Common Weakness Enumeration

CWE-1333

Allowed

Inefficient Regular Expression Complexity

Abstraction: Base · Status: Draft

The product uses a regular expression with a worst-case computational complexity that is inefficient and possibly exponential.

724 vulnerabilities reference this CWE, most recent first.

GHSA-VP3X-9QPG-Q385

Vulnerability from github – Published: 2025-01-04 15:30 – Updated: 2025-01-04 15:30
VLAI
Details

IBM Engineering Lifecycle Optimization - Publishing 7.0.2 and 7.0.3 could allow a remote attacker to cause a denial of service using a complex regular expression.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-41766"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-04T15:15:06Z",
    "severity": "HIGH"
  },
  "details": "IBM Engineering Lifecycle Optimization - Publishing 7.0.2 and 7.0.3  could allow a remote attacker to cause a denial of service using a complex regular expression.",
  "id": "GHSA-vp3x-9qpg-q385",
  "modified": "2025-01-04T15:30:45Z",
  "published": "2025-01-04T15:30:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41766"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7180203"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VP56-6G26-6827

Vulnerability from github – Published: 2022-08-02 00:00 – Updated: 2022-08-04 17:37
VLAI
Summary
node-fetch Inefficient Regular Expression Complexity
Details

node-fetch is a light-weight module that brings window.fetch to node.js.

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) in the isOriginPotentiallyTrustworthy() function in referrer.js, when processing a URL string with alternating letters and periods, such as 'http://' + 'a.a.'.repeat(i) + 'a'.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "node-fetch"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0"
            },
            {
              "fixed": "3.2.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-2596"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333",
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-08-04T17:37:24Z",
    "nvd_published_at": "2022-08-01T15:15:00Z",
    "severity": "MODERATE"
  },
  "details": "[node-fetch](https://www.npmjs.com/package/node-fetch) is a light-weight module that brings window.fetch to node.js.\n\nAffected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) in the `isOriginPotentiallyTrustworthy()` function in `referrer.js`, when processing a URL string with alternating letters and periods, such as `\u0027http://\u0027 + \u0027a.a.\u0027.repeat(i) + \u0027a\u0027`.",
  "id": "GHSA-vp56-6g26-6827",
  "modified": "2022-08-04T17:37:24Z",
  "published": "2022-08-02T00:00:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2596"
    },
    {
      "type": "WEB",
      "url": "https://github.com/node-fetch/node-fetch/pull/1611"
    },
    {
      "type": "WEB",
      "url": "https://github.com/node-fetch/node-fetch/commit/28802387292baee467e042e168d92597b5bbbe3d"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/node-fetch/node-fetch"
    },
    {
      "type": "WEB",
      "url": "https://github.com/node-fetch/node-fetch/releases/tag/v3.2.10"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/a7e6a136-0a4b-46c4-ad20-802f1dd60bf7"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "node-fetch Inefficient Regular Expression Complexity "
}

GHSA-VQC4-V8HC-H2JG

Vulnerability from github – Published: 2022-08-31 22:23 – Updated: 2022-09-08 14:11
VLAI
Summary
Polynomial regular expression used on uncontrolled data in nitrado.js
Details

Impact

Possible ReDoS with lib input of {{ and with many repetitions of {{|

Patches

Patched in all versions above 0.2.5

Workarounds

No known work arounds.

References

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "nitrado.js"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.2.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-36034"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-08-31T22:23:39Z",
    "nvd_published_at": "2022-08-29T17:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nPossible ReDoS with lib input of `{{` and with many repetitions of `{{|`\n\n### Patches\nPatched in all versions above `0.2.5`\n\n### Workarounds\nNo known work arounds.\n\n### References\n- OWASP: [Regular expression Denial of Service - ReDoS](https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS)\n- Wikipedia: [ReDoS](https://en.wikipedia.org/wiki/ReDoS).\n- Wikipedia: [Time complexity](https://en.wikipedia.org/wiki/Time_complexity).\n- James Kirrage, Asiri Rathnayake, Hayo Thielecke: [Static Analysis for Regular Expression Denial-of-Service Attack](http://www.cs.bham.ac.uk/~hxt/research/reg-exp-sec.pdf).\n- Common Weakness Enumeration: [CWE-1333](https://cwe.mitre.org/data/definitions/1333.html).\n- Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n\n\n",
  "id": "GHSA-vqc4-v8hc-h2jg",
  "modified": "2022-09-08T14:11:35Z",
  "published": "2022-08-31T22:23:39Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/cainthebest/nitrado.js/security/advisories/GHSA-vqc4-v8hc-h2jg"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36034"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/cainthebest/nitrado.js"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cainthebest/nitrado.js/blob/v0.2.5/CHANGELOG.md"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Polynomial regular expression used on uncontrolled data in nitrado.js"
}

GHSA-VQHP-CXGC-6WMM

Vulnerability from github – Published: 2020-03-30 19:45 – Updated: 2025-03-20 18:49
VLAI
Summary
regular expression denial-of-service (ReDoS) in Bleach
Details

Impact

bleach.clean behavior parsing style attributes could result in a regular expression denial of service (ReDoS).

Calls to bleach.clean with an allowed tag with an allowed style attribute are vulnerable to ReDoS. For example, bleach.clean(..., attributes={'a': ['style']}).

Patches

3.1.4

Workarounds

  • do not whitelist the style attribute in bleach.clean calls

  • limit input string length

References

  • https://bugzilla.mozilla.org/show_bug.cgi?id=1623633
  • https://www.regular-expressions.info/redos.html
  • https://blog.r2c.dev/posts/finding-python-redos-bugs-at-scale-using-dlint-and-r2c/
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6817

Credits

  • Reported by schwag09 of r2c

For more information

If you have any questions or comments about this advisory:

  • Open an issue at https://github.com/mozilla/bleach/issues
  • Email us at security@mozilla.org
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "bleach"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.1.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-6817"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333",
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-03-27T19:58:38Z",
    "nvd_published_at": "2023-02-16T22:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\n`bleach.clean` behavior parsing style attributes could result in a regular expression denial of service (ReDoS).\n\nCalls to ``bleach.clean`` with an allowed tag with an allowed ``style`` attribute are vulnerable to ReDoS. For example, ``bleach.clean(..., attributes={\u0027a\u0027: [\u0027style\u0027]})``.\n\n### Patches\n\n3.1.4\n\n### Workarounds\n\n* do not whitelist the style attribute in `bleach.clean` calls\n\n* limit input string length\n\n### References\n\n* https://bugzilla.mozilla.org/show_bug.cgi?id=1623633\n* https://www.regular-expressions.info/redos.html\n* https://blog.r2c.dev/posts/finding-python-redos-bugs-at-scale-using-dlint-and-r2c/\n* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6817\n\n### Credits\n\n* Reported by schwag09 of r2c\n\n### For more information\nIf you have any questions or comments about this advisory:\n\n* Open an issue at https://github.com/mozilla/bleach/issues\n* Email us at security@mozilla.org",
  "id": "GHSA-vqhp-cxgc-6wmm",
  "modified": "2025-03-20T18:49:18Z",
  "published": "2020-03-30T19:45:56Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/mozilla/bleach/security/advisories/GHSA-vqhp-cxgc-6wmm"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-6817"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1623633"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mozilla/bleach"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mozilla/bleach/releases/tag/v3.1.4"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/bleach/PYSEC-2020-340.yaml"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-PYTHON-BLEACH-561754"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "regular expression denial-of-service (ReDoS) in Bleach"
}

GHSA-VQPR-J7V3-HQW9

Vulnerability from github – Published: 2025-11-26 19:33 – Updated: 2025-11-26 19:33
VLAI
Summary
Valibot has a ReDoS vulnerability in `EMOJI_REGEX`
Details

Summary

The EMOJI_REGEX used in the emoji action is vulnerable to a Regular Expression Denial of Service (ReDoS) attack. A short, maliciously crafted string (e.g., <100 characters) can cause the regex engine to consume excessive CPU time (minutes), leading to a Denial of Service (DoS) for the application.

Details

The ReDoS vulnerability stems from "catastrophic backtracking" in the EMOJI_REGEX. This is caused by ambiguity in the regex pattern due to overlapping character classes.

Specifically, the class \p{Emoji_Presentation} overlaps with more specific classes used in the same alternation, such as [\u{1F1E6}-\u{1F1FF}] (regional indicator symbols used for flags) and \p{Emoji_Modifier_Base}.

When the regex engine attempts to match a string that almost matches but ultimately fails (like the one in the PoC), this ambiguity forces it to explore an exponential number of possible paths. The matching time increases exponentially with the length of the crafted input, rather than linearly.

PoC

The following code demonstrates the vulnerability.

import * as v from 'valibot';

const schema = v.object({
  x: v.pipe(v.string(), v.emoji()),
});

const attackString = '\u{1F1E6}'.repeat(49) + '0';

console.log(`Input length: ${attackString.length}`);
console.log('Starting parse... (This will take a long time)');

// On my machine, a length of 99 takes approximately 2 minutes.
console.time();
try {
  v.parse(schema, {x: attackString });
} catch (e) {}
console.timeEnd();

Impact

Any project using Valibot's emoji validation on user-controllable input is vulnerable to a Denial of Service attack.

An attacker can block server resources (e.g., a web server's event loop) by submitting a short string to any endpoint that uses this validation. This is particularly dangerous because the attack string is short enough to bypass typical input length restrictions (e.g., maxLength(100)).

Recommended Fix

The root cause is the overlapping character classes. This can be resolved by making the alternatives mutually exclusive, typically by using negative lookaheads ((?!...)) to subtract the specific classes from the more general one.

The following modified EMOJI_REGEX applies this principle:

export const EMOJI_REGEX: RegExp =
  // eslint-disable-next-line redos-detector/no-unsafe-regex, regexp/no-dupe-disjunctions -- false positives
  /^(?:[\u{1F1E6}-\u{1F1FF}]{2}|\u{1F3F4}[\u{E0061}-\u{E007A}]{2}[\u{E0030}-\u{E0039}\u{E0061}-\u{E007A}]{1,3}\u{E007F}|(?:\p{Emoji}\uFE0F\u20E3?|\p{Emoji_Modifier_Base}\p{Emoji_Modifier}?|(?![\p{Emoji_Modifier_Base}\u{1F1E6}-\u{1F1FF}])\p{Emoji_Presentation})(?:\u200D(?:\p{Emoji}\uFE0F\u20E3?|\p{Emoji_Modifier_Base}\p{Emoji_Modifier}?|(?![\p{Emoji_Modifier_Base}\u{1F1E6}-\u{1F1FF}])\p{Emoji_Presentation}))*)+$/u;
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "valibot"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.31.0"
            },
            {
              "fixed": "1.2.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-66020"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-11-26T19:33:34Z",
    "nvd_published_at": "2025-11-26T02:15:49Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n\nThe `EMOJI_REGEX` used in the `emoji` action is vulnerable to a Regular Expression Denial of Service (ReDoS) attack. A short, maliciously crafted string (e.g., \u003c100 characters) can cause the regex engine to consume excessive CPU time (minutes), leading to a Denial of Service (DoS) for the application.\n\n### Details\n\nThe ReDoS vulnerability stems from \"catastrophic backtracking\" in the `EMOJI_REGEX`. This is caused by ambiguity in the regex pattern due to overlapping character classes.\n\nSpecifically, the class `\\p{Emoji_Presentation}` overlaps with more specific classes used in the same alternation, such as `[\\u{1F1E6}-\\u{1F1FF}]` (regional indicator symbols used for flags) and `\\p{Emoji_Modifier_Base}`.\n\nWhen the regex engine attempts to match a string that almost matches but ultimately fails (like the one in the PoC), this ambiguity forces it to explore an exponential number of possible paths. The matching time increases exponentially with the length of the crafted input, rather than linearly.\n\n### PoC\n\nThe following code demonstrates the vulnerability.\n\n```javascript\nimport * as v from \u0027valibot\u0027;\n\nconst schema = v.object({\n  x: v.pipe(v.string(), v.emoji()),\n});\n\nconst attackString = \u0027\\u{1F1E6}\u0027.repeat(49) + \u00270\u0027;\n\nconsole.log(`Input length: ${attackString.length}`);\nconsole.log(\u0027Starting parse... (This will take a long time)\u0027);\n\n// On my machine, a length of 99 takes approximately 2 minutes.\nconsole.time();\ntry {\n  v.parse(schema, {x: attackString });\n} catch (e) {}\nconsole.timeEnd();\n```\n\n### Impact\n\nAny project using Valibot\u0027s `emoji` validation on user-controllable input is vulnerable to a Denial of Service attack.\n\nAn attacker can block server resources (e.g., a web server\u0027s event loop) by submitting a short string to any endpoint that uses this validation. This is particularly dangerous because the attack string is short enough to bypass typical input length restrictions (e.g., maxLength(100)).\n\n### Recommended Fix\n\nThe root cause is the overlapping character classes. This can be resolved by making the alternatives mutually exclusive, typically by using negative lookaheads (`(?!...)`) to subtract the specific classes from the more general one.\n\nThe following modified `EMOJI_REGEX` applies this principle:\n\n```javascript\nexport const EMOJI_REGEX: RegExp =\n  // eslint-disable-next-line redos-detector/no-unsafe-regex, regexp/no-dupe-disjunctions -- false positives\n  /^(?:[\\u{1F1E6}-\\u{1F1FF}]{2}|\\u{1F3F4}[\\u{E0061}-\\u{E007A}]{2}[\\u{E0030}-\\u{E0039}\\u{E0061}-\\u{E007A}]{1,3}\\u{E007F}|(?:\\p{Emoji}\\uFE0F\\u20E3?|\\p{Emoji_Modifier_Base}\\p{Emoji_Modifier}?|(?![\\p{Emoji_Modifier_Base}\\u{1F1E6}-\\u{1F1FF}])\\p{Emoji_Presentation})(?:\\u200D(?:\\p{Emoji}\\uFE0F\\u20E3?|\\p{Emoji_Modifier_Base}\\p{Emoji_Modifier}?|(?![\\p{Emoji_Modifier_Base}\\u{1F1E6}-\\u{1F1FF}])\\p{Emoji_Presentation}))*)+$/u;\n```",
  "id": "GHSA-vqpr-j7v3-hqw9",
  "modified": "2025-11-26T19:33:34Z",
  "published": "2025-11-26T19:33:34Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/open-circle/valibot/security/advisories/GHSA-vqpr-j7v3-hqw9"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66020"
    },
    {
      "type": "WEB",
      "url": "https://github.com/open-circle/valibot/commit/cfb799db301a953a0950d5c05a34a3ab121262dc"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/open-circle/valibot"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Valibot has a ReDoS vulnerability in `EMOJI_REGEX`"
}

GHSA-VVF2-PPJ9-PP49

Vulnerability from github – Published: 2021-09-20 20:42 – Updated: 2022-05-04 03:24
VLAI
Summary
Inefficient Regular Expression Complexity in vuelidate
Details

vuelidate is a simple, lightweight model-based validation for Vue.js 2.x & 3.0. A ReDoS (regular expression denial of service) flaw was found in the @vuelidate/validators package. An attacker that is able to provide crafted input to the url(input) function may cause an application to consume an excessive amount of CPU.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.0.0-alpha.21"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@vuelidate/validators"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.0.0-alpha.22"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-3794"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333",
      "CWE-400",
      "CWE-697"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-09-16T17:15:49Z",
    "nvd_published_at": "2021-09-15T13:15:00Z",
    "severity": "HIGH"
  },
  "details": "vuelidate is a simple, lightweight model-based validation for Vue.js 2.x \u0026 3.0. A ReDoS (regular expression denial of service) flaw was found in the `@vuelidate/validators` package. An attacker that is able to provide crafted input to the url(input) function may cause an application to consume an excessive amount of CPU.",
  "id": "GHSA-vvf2-ppj9-pp49",
  "modified": "2022-05-04T03:24:54Z",
  "published": "2021-09-20T20:42:06Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3794"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vuelidate/vuelidate/commit/1f0ca31c30e5032f00dbd14c4791b5ee7928f71d"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/vuelidate/vuelidate"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/d8201b98-fb91-4c12-a6f7-181b4a20d9b7"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Inefficient Regular Expression Complexity in vuelidate"
}

GHSA-W455-MFQ9-HF74

Vulnerability from github – Published: 2024-10-26 21:30 – Updated: 2024-11-13 23:24
VLAI
Summary
insane vulnerable to Regular Expression Denial of Service
Details

insane is a whitelist-oriented HTML sanitizer. Versions 2.6.2 and prior contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS). As of time of publication, no known patches are available.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "insane"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "2.6.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-26303"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-10-28T14:40:03Z",
    "nvd_published_at": "2024-10-26T21:15:13Z",
    "severity": "MODERATE"
  },
  "details": "insane is a whitelist-oriented HTML sanitizer. Versions 2.6.2 and prior contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS). As of time of publication, no known patches are available.",
  "id": "GHSA-w455-mfq9-hf74",
  "modified": "2024-11-13T23:24:39Z",
  "published": "2024-10-26T21:30:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26303"
    },
    {
      "type": "WEB",
      "url": "https://github.com/bevacqua/insane/issues/19"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/bevacqua/insane"
    },
    {
      "type": "ADVISORY",
      "url": "https://securitylab.github.com/advisories/GHSL-2020-289-redos-insane"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green",
      "type": "CVSS_V4"
    }
  ],
  "summary": "insane vulnerable to Regular Expression Denial of Service"
}

GHSA-W4PP-8PJF-RMXW

Vulnerability from github – Published: 2026-05-26 13:30 – Updated: 2026-05-26 15:32
VLAI
Details

Versions of the package pacote from 11.2.7 are vulnerable to Denial of Service (DoS) via the addGitSha function. An attacker can exploit this vulnerability by supplying a specially crafted spec.rawSpec value that triggers the function’s regex replacement and string-manipulation logic, causing excessive CPU consumption and potentially stalling or crashing the process.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-9496"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333",
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-26T07:16:19Z",
    "severity": "HIGH"
  },
  "details": "Versions of the package pacote from 11.2.7 are vulnerable to Denial of Service (DoS) via the addGitSha function. An attacker can exploit this vulnerability by supplying a specially crafted spec.rawSpec value that triggers the function\u2019s regex replacement and string-manipulation logic,  causing excessive CPU consumption and potentially stalling or crashing the process.",
  "id": "GHSA-w4pp-8pjf-rmxw",
  "modified": "2026-05-26T15:32:10Z",
  "published": "2026-05-26T13:30:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9496"
    },
    {
      "type": "WEB",
      "url": "https://github.com/npm/pacote/blob/9d7459440826ab4cf962ef98d8f3fd0c4d464b5c/lib/util/add-git-sha.js%23L2C1-L13C2"
    },
    {
      "type": "WEB",
      "url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-16874025"
    },
    {
      "type": "WEB",
      "url": "https://security.snyk.io/vuln/SNYK-JS-PACOTE-8225084"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-W596-4WVX-J9J6

Vulnerability from github – Published: 2022-10-16 12:00 – Updated: 2026-05-29 20:49
VLAI
Summary
Withdrawn Advisory: ReDoS in py library when used with subversion
Details

Withdrawn Advisory

This advisory has been withdrawn because evidence does not suggest that CVE-2022-42969 is a valid, reproducible vulnerability. This link is maintained to preserve external references.

Original Description

The py library through 1.11.0 for Python allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data, because the InfoSvnCommand argument is mishandled.

The particular codepath in question is the regular expression at py._path.svnurl.InfoSvnCommand.lspattern and is only relevant when dealing with subversion (svn) projects. Notably the codepath is not used in the popular pytest project. The developers of the pytest package have released version 7.2.0 which removes their dependency on py. Users of pytest seeing alerts relating to this advisory may update to version 7.2.0 of pytest to resolve this issue. See https://github.com/pytest-dev/py/issues/287#issuecomment-1290407715 for additional context.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "py"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.11.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-42969"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-10-18T18:03:13Z",
    "nvd_published_at": "2022-10-16T06:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Withdrawn Advisory\nThis advisory has been withdrawn because evidence does not suggest that CVE-2022-42969 is a valid, reproducible vulnerability. This link is maintained to preserve external references.\n\n### Original Description\nThe py library through 1.11.0 for Python allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data, because the InfoSvnCommand argument is mishandled.\n\nThe particular codepath in question is the regular expression at `py._path.svnurl.InfoSvnCommand.lspattern` and is only relevant when dealing with subversion (svn) projects. Notably the codepath is not used in the popular pytest project. The developers of the pytest package have released version `7.2.0` which removes their dependency on `py`. Users of `pytest` seeing alerts relating to this advisory may update to version `7.2.0` of `pytest` to resolve this issue. See https://github.com/pytest-dev/py/issues/287#issuecomment-1290407715 for additional context.",
  "id": "GHSA-w596-4wvx-j9j6",
  "modified": "2026-05-29T20:49:54Z",
  "published": "2022-10-16T12:00:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42969"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pytest-dev/py/issues/287"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pytest-dev/py/issues/288"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pytest-dev/pytest/issues/10392"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-w596-4wvx-j9j6"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/py/PYSEC-2022-42969.yaml"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/py/PYSEC-2022-43183.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/pytest-dev/py"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pytest-dev/py/blob/cb87a83960523a2367d0f19226a73aed4ce4291d/py/_path/svnurl.py#L316"
    },
    {
      "type": "WEB",
      "url": "https://news.ycombinator.com/item?id=34163710"
    },
    {
      "type": "WEB",
      "url": "https://pypi.org/project/py"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Withdrawn Advisory: ReDoS in py library when used with subversion ",
  "withdrawn": "2025-08-01T20:34:11Z"
}

GHSA-W6Q7-J642-7C25

Vulnerability from github – Published: 2025-05-28 17:49 – Updated: 2025-06-19 15:20
VLAI
Summary
vLLM has a Regular Expression Denial of Service (ReDoS, Exponential Complexity) Vulnerability in `pythonic_tool_parser.py`
Details

Summary

A Regular Expression Denial of Service (ReDoS) vulnerability exists in the file vllm/entrypoints/openai/tool_parsers/pythonic_tool_parser.py of the vLLM project. The root cause is the use of a highly complex and nested regular expression for tool call detection, which can be exploited by an attacker to cause severe performance degradation or make the service unavailable.

Details

The following regular expression is used to match tool/function call patterns:

r"\[([a-zA-Z]+\w*\(([a-zA-Z]+\w*=.*,\s*)*([a-zA-Z]+\w*=.*\s)?\),\s*)*([a-zA-Z]+\w*\(([a-zA-Z]+\w*=.*,\s*)*([a-zA-Z]+\w*=.*\s*)?\)\s*)+\]"

This pattern contains multiple nested quantifiers (*, +), optional groups, and inner repetitions which make it vulnerable to catastrophic backtracking.

Attack Example: A malicious input such as

[A(A=   )A(A=,      )A(A=,      )A(A=,      )... (repeated dozens of times) ...]

or

"[A(A=" + "\t)A(A=,\t" * repeat

can cause the regular expression engine to consume CPU exponentially with the input length, effectively freezing or crashing the server (DoS).

Proof of Concept: A Python script demonstrates that matching such a crafted string with the above regex results in exponential time complexity. Even moderate input lengths can bring the system to a halt.

Length: 22, Time: 0.0000 seconds, Match: False
Length: 38, Time: 0.0010 seconds, Match: False
Length: 54, Time: 0.0250 seconds, Match: False
Length: 70, Time: 0.5185 seconds, Match: False
Length: 86, Time: 13.2703 seconds, Match: False
Length: 102, Time: 319.0717 seconds, Match: False

Impact

  • Denial of Service (DoS): An attacker can trigger a denial of service by sending specially crafted payloads to any API or interface that invokes this regex, causing excessive CPU usage and making the vLLM service unavailable.
  • Resource Exhaustion and Memory Retention: As this regex is invoked during function call parsing, the matching process may hold on to significant CPU and memory resources for extended periods (due to catastrophic backtracking). In the context of vLLM, this also means that the associated KV cache (used for model inference and typically stored in GPU memory) is not released in a timely manner. This can lead to GPU memory exhaustion, degraded throughput, and service instability.
  • Potential for Broader System Instability: Resource exhaustion from stuck or slow requests may cascade into broader system instability or service downtime if not mitigated.

Fix

  • https://github.com/vllm-project/vllm/pull/18454
  • Note that while this change has significantly improved performance, this regex may still be problematic. It has gone from exponential time complexity, O(2^N), to O(N^2).
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "vllm"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.6.4"
            },
            {
              "fixed": "0.9.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-48887"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-05-28T17:49:33Z",
    "nvd_published_at": "2025-05-30T18:15:32Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nA Regular Expression Denial of Service (ReDoS) vulnerability exists in the file [`vllm/entrypoints/openai/tool_parsers/pythonic_tool_parser.py`](https://github.com/vllm-project/vllm/blob/main/vllm/entrypoints/openai/tool_parsers/pythonic_tool_parser.py) of the vLLM project. The root cause is the use of a highly complex and nested regular expression for tool call detection, which can be exploited by an attacker to cause severe performance degradation or make the service unavailable.\n\n## Details\n\nThe following regular expression is used to match tool/function call patterns:\n```\nr\"\\[([a-zA-Z]+\\w*\\(([a-zA-Z]+\\w*=.*,\\s*)*([a-zA-Z]+\\w*=.*\\s)?\\),\\s*)*([a-zA-Z]+\\w*\\(([a-zA-Z]+\\w*=.*,\\s*)*([a-zA-Z]+\\w*=.*\\s*)?\\)\\s*)+\\]\"\n```\nThis pattern contains multiple nested quantifiers (`*`, `+`), optional groups, and inner repetitions which make it vulnerable to catastrophic backtracking.\n\n**Attack Example:**\nA malicious input such as  \n```\n[A(A=\t)A(A=,\t\t)A(A=,\t\t)A(A=,\t\t)... (repeated dozens of times) ...]\n\nor\n\n\"[A(A=\" + \"\\t)A(A=,\\t\" * repeat\n```\n\n\n\ncan cause the regular expression engine to consume CPU exponentially with the input length, effectively freezing or crashing the server (DoS).\n\n**Proof of Concept:**\nA Python script demonstrates that matching such a crafted string with the above regex results in exponential time complexity. Even moderate input lengths can bring the system to a halt.\n\n```\nLength: 22, Time: 0.0000 seconds, Match: False\nLength: 38, Time: 0.0010 seconds, Match: False\nLength: 54, Time: 0.0250 seconds, Match: False\nLength: 70, Time: 0.5185 seconds, Match: False\nLength: 86, Time: 13.2703 seconds, Match: False\nLength: 102, Time: 319.0717 seconds, Match: False\n```\n\n## Impact\n\n- **Denial of Service (DoS):** An attacker can trigger a denial of service by sending specially crafted payloads to any API or interface that invokes this regex, causing excessive CPU usage and making the vLLM service unavailable.\n- **Resource Exhaustion and Memory Retention:** As this regex is invoked during function call parsing, the matching process may hold on to significant CPU and memory resources for extended periods (due to catastrophic backtracking). In the context of vLLM, this also means that the associated KV cache (used for model inference and typically stored in GPU memory) is not released in a timely manner. This can lead to GPU memory exhaustion, degraded throughput, and service instability.\n- **Potential for Broader System Instability:** Resource exhaustion from stuck or slow requests may cascade into broader system instability or service downtime if not mitigated.\n\n## Fix\n\n* https://github.com/vllm-project/vllm/pull/18454\n* Note that while this change has significantly improved performance, this regex may still be problematic. It has gone from exponential time complexity, O(2^N), to O(N^2).",
  "id": "GHSA-w6q7-j642-7c25",
  "modified": "2025-06-19T15:20:25Z",
  "published": "2025-05-28T17:49:33Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/vllm-project/vllm/security/advisories/GHSA-w6q7-j642-7c25"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48887"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vllm-project/vllm/pull/18454"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vllm-project/vllm/commit/4fc1bf813ad80172c1db31264beaef7d93fe0601"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/vllm/PYSEC-2025-50.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/vllm-project/vllm"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "vLLM has a Regular Expression Denial of Service (ReDoS, Exponential Complexity) Vulnerability in `pythonic_tool_parser.py`"
}

Mitigation
Architecture and Design

Use regular expressions that do not support backtracking, e.g. by removing nested quantifiers.

Mitigation
System Configuration

Set backtracking limits in the configuration of the regular expression implementation, such as PHP's pcre.backtrack_limit. Also consider limits on execution time for the process.

Mitigation
Implementation

Do not use regular expressions with untrusted input. If regular expressions must be used, avoid using backtracking in the expression.

Mitigation
Implementation

Limit the length of the input that the regular expression will process.

CAPEC-492: Regular Expression Exponential Blowup

An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions.