Common Weakness Enumeration

CWE-185

Allowed-with-Review

Incorrect Regular Expression

Abstraction: Class · Status: Draft

The product specifies a regular expression in a way that causes data to be improperly matched or compared.

70 vulnerabilities reference this CWE, most recent first.

GHSA-MPCW-3J5P-P99X

Vulnerability from github – Published: 2024-10-24 18:27 – Updated: 2024-10-24 18:27
VLAI
Summary
Butterfly's parseJSON, getJSON functions eval malicious input, leading to remote code execution (RCE)
Details

Summary

Usage of the Butterfly.prototype.parseJSON or getJSON functions on an attacker-controlled crafted input string allows the attacker to execute arbitrary JavaScript code on the server.

Since Butterfly JavaScript code has access to Java classes, it can run arbitrary programs.

Details

The parseJSON function (edu/mit/simile/butterfly/Butterfly.js:64) works by calling eval, an approach that goes back to the original library by Crockford, before JSON was part of the ECMAScript language. It uses a regular expression to remove strings from the input, then checks that there are no unexpected characters in the non-string remainder.

However, the regex is imperfect, as was discovered earlier by Mike Samuel; specifically, the "cleaner" can be tricked into treating part of the input as a string that the "evaluator" does not, because of a difference in interpretation regarding the the Unicode zero-width joiner character. Representing that character with a visible symbol, a malicious input looks like:

"\�\", Packages.java.lang.Runtime.getRuntime().exec('gnome-calculator')) // "

This is understood...

  • by JSON_cleaning_RE as a single string, and because it is a string it can be collapsed to nothing, which is not problematic, so the original input proceeds to eval.
  • by the eval function, which ignores zero-width joiners entirely, as a string containing a single escaped backslash, followed by a comma, then a function call, closing parenthesis, and finally a line comment.

The function call is evaluated, and a calculator is opened.

Possible mitigations and additional defenses could include:

  • Replacing the JSON implementation with Rhino's built-in implementation.
  • Dropping all JSON-related and JSONP-related code entirely.
  • Restricting the access the JavaScript controller code has to the rest of the system by using initSafeStandardObjects instead of initStandardObjects, using setClassShutter, and so on.

PoC

Change OpenRefine core controller.js to add a call to the vulnerable getJSON function:

diff --git a/main/webapp/modules/core/MOD-INF/controller.js b/main/webapp/modules/core/MOD-INF/controller.js
index 4ceba0676..1ce0936d2 100644
--- a/main/webapp/modules/core/MOD-INF/controller.js
+++ b/main/webapp/modules/core/MOD-INF/controller.js
@@ -631,0 +632,5 @@ function process(path, request, response) {
+    if (path == "getjsontest") {
+      butterfly.getJSON(request);
+      return true;
+    }
+

Then, restart OpenRefine and submit the malicious request. For example, the following bash command (with $' quoting) should do it:

curl -H 'Content-Type: application/json;charset=utf-8' --data $'"\\\u200d\\", Packages.java.lang.Runtime.getRuntime().exec(\'gnome-calculator\')) // "' http://localhost:3333/getjsontest

Impact

Any JavaScript controller that calls one of these functions is vulnerable to remote code execution.

OpenRefine itself seems unaffected; both OpenRefine and jQuery have their own functions also called parseJSON and getJSON, but those are unrelated.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.openrefine.dependencies:butterfly"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.2.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-185",
      "CWE-95"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-10-24T18:27:50Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nUsage of the `Butterfly.prototype.parseJSON` or `getJSON` functions on an attacker-controlled crafted input string allows the attacker to execute arbitrary JavaScript code on the server.\n\nSince Butterfly JavaScript code has access to Java classes, it can run arbitrary programs.\n\n### Details\n\nThe `parseJSON` function (edu/mit/simile/butterfly/Butterfly.js:64) works by calling `eval`, an approach that goes back to the original library by Crockford, before JSON was part of the ECMAScript language. It uses a regular expression to remove strings from the input, then checks that there are no unexpected characters in the non-string remainder.\n\nHowever, the regex is imperfect, as was [discovered earlier by Mike Samuel](https://dev.to/mikesamuel/2008-silently-securing-jsonparse-5cbb); specifically, the \"cleaner\" can be tricked into treating part of the input as a string that the \"evaluator\" does not, because of a difference in interpretation regarding the [the Unicode zero-width joiner character](https://unicode-explorer.com/c/200D). Representing that character with a visible symbol, a malicious input looks like:\n\n```js\n\"\\\ufffd\\\", Packages.java.lang.Runtime.getRuntime().exec(\u0027gnome-calculator\u0027)) // \"\n```\n\nThis is understood...\n\n* by `JSON_cleaning_RE` as a single string, and because it is a string it can be collapsed to nothing, which is not problematic, so the original input proceeds to `eval`.\n* by the `eval` function, which ignores zero-width joiners entirely, as a string containing a single escaped backslash, followed by a comma, then a function call, closing parenthesis, and finally a line comment.\n \nThe function call is evaluated, and a calculator is opened.\n\nPossible mitigations and additional defenses could include:\n\n* Replacing the JSON implementation with Rhino\u0027s built-in implementation.\n* Dropping all JSON-related and JSONP-related code entirely.\n* Restricting the access the JavaScript controller code has to the rest of the system by using `initSafeStandardObjects` instead of `initStandardObjects`, using `setClassShutter`, and so on.\n\n### PoC\n\nChange OpenRefine `core` `controller.js` to add a call to the vulnerable `getJSON` function:\n\n```diff\ndiff --git a/main/webapp/modules/core/MOD-INF/controller.js b/main/webapp/modules/core/MOD-INF/controller.js\nindex 4ceba0676..1ce0936d2 100644\n--- a/main/webapp/modules/core/MOD-INF/controller.js\n+++ b/main/webapp/modules/core/MOD-INF/controller.js\n@@ -631,0 +632,5 @@ function process(path, request, response) {\n+    if (path == \"getjsontest\") {\n+      butterfly.getJSON(request);\n+      return true;\n+    }\n+\n```\n\nThen, restart OpenRefine and submit the malicious request. For example, the following `bash` command (with $\u0027 quoting) should do it:\n\n```\ncurl -H \u0027Content-Type: application/json;charset=utf-8\u0027 --data $\u0027\"\\\\\\u200d\\\\\", Packages.java.lang.Runtime.getRuntime().exec(\\\u0027gnome-calculator\\\u0027)) // \"\u0027 http://localhost:3333/getjsontest\n```\n\n### Impact\n\nAny JavaScript controller that calls one of these functions is vulnerable to remote code execution.\n\nOpenRefine itself seems unaffected; both OpenRefine and jQuery have their own functions also called parseJSON and getJSON, but those are unrelated.",
  "id": "GHSA-mpcw-3j5p-p99x",
  "modified": "2024-10-24T18:27:50Z",
  "published": "2024-10-24T18:27:50Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/OpenRefine/simile-butterfly/security/advisories/GHSA-mpcw-3j5p-p99x"
    },
    {
      "type": "WEB",
      "url": "https://github.com/OpenRefine/simile-butterfly/commit/2ad1fa4cd8afe3c920c8e6e04fe7a7df5cf8294e"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/OpenRefine/simile-butterfly"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Butterfly\u0027s parseJSON, getJSON functions eval malicious input, leading to remote code execution (RCE)"
}

GHSA-MVF3-QJ92-4C7R

Vulnerability from github – Published: 2024-04-09 15:30 – Updated: 2025-02-07 21:30
VLAI
Details

An Incorrect Regular Expression vulnerability in Bitdefender GravityZone Update Server allows an attacker to cause a Server Side Request Forgery and reconfigure the relay. This issue affects the following products that include the vulnerable component: 

Bitdefender Endpoint Security for Linux version 7.0.5.200089 Bitdefender Endpoint Security for  Windows version 7.9.9.380 GravityZone Control Center (On Premises) version 6.36.1

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-2223"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-185",
      "CWE-697"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-09T13:15:33Z",
    "severity": "HIGH"
  },
  "details": "An Incorrect Regular Expression vulnerability in Bitdefender GravityZone Update Server allows an attacker to cause a Server Side Request Forgery and reconfigure the relay. This issue affects the following products that include the vulnerable component:\u00a0\n\nBitdefender Endpoint Security for Linux version 7.0.5.200089\nBitdefender Endpoint Security for\u00a0 Windows version 7.9.9.380\nGravityZone Control Center (On Premises) version 6.36.1",
  "id": "GHSA-mvf3-qj92-4c7r",
  "modified": "2025-02-07T21:30:51Z",
  "published": "2024-04-09T15:30:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2223"
    },
    {
      "type": "WEB",
      "url": "https://www.bitdefender.com/support/security-advisories/incorrect-regular-expression-in-gravityzone-update-server-va-11465"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PCCM-W2W7-V4P2

Vulnerability from github – Published: 2022-05-24 16:48 – Updated: 2024-04-04 00:57
VLAI
Details

An issue was discovered in Artifex MuJS 1.0.5. regcompx in regexp.c does not restrict regular expression program size, leading to an overflow of the parsed syntax list size.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-12798"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-185"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-06-13T17:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "An issue was discovered in Artifex MuJS 1.0.5. regcompx in regexp.c does not restrict regular expression program size, leading to an overflow of the parsed syntax list size.",
  "id": "GHSA-pccm-w2w7-v4p2",
  "modified": "2024-04-04T00:57:18Z",
  "published": "2022-05-24T16:48:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-12798"
    },
    {
      "type": "WEB",
      "url": "http://git.ghostscript.com/?p=mujs.git%3Bh=7f50591861525f76e3ec7a63392656ff8c030af9"
    },
    {
      "type": "WEB",
      "url": "http://git.ghostscript.com/?p=mujs.git;h=7f50591861525f76e3ec7a63392656ff8c030af9"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/108774"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PRCQ-52F8-FP44

Vulnerability from github – Published: 2022-05-17 05:19 – Updated: 2024-09-05 21:32
VLAI
Summary
Apache Libcloud vulnerable to certificate impersonation
Details

Apache Libcloud before 0.11.1 uses an incorrect regular expression during verification of whether the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a crafted certificate.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "apache-libcloud"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.11.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2012-3446"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-185",
      "CWE-20",
      "CWE-295"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-01-12T20:09:02Z",
    "nvd_published_at": "2012-11-04T22:55:00Z",
    "severity": "MODERATE"
  },
  "details": "Apache Libcloud before 0.11.1 uses an incorrect regular expression during verification of whether the server hostname matches a domain name in the subject\u0027s Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a crafted certificate.",
  "id": "GHSA-prcq-52f8-fp44",
  "modified": "2024-09-05T21:32:21Z",
  "published": "2022-05-17T05:19:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-3446"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/libcloud/commit/f2af5502dae3ac63e656dd1b7d5f29cc82ded401"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/libcloud"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-libcloud/PYSEC-2012-12.yaml"
    },
    {
      "type": "WEB",
      "url": "https://svn.apache.org/repos/asf/libcloud/trunk/CHANGES"
    },
    {
      "type": "WEB",
      "url": "http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Apache Libcloud vulnerable to certificate impersonation"
}

GHSA-PVFR-M224-2VM2

Vulnerability from github – Published: 2022-05-24 16:44 – Updated: 2022-05-24 16:44
VLAI
Details

An issue was discovered in OWASP ModSecurity Core Rule Set (CRS) through 3.1.0. /rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf allows remote attackers to cause a denial of service (ReDOS) by entering a specially crafted string with $a# at the beginning and nested repetition operators.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-11391"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-185",
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-04-21T02:29:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in OWASP ModSecurity Core Rule Set (CRS) through 3.1.0. /rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf allows remote attackers to cause a denial of service (ReDOS) by entering a specially crafted string with $a# at the beginning and nested repetition operators.",
  "id": "GHSA-pvfr-m224-2vm2",
  "modified": "2022-05-24T16:44:03Z",
  "published": "2022-05-24T16:44:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11391"
    },
    {
      "type": "WEB",
      "url": "https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1357"
    },
    {
      "type": "WEB",
      "url": "https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1372"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QCVW-82HH-GQ38

Vulnerability from github – Published: 2022-05-24 16:53 – Updated: 2023-07-17 21:05
VLAI
Summary
Istio ReDoS Vulnerability
Details

Istio before 1.1.13 and 1.2.x before 1.2.4 mishandles regular expressions for long URIs, leading to a denial of service during use of the JWT, VirtualService, HTTPAPISpecBinding, or QuotaSpecBinding API.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "istio.io/istio"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.1.13"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "istio.io/istio"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.2.0"
            },
            {
              "fixed": "1.2.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2019-14993"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-185"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-07-17T21:05:13Z",
    "nvd_published_at": "2019-08-13T18:15:00Z",
    "severity": "HIGH"
  },
  "details": "Istio before 1.1.13 and 1.2.x before 1.2.4 mishandles regular expressions for long URIs, leading to a denial of service during use of the JWT, VirtualService, HTTPAPISpecBinding, or QuotaSpecBinding API.",
  "id": "GHSA-qcvw-82hh-gq38",
  "modified": "2023-07-17T21:05:13Z",
  "published": "2022-05-24T16:53:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14993"
    },
    {
      "type": "WEB",
      "url": "https://github.com/envoyproxy/envoy/issues/7728"
    },
    {
      "type": "WEB",
      "url": "https://discuss.istio.io/t/upcoming-security-updates-in-istio-1-2-4-and-1-1-13/3383"
    },
    {
      "type": "WEB",
      "url": "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=86164"
    },
    {
      "type": "WEB",
      "url": "https://istio.io/blog/2019/istio-security-003-004"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Istio ReDoS Vulnerability"
}

GHSA-QVJC-G5VR-MFGR

Vulnerability from github – Published: 2020-09-04 18:03 – Updated: 2025-06-16 14:03
VLAI
Summary
Regular Expression Denial of Service in papaparse
Details

Versions of papaparse prior to 5.2.0 are vulnerable to Regular Expression Denial of Service (ReDos). The parse function contains a malformed regular expression that takes exponentially longer to process non-numerical inputs. This allows attackers to stall systems and lead to Denial of Service.

Recommendation

Upgrade to version 5.2.0 or later.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "papaparse"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.2.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-36649"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-185"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-08-31T19:02:01Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "Versions of `papaparse` prior to 5.2.0 are vulnerable to Regular Expression Denial of Service (ReDos). The `parse` function contains a malformed regular expression that takes exponentially longer to process non-numerical inputs. This allows attackers to stall systems and lead to Denial of Service.\n\n\n## Recommendation\n\nUpgrade to version 5.2.0 or later.",
  "id": "GHSA-qvjc-g5vr-mfgr",
  "modified": "2025-06-16T14:03:31Z",
  "published": "2020-09-04T18:03:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36649"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mholt/PapaParse/issues/777"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mholt/PapaParse/pull/779"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mholt/PapaParse/commit/235a12758cd77266d2e98fd715f53536b34ad621"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mholt/PapaParse"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mholt/PapaParse/releases/tag/5.2.0"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JS-PAPAPARSE-564258"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.218004"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.218004"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Regular Expression Denial of Service in papaparse"
}

GHSA-QW55-M3PM-VWHH

Vulnerability from github – Published: 2022-05-24 16:44 – Updated: 2022-05-24 16:44
VLAI
Details

An issue was discovered in OWASP ModSecurity Core Rule Set (CRS) through 3.1.0. /rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf allows remote attackers to cause a denial of service (ReDOS) by entering a specially crafted string with set_error_handler# at the beginning and nested repetition operators.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-11390"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-185",
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-04-21T02:29:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in OWASP ModSecurity Core Rule Set (CRS) through 3.1.0. /rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf allows remote attackers to cause a denial of service (ReDOS) by entering a specially crafted string with set_error_handler# at the beginning and nested repetition operators.",
  "id": "GHSA-qw55-m3pm-vwhh",
  "modified": "2022-05-24T16:44:02Z",
  "published": "2022-05-24T16:44:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11390"
    },
    {
      "type": "WEB",
      "url": "https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1358"
    },
    {
      "type": "WEB",
      "url": "https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1372"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R28V-MW67-M5P9

Vulnerability from github – Published: 2019-01-04 17:50 – Updated: 2024-09-18 19:45
VLAI
Summary
Django denial-of-service possibility in urlize and urlizetrunc template filters
Details

An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. The django.utils.html.urlize() function was extremely slow to evaluate certain inputs due to catastrophic backtracking vulnerabilities in two regular expressions (only one regular expression for Django 1.8.x). The urlize() function is used to implement the urlize and urlizetrunc template filters, which were thus vulnerable.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "Django"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0a1"
            },
            {
              "fixed": "2.0.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "Django"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.11a1"
            },
            {
              "fixed": "1.11.11"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "Django"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.8a1"
            },
            {
              "fixed": "1.8.19"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2018-7536"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-185"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:53:19Z",
    "nvd_published_at": "2018-03-09T20:29:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. The `django.utils.html.urlize()` function was extremely slow to evaluate certain inputs due to catastrophic backtracking vulnerabilities in two regular expressions (only one regular expression for Django 1.8.x). The `urlize()` function is used to implement the urlize and urlizetrunc template filters, which were thus vulnerable.",
  "id": "GHSA-r28v-mw67-m5p9",
  "modified": "2024-09-18T19:45:18Z",
  "published": "2019-01-04T17:50:07Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-7536"
    },
    {
      "type": "WEB",
      "url": "https://github.com/django/django/commit/1ca63a66ef3163149ad822701273e8a1844192c2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/django/django/commit/abf89d729f210c692a50e0ad3f75fb6bec6fae16"
    },
    {
      "type": "WEB",
      "url": "https://github.com/django/django/commit/e157315da3ae7005fa0683ffc9751dbeca7306c8"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2018:2927"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2019:0051"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2019:0082"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2019:0265"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-r28v-mw67-m5p9"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/django/django"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2018-5.yaml"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2018/03/msg00006.html"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/3591-1"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20200227131019/http://www.securityfocus.com/bid/103361"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2018/dsa-4161"
    },
    {
      "type": "WEB",
      "url": "https://www.djangoproject.com/weblog/2018/mar/06/security-releases"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Django denial-of-service possibility in urlize and urlizetrunc template filters"
}

GHSA-R354-F388-2FHH

Vulnerability from github – Published: 2026-01-27 19:01 – Updated: 2026-01-29 03:39
VLAI
Summary
Hono IPv4 address validation bypass in IP Restriction Middleware allows IP spoofing
Details

Summary

IP Restriction Middleware in Hono is vulnerable to an IP address validation bypass. The IPV4_REGEX pattern and convertIPv4ToBinary function in src/utils/ipaddr.ts do not properly validate that IPv4 octet values are within the valid range of 0-255, allowing attackers to craft malformed IP addresses that bypass IP-based access controls.

Details

The vulnerability exists in two components:

  1. Permissive regex pattern: The IPV4_REGEX (/^[0-9]{0,3}\.[0-9]{0,3}\.[0-9]{0,3}\.[0-9]{0,3}$/) accepts octet values greater than 255 (e.g., 999).
  2. Unsafe binary conversion: The convertIPv4ToBinary function does not validate octet ranges before performing bitwise operations. When an octet exceeds 255, it overflows into adjacent octets during the bit-shift calculation.

For example, the IP address 1.2.2.355 is accepted and converts to the same binary value as 1.2.3.99:

  • 355 = 256 + 99 = 0x163
  • After bit-shifting: (1 << 24) + (2 << 16) + (2 << 8) + 355 = 0x01020363 = 1.2.3.99

Impact

An attacker can bypass IP-based restrictions by crafting malformed IP addresses:

  • Blocklist bypass: If 1.2.3.0/24 is blocked, an attacker can use 1.2.2.355 (or similar) to bypass the restriction.
  • Allowlist bypass: Requests from unauthorized IP ranges may be incorrectly permitted.

This is exploitable when the application relies on client-provided IP addresses (e.g., X-Forwarded-For header) for access control decisions.

Affected Components

  • IP Restriction Middleware
  • src/utils/ipaddr.ts: IPV4_REGEX, convertIPv4ToBinary, distinctRemoteAddr
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "hono"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.11.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-24398"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-185"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-27T19:01:43Z",
    "nvd_published_at": "2026-01-27T19:16:16Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nIP Restriction Middleware in Hono is vulnerable to an IP address validation bypass. The `IPV4_REGEX` pattern and `convertIPv4ToBinary` function in `src/utils/ipaddr.ts` do not properly validate that IPv4 octet values are within the valid range of 0-255, allowing attackers to craft malformed IP addresses that bypass IP-based access controls.\n\n## Details\n\nThe vulnerability exists in two components:\n\n1. **Permissive regex pattern:** The `IPV4_REGEX (/^[0-9]{0,3}\\.[0-9]{0,3}\\.[0-9]{0,3}\\.[0-9]{0,3}$/)` accepts octet values greater than 255 (e.g., `999`).\n2. **Unsafe binary conversion:** The `convertIPv4ToBinary` function does not validate octet ranges before performing bitwise operations. When an octet exceeds 255, it overflows into adjacent octets during the bit-shift calculation.\n\nFor example, the IP address `1.2.2.355` is accepted and converts to the same binary value as 1.2.3.99:\n\n* `355` = `256 + 99` = `0x163`\n* After bit-shifting: `(1 \u003c\u003c 24) + (2 \u003c\u003c 16) + (2 \u003c\u003c 8) + 355` = `0x01020363` = `1.2.3.99`\n\n## Impact\n\nAn attacker can bypass IP-based restrictions by crafting malformed IP addresses:\n\n* **Blocklist bypass:** If `1.2.3.0/24` is blocked, an attacker can use `1.2.2.355` (or similar) to bypass the restriction.\n* **Allowlist bypass:** Requests from unauthorized IP ranges may be incorrectly permitted.\n\nThis is exploitable when the application relies on client-provided IP addresses (e.g., `X-Forwarded-For header`) for access control decisions.\n\n## Affected Components\n\n* IP Restriction Middleware\n* `src/utils/ipaddr.ts`: `IPV4_REGEX`, `convertIPv4ToBinary`, `distinctRemoteAddr`",
  "id": "GHSA-r354-f388-2fhh",
  "modified": "2026-01-29T03:39:00Z",
  "published": "2026-01-27T19:01:43Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/honojs/hono/security/advisories/GHSA-r354-f388-2fhh"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24398"
    },
    {
      "type": "WEB",
      "url": "https://github.com/honojs/hono/commit/edbf6eea8e6c26a3937518d4ed91d8666edeec37"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/honojs/hono"
    },
    {
      "type": "WEB",
      "url": "https://github.com/honojs/hono/releases/tag/v4.11.7"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Hono IPv4 address validation bypass in IP Restriction Middleware allows IP spoofing"
}

Mitigation MIT-45
Implementation

Strategy: Refactoring

Regular expressions can become error prone when defining a complex language even for those experienced in writing grammars. Determine if several smaller regular expressions simplify one large regular expression. Also, subject the regular expression to thorough testing techniques such as equivalence partitioning, boundary value analysis, and robustness. After testing and a reasonable confidence level is achieved, a regular expression may not be foolproof. If an exploit is allowed to slip through, then record the exploit and refactor the regular expression.

CAPEC-15: Command Delimiters

An attack of this type exploits a programs' vulnerabilities that allows an attacker's commands to be concatenated onto a legitimate command with the intent of targeting other resources such as the file system or database. The system that uses a filter or denylist input validation, as opposed to allowlist validation is vulnerable to an attacker who predicts delimiters (or combinations of delimiters) not present in the filter or denylist. As with other injection attacks, the attacker uses the command delimiter payload as an entry point to tunnel through the application and activate additional attacks through SQL queries, shell commands, network scanning, and so on.

CAPEC-6: Argument Injection

An attacker changes the behavior or state of a targeted application through injecting data or command syntax through the targets use of non-validated and non-filtered arguments of exposed services or methods.

CAPEC-79: Using Slashes in Alternate Encoding

This attack targets the encoding of the Slash characters. An adversary would try to exploit common filtering problems related to the use of the slashes characters to gain access to resources on the target host. Directory-driven systems, such as file systems and databases, typically use the slash character to indicate traversal between directories or other container components. For murky historical reasons, PCs (and, as a result, Microsoft OSs) choose to use a backslash, whereas the UNIX world typically makes use of the forward slash. The schizophrenic result is that many MS-based systems are required to understand both forms of the slash. This gives the adversary many opportunities to discover and abuse a number of common filtering problems. The goal of this pattern is to discover server software that only applies filters to one version, but not the other.