.3.6, 0.4.0 and 0.4.1.

Credits

Thanks to svalkanov for discovering this issue. Also thanks to nobu for fixing this vulnerability.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "cgi"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.3.5.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "cgi"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.3.6"
            },
            {
              "fixed": "0.3.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.3.6"
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "cgi"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.4.0"
            },
            {
              "fixed": "0.4.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-27220"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-03-03T22:05:08Z",
    "nvd_published_at": "2025-03-04T00:15:31Z",
    "severity": "MODERATE"
  },
  "details": "There is a possibility for Regular expression Denial of Service (ReDoS) by in the cgi gem. This vulnerability has been assigned the CVE identifier CVE-2025-27220. We recommend upgrading the cgi gem.\n\n## Details\n\nThe regular expression used in `CGI::Util#escapeElement` is vulnerable to ReDoS. The crafted input could lead to a high CPU consumption.\n\nThis vulnerability only affects Ruby 3.1 and 3.2. If you are using these versions, please update CGI gem to version 0.3.5.1, 0.3.7, 0.4.2 or later.\n\n## Affected versions\n\ncgi gem versions \u003c= 0.3.5, 0.3.6, 0.4.0 and 0.4.1.\n\n## Credits\n\nThanks to svalkanov for discovering this issue.\nAlso thanks to nobu for fixing this vulnerability.",
  "id": "GHSA-mhwm-jh88-3gjf",
  "modified": "2025-11-04T00:32:21Z",
  "published": "2025-03-03T22:05:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27220"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ruby/cgi/pull/52"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ruby/cgi/pull/53"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ruby/cgi/pull/54"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/2890322"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ruby/cgi"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/cgi/CVE-2025-27220.yml"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00008.html"
    },
    {
      "type": "WEB",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-27220"
    },
    {
      "type": "WEB",
      "url": "https://www.ruby-lang.org/en/news/2025/02/26/security-advisories"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "CGI has Regular Expression Denial of Service (ReDoS) potential in Util#escapeElement"
}

Mitigation
Architecture and Design

Use regular expressions that do not support backtracking, e.g. by removing nested quantifiers.

Mitigation
System Configuration

Set backtracking limits in the configuration of the regular expression implementation, such as PHP's pcre.backtrack_limit. Also consider limits on execution time for the process.

Mitigation
Implementation

Do not use regular expressions with untrusted input. If regular expressions must be used, avoid using backtracking in the expression.

Mitigation
Implementation

Limit the length of the input that the regular expression will process.

CAPEC-492: Regular Expression Exponential Blowup

An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions.