Common Weakness Enumeration
CWE-407
Allowed-with-ReviewInefficient Algorithmic Complexity
Abstraction: Class · Status: Incomplete
An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached.
193 vulnerabilities reference this CWE, most recent first.
CVE-2026-59928 (GCVE-0-2026-59928)
Vulnerability from cvelistv5 – Published: 2026-07-08 16:23 – Updated: 2026-07-08 19:40
VLAI
EPSS
VEX
Title
Mistune block_parser: quadratic-time parsing on long lists of repeated reference-link definitions
Summary
Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, a Markdown document containing many repeated or distinct reference-link definitions causes quadratic work in src/mistune/block_parser.py and the ref_links environment dictionary handling, allowing denial of service through CPU exhaustion. This issue is fixed in version 3.3.0.
Severity
7.5 (High)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/lepture/mistune/security/advis… | x_refsource_CONFIRM |
| https://github.com/lepture/mistune/commit/2b04d7b… | x_refsource_MISC |
| https://github.com/lepture/mistune/releases/tag/v3.3.0 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-59928",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-08T17:46:13.539153Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-08T19:40:43.968Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/lepture/mistune/security/advisories/GHSA-ffq3-xpv3-j92q"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mistune",
"vendor": "lepture",
"versions": [
{
"status": "affected",
"version": "\u003c 3.3.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, a Markdown document containing many repeated or distinct reference-link definitions causes quadratic work in src/mistune/block_parser.py and the ref_links environment dictionary handling, allowing denial of service through CPU exhaustion. This issue is fixed in version 3.3.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-407",
"description": "CWE-407: Inefficient Algorithmic Complexity",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "CWE-1333: Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-08T16:23:21.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/lepture/mistune/security/advisories/GHSA-ffq3-xpv3-j92q",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/lepture/mistune/security/advisories/GHSA-ffq3-xpv3-j92q"
},
{
"name": "https://github.com/lepture/mistune/commit/2b04d7ba341c16ac78fe82d3076bdd5c3de87c69",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/lepture/mistune/commit/2b04d7ba341c16ac78fe82d3076bdd5c3de87c69"
},
{
"name": "https://github.com/lepture/mistune/releases/tag/v3.3.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/lepture/mistune/releases/tag/v3.3.0"
}
],
"source": {
"advisory": "GHSA-ffq3-xpv3-j92q",
"discovery": "UNKNOWN"
},
"title": "Mistune block_parser: quadratic-time parsing on long lists of repeated reference-link definitions"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-59928",
"datePublished": "2026-07-08T16:23:21.000Z",
"dateReserved": "2026-07-07T18:20:06.126Z",
"dateUpdated": "2026-07-08T19:40:43.968Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-59925 (GCVE-0-2026-59925)
Vulnerability from cvelistv5 – Published: 2026-07-08 16:18 – Updated: 2026-07-08 19:44
VLAI
EPSS
VEX
Title
inline_parser: quadratic-time parsing on long runs of `**x**` and `***x***` emphasis pairs
Summary
Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, long sequences of well-formed double-asterisk or triple-asterisk emphasis pairs around a character cause quadratic work in src/mistune/inline_parser.py because the parser scans forward for matching close markers from every potential opening run, allowing denial of service in default Mistune parsing. This issue is fixed in version 3.3.0.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/lepture/mistune/security/advis… | x_refsource_CONFIRM |
| https://github.com/lepture/mistune/commit/5de41fb… | x_refsource_MISC |
| https://github.com/lepture/mistune/releases/tag/v3.3.0 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-59925",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-08T19:44:41.353822Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-08T19:44:48.084Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mistune",
"vendor": "lepture",
"versions": [
{
"status": "affected",
"version": "\u003c 3.3.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, long sequences of well-formed double-asterisk or triple-asterisk emphasis pairs around a character cause quadratic work in src/mistune/inline_parser.py because the parser scans forward for matching close markers from every potential opening run, allowing denial of service in default Mistune parsing. This issue is fixed in version 3.3.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-407",
"description": "CWE-407: Inefficient Algorithmic Complexity",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "CWE-1333: Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-08T16:18:43.786Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/lepture/mistune/security/advisories/GHSA-4j32-57v6-6g45",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/lepture/mistune/security/advisories/GHSA-4j32-57v6-6g45"
},
{
"name": "https://github.com/lepture/mistune/commit/5de41fb8e527004dbc363e047a3c380c9288c74f",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/lepture/mistune/commit/5de41fb8e527004dbc363e047a3c380c9288c74f"
},
{
"name": "https://github.com/lepture/mistune/releases/tag/v3.3.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/lepture/mistune/releases/tag/v3.3.0"
}
],
"source": {
"advisory": "GHSA-4j32-57v6-6g45",
"discovery": "UNKNOWN"
},
"title": "inline_parser: quadratic-time parsing on long runs of `**x**` and `***x***` emphasis pairs"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-59925",
"datePublished": "2026-07-08T16:18:43.786Z",
"dateReserved": "2026-07-07T18:20:06.126Z",
"dateUpdated": "2026-07-08T19:44:48.084Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-59922 (GCVE-0-2026-59922)
Vulnerability from cvelistv5 – Published: 2026-07-08 16:12 – Updated: 2026-07-09 14:40
VLAI
EPSS
VEX
Title
Mistune plugins/formatting: quadratic-time parsing on long runs of `~~x~~`, `==x==`, and `^^x^^` markers (strikethrough / mark / insert)
Summary
Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, a run of closed tilde, equals-sign, or caret marker pairs around a character causes quadratic work in src/mistune/plugins/formatting.py when the strikethrough, mark, or insert plugin scans for matching markers from each possible start position, allowing denial of service through CPU exhaustion. This issue is fixed in version 3.3.0.
Severity
7.5 (High)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/lepture/mistune/security/advis… | x_refsource_CONFIRM |
| https://github.com/lepture/mistune/commit/96d0f57… | x_refsource_MISC |
| https://github.com/lepture/mistune/releases/tag/v3.3.0 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-59922",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-09T14:39:49.792478Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T14:40:22.315Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/lepture/mistune/security/advisories/GHSA-c8j7-8cv4-2xmq"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mistune",
"vendor": "lepture",
"versions": [
{
"status": "affected",
"version": "\u003c 3.3.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, a run of closed tilde, equals-sign, or caret marker pairs around a character causes quadratic work in src/mistune/plugins/formatting.py when the strikethrough, mark, or insert plugin scans for matching markers from each possible start position, allowing denial of service through CPU exhaustion. This issue is fixed in version 3.3.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-407",
"description": "CWE-407: Inefficient Algorithmic Complexity",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "CWE-1333: Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-08T16:12:00.545Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/lepture/mistune/security/advisories/GHSA-c8j7-8cv4-2xmq",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/lepture/mistune/security/advisories/GHSA-c8j7-8cv4-2xmq"
},
{
"name": "https://github.com/lepture/mistune/commit/96d0f57f8fe9eeb06bb4cff521962a27d7c402e7",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/lepture/mistune/commit/96d0f57f8fe9eeb06bb4cff521962a27d7c402e7"
},
{
"name": "https://github.com/lepture/mistune/releases/tag/v3.3.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/lepture/mistune/releases/tag/v3.3.0"
}
],
"source": {
"advisory": "GHSA-c8j7-8cv4-2xmq",
"discovery": "UNKNOWN"
},
"title": "Mistune plugins/formatting: quadratic-time parsing on long runs of `~~x~~`, `==x==`, and `^^x^^` markers (strikethrough / mark / insert)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-59922",
"datePublished": "2026-07-08T16:12:00.545Z",
"dateReserved": "2026-07-07T18:20:06.125Z",
"dateUpdated": "2026-07-09T14:40:22.315Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-59887 (GCVE-0-2026-59887)
Vulnerability from cvelistv5 – Published: 2026-07-08 15:58 – Updated: 2026-07-09 14:41
VLAI
EPSS
VEX
Title
linkify-it: Quadratic-complexity DoS via the `mailto:` validator scan-loop on attacker text
Summary
linkify-it is a links recognition library with full Unicode support. Prior to 5.0.2, the mailto: schema validator used by .test() and .match() can be invoked at every mailto: occurrence and scan the remaining input through src_email_name in lib/re.mjs, causing O(n^2) CPU consumption on crafted user text. This issue is fixed in version 5.0.2.
Severity
7.5 (High)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-407 - Inefficient Algorithmic Complexity
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/markdown-it/linkify-it/securit… | x_refsource_CONFIRM |
| https://github.com/markdown-it/linkify-it/commit/… | x_refsource_MISC |
| https://github.com/markdown-it/linkify-it/release… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| markdown-it | linkify-it |
Affected:
< 5.0.2
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-59887",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-09T14:40:56.927532Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T14:41:02.113Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/markdown-it/linkify-it/security/advisories/GHSA-v245-v573-v5vm"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "linkify-it",
"vendor": "markdown-it",
"versions": [
{
"status": "affected",
"version": "\u003c 5.0.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "linkify-it is a links recognition library with full Unicode support. Prior to 5.0.2, the mailto: schema validator used by .test() and .match() can be invoked at every mailto: occurrence and scan the remaining input through src_email_name in lib/re.mjs, causing O(n^2) CPU consumption on crafted user text. This issue is fixed in version 5.0.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-407",
"description": "CWE-407: Inefficient Algorithmic Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-08T15:58:12.114Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/markdown-it/linkify-it/security/advisories/GHSA-v245-v573-v5vm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/markdown-it/linkify-it/security/advisories/GHSA-v245-v573-v5vm"
},
{
"name": "https://github.com/markdown-it/linkify-it/commit/105e5d77f7d119871d2b2d86ed208568eb3e7ffe",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/markdown-it/linkify-it/commit/105e5d77f7d119871d2b2d86ed208568eb3e7ffe"
},
{
"name": "https://github.com/markdown-it/linkify-it/releases/tag/5.0.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/markdown-it/linkify-it/releases/tag/5.0.2"
}
],
"source": {
"advisory": "GHSA-v245-v573-v5vm",
"discovery": "UNKNOWN"
},
"title": "linkify-it: Quadratic-complexity DoS via the `mailto:` validator scan-loop on attacker text"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-59887",
"datePublished": "2026-07-08T15:58:12.114Z",
"dateReserved": "2026-07-07T16:40:07.983Z",
"dateUpdated": "2026-07-09T14:41:02.113Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-59885 (GCVE-0-2026-59885)
Vulnerability from cvelistv5 – Published: 2026-07-14 16:40 – Updated: 2026-07-14 17:32
VLAI
EPSS
VEX
Title
pyasn1: Quadratic complexity in OBJECT IDENTIFIER and RELATIVE-OID processing allows denial of service
Summary
pyasn1 is a generic ASN.1 library for Python. Prior to 0.6.4, the BER, CER, and DER decoders process OBJECT IDENTIFIER and RELATIVE-OID values in quadratic time relative to the number of arcs, so a small crafted payload containing an OID with many arcs consumes excessive CPU per decode() call and can deny service to applications that decode untrusted ASN.1 data. The corresponding encoders have the same quadratic behavior when an application re-encodes previously decoded attacker-supplied values. This issue is fixed in version 0.6.4.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/pyasn1/pyasn1/security/advisor… | x_refsource_CONFIRM |
| https://github.com/pyasn1/pyasn1/commit/45bdb19eb… | x_refsource_MISC |
| https://github.com/pyasn1/pyasn1/releases/tag/v0.6.4 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-59885",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-14T17:32:32.986793Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-14T17:32:43.678Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "pyasn1",
"vendor": "pyasn1",
"versions": [
{
"status": "affected",
"version": "\u003c 0.6.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "pyasn1 is a generic ASN.1 library for Python. Prior to 0.6.4, the BER, CER, and DER decoders process OBJECT IDENTIFIER and RELATIVE-OID values in quadratic time relative to the number of arcs, so a small crafted payload containing an OID with many arcs consumes excessive CPU per decode() call and can deny service to applications that decode untrusted ASN.1 data. The corresponding encoders have the same quadratic behavior when an application re-encodes previously decoded attacker-supplied values. This issue is fixed in version 0.6.4."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-407",
"description": "CWE-407: Inefficient Algorithmic Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-14T16:40:00.515Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/pyasn1/pyasn1/security/advisories/GHSA-8ppf-4f7h-5ppj",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/pyasn1/pyasn1/security/advisories/GHSA-8ppf-4f7h-5ppj"
},
{
"name": "https://github.com/pyasn1/pyasn1/commit/45bdb19eb7df4b3780fe9c912c63e99bffc39dd9",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/pyasn1/pyasn1/commit/45bdb19eb7df4b3780fe9c912c63e99bffc39dd9"
},
{
"name": "https://github.com/pyasn1/pyasn1/releases/tag/v0.6.4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/pyasn1/pyasn1/releases/tag/v0.6.4"
}
],
"source": {
"advisory": "GHSA-8ppf-4f7h-5ppj",
"discovery": "UNKNOWN"
},
"title": "pyasn1: Quadratic complexity in OBJECT IDENTIFIER and RELATIVE-OID processing allows denial of service"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-59885",
"datePublished": "2026-07-14T16:40:00.515Z",
"dateReserved": "2026-07-07T16:40:07.983Z",
"dateUpdated": "2026-07-14T17:32:43.678Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-59880 (GCVE-0-2026-59880)
Vulnerability from cvelistv5 – Published: 2026-07-08 15:44 – Updated: 2026-07-08 16:13
VLAI
EPSS
VEX
Title
Immutable.js: Hash-collision algorithmic complexity denial of service in Immutable.Map/Set
Summary
Immutable.js provides many Persistent Immutable data structures. Prior to 4.3.9 and 5.1.8, Immutable.Map and Immutable.Set keep keys that share the same 32-bit hash in a HashCollisionNode collision bucket that is scanned linearly, allowing an attacker who controls keys inserted into a Map, such as through Immutable.Map(obj), Immutable.fromJS(obj), state.merge(userObject), or mergeDeep, to craft many colliding keys and degrade insertion and lookup to consume disproportionate CPU. This issue is fixed in versions 4.3.9 and 5.1.8.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-407 - Inefficient Algorithmic Complexity
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://github.com/immutable-js/immutable-js/secu… | x_refsource_CONFIRM |
| https://github.com/immutable-js/immutable-js/comm… | x_refsource_MISC |
| https://github.com/immutable-js/immutable-js/comm… | x_refsource_MISC |
| https://github.com/immutable-js/immutable-js/rele… | x_refsource_MISC |
| https://github.com/immutable-js/immutable-js/rele… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| immutable-js | immutable-js |
Affected:
< 4.3.9
Affected: >= 5.0.0-beta.1, < 5.1.8 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-59880",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-08T16:13:29.483011Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-08T16:13:46.106Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/immutable-js/immutable-js/security/advisories/GHSA-xvcm-6775-5m9r"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "immutable-js",
"vendor": "immutable-js",
"versions": [
{
"status": "affected",
"version": "\u003c 4.3.9"
},
{
"status": "affected",
"version": "\u003e= 5.0.0-beta.1, \u003c 5.1.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Immutable.js provides many Persistent Immutable data structures. Prior to 4.3.9 and 5.1.8, Immutable.Map and Immutable.Set keep keys that share the same 32-bit hash in a HashCollisionNode collision bucket that is scanned linearly, allowing an attacker who controls keys inserted into a Map, such as through Immutable.Map(obj), Immutable.fromJS(obj), state.merge(userObject), or mergeDeep, to craft many colliding keys and degrade insertion and lookup to consume disproportionate CPU. This issue is fixed in versions 4.3.9 and 5.1.8."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-407",
"description": "CWE-407: Inefficient Algorithmic Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-08T15:44:23.414Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/immutable-js/immutable-js/security/advisories/GHSA-xvcm-6775-5m9r",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/immutable-js/immutable-js/security/advisories/GHSA-xvcm-6775-5m9r"
},
{
"name": "https://github.com/immutable-js/immutable-js/commit/3dd7e5655012597a41873e328bf9142a8901527b",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/immutable-js/immutable-js/commit/3dd7e5655012597a41873e328bf9142a8901527b"
},
{
"name": "https://github.com/immutable-js/immutable-js/commit/e51d49fc612ded5ec4dfb94ff294d22074269b0f",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/immutable-js/immutable-js/commit/e51d49fc612ded5ec4dfb94ff294d22074269b0f"
},
{
"name": "https://github.com/immutable-js/immutable-js/releases/tag/v4.3.9",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/immutable-js/immutable-js/releases/tag/v4.3.9"
},
{
"name": "https://github.com/immutable-js/immutable-js/releases/tag/v5.1.8",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/immutable-js/immutable-js/releases/tag/v5.1.8"
}
],
"source": {
"advisory": "GHSA-xvcm-6775-5m9r",
"discovery": "UNKNOWN"
},
"title": "Immutable.js: Hash-collision algorithmic complexity denial of service in Immutable.Map/Set"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-59880",
"datePublished": "2026-07-08T15:44:23.414Z",
"dateReserved": "2026-07-07T16:40:07.982Z",
"dateUpdated": "2026-07-08T16:13:46.106Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-59870 (GCVE-0-2026-59870)
Vulnerability from cvelistv5 – Published: 2026-07-08 15:13 – Updated: 2026-07-08 15:50
VLAI
EPSS
VEX
Title
js-yaml quadratic-complexity denial of service via YAML11_SCHEMA !!omap parsing
Summary
js-yaml is a JavaScript YAML parser and dumper. From 5.0.0 before 5.2.1, YAML11_SCHEMA support for the !!omap tag in src/tag/sequence/omap.ts uses omapTag.addItem() to perform a linear duplicate-key scan on every insertion, causing O(n^2) CPU consumption when yaml.load() parses a crafted ordered-map document. This issue is fixed in version 5.2.1.
Severity
5.3 (Medium)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-407 - Inefficient Algorithmic Complexity
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/nodeca/js-yaml/security/adviso… | x_refsource_CONFIRM |
| https://github.com/nodeca/js-yaml/commit/39f3211a… | x_refsource_MISC |
| https://github.com/nodeca/js-yaml/releases/tag/5.2.1 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-59870",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-08T15:50:31.265965Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-08T15:50:55.378Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/nodeca/js-yaml/security/advisories/GHSA-724g-mxrg-4qvm"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "js-yaml",
"vendor": "nodeca",
"versions": [
{
"status": "affected",
"version": "\u003e= 5.0.0, \u003c 5.2.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "js-yaml is a JavaScript YAML parser and dumper. From 5.0.0 before 5.2.1, YAML11_SCHEMA support for the !!omap tag in src/tag/sequence/omap.ts uses omapTag.addItem() to perform a linear duplicate-key scan on every insertion, causing O(n^2) CPU consumption when yaml.load() parses a crafted ordered-map document. This issue is fixed in version 5.2.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-407",
"description": "CWE-407: Inefficient Algorithmic Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-08T15:13:20.308Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nodeca/js-yaml/security/advisories/GHSA-724g-mxrg-4qvm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nodeca/js-yaml/security/advisories/GHSA-724g-mxrg-4qvm"
},
{
"name": "https://github.com/nodeca/js-yaml/commit/39f3211a2f01b3c6982710cf21434ab7060acefe",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nodeca/js-yaml/commit/39f3211a2f01b3c6982710cf21434ab7060acefe"
},
{
"name": "https://github.com/nodeca/js-yaml/releases/tag/5.2.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nodeca/js-yaml/releases/tag/5.2.1"
}
],
"source": {
"advisory": "GHSA-724g-mxrg-4qvm",
"discovery": "UNKNOWN"
},
"title": "js-yaml quadratic-complexity denial of service via YAML11_SCHEMA !!omap parsing"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-59870",
"datePublished": "2026-07-08T15:13:20.308Z",
"dateReserved": "2026-07-07T15:41:53.607Z",
"dateUpdated": "2026-07-08T15:50:55.378Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-59869 (GCVE-0-2026-59869)
Vulnerability from cvelistv5 – Published: 2026-07-08 15:15 – Updated: 2026-07-09 15:14
VLAI
EPSS
VEX
Title
js-yaml: YAML merge-key chains can force quadratic CPU consumption
Summary
js-yaml is a JavaScript YAML parser and dumper. From 3.0.0 before 3.15.0 and from 4.0.0 before 4.3.0, js-yaml can spend quadratic CPU time parsing a document whose size grows only linearly when a chain of mappings uses merge keys where each mapping merges the previous one. This issue is fixed in versions 3.15.0 and 4.3.0.
Severity
7.5 (High)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-407 - Inefficient Algorithmic Complexity
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://github.com/nodeca/js-yaml/security/adviso… | x_refsource_CONFIRM |
| https://github.com/nodeca/js-yaml/commit/24f13e79… | x_refsource_MISC |
| https://github.com/nodeca/js-yaml/commit/59423c6f… | x_refsource_MISC |
| https://github.com/nodeca/js-yaml/releases/tag/3.15.0 | x_refsource_MISC |
| https://github.com/nodeca/js-yaml/releases/tag/4.3.0 | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-59869",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-09T15:14:16.302841Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T15:14:29.753Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/nodeca/js-yaml/security/advisories/GHSA-52cp-r559-cp3m"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "js-yaml",
"vendor": "nodeca",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.0.0, \u003c 3.15.0"
},
{
"status": "affected",
"version": "\u003e= 4.0.0, \u003c 4.3.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "js-yaml is a JavaScript YAML parser and dumper. From 3.0.0 before 3.15.0 and from 4.0.0 before 4.3.0, js-yaml can spend quadratic CPU time parsing a document whose size grows only linearly when a chain of mappings uses merge keys where each mapping merges the previous one. This issue is fixed in versions 3.15.0 and 4.3.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-407",
"description": "CWE-407: Inefficient Algorithmic Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-08T15:15:54.675Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nodeca/js-yaml/security/advisories/GHSA-52cp-r559-cp3m",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nodeca/js-yaml/security/advisories/GHSA-52cp-r559-cp3m"
},
{
"name": "https://github.com/nodeca/js-yaml/commit/24f13e79ee1343a7e30bd6f6c9d9cdbf0ac9b2b7",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nodeca/js-yaml/commit/24f13e79ee1343a7e30bd6f6c9d9cdbf0ac9b2b7"
},
{
"name": "https://github.com/nodeca/js-yaml/commit/59423c6f8cdc78742ac00e25a4dd39ef16b702e4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nodeca/js-yaml/commit/59423c6f8cdc78742ac00e25a4dd39ef16b702e4"
},
{
"name": "https://github.com/nodeca/js-yaml/releases/tag/3.15.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nodeca/js-yaml/releases/tag/3.15.0"
},
{
"name": "https://github.com/nodeca/js-yaml/releases/tag/4.3.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nodeca/js-yaml/releases/tag/4.3.0"
}
],
"source": {
"advisory": "GHSA-52cp-r559-cp3m",
"discovery": "UNKNOWN"
},
"title": "js-yaml: YAML merge-key chains can force quadratic CPU consumption"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-59869",
"datePublished": "2026-07-08T15:15:54.675Z",
"dateReserved": "2026-07-07T15:41:53.607Z",
"dateUpdated": "2026-07-09T15:14:29.753Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-59868 (GCVE-0-2026-59868)
Vulnerability from cvelistv5 – Published: 2026-07-08 15:18 – Updated: 2026-07-09 13:42
VLAI
EPSS
VEX
Title
js-yaml: YAML merge-key chains can force quadratic CPU consumption
Summary
js-yaml is a JavaScript YAML parser and dumper. From 5.0.0 before 5.2.0, when merge keys are enabled, js-yaml can spend quadratic CPU time parsing a document whose size grows only linearly when a chain of mappings uses merge keys where each mapping merges the previous one. This issue is fixed in version 5.2.0.
Severity
5.3 (Medium)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-407 - Inefficient Algorithmic Complexity
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/nodeca/js-yaml/security/adviso… | x_refsource_CONFIRM |
| https://github.com/nodeca/js-yaml/commit/3105455b… | x_refsource_MISC |
| https://github.com/nodeca/js-yaml/releases/tag/5.2.0 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-59868",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-09T13:41:56.104624Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-09T13:42:54.035Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/nodeca/js-yaml/security/advisories/GHSA-g796-fgmg-93mv"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "js-yaml",
"vendor": "nodeca",
"versions": [
{
"status": "affected",
"version": "\u003e= 5.0.0, \u003c 5.2.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "js-yaml is a JavaScript YAML parser and dumper. From 5.0.0 before 5.2.0, when merge keys are enabled, js-yaml can spend quadratic CPU time parsing a document whose size grows only linearly when a chain of mappings uses merge keys where each mapping merges the previous one. This issue is fixed in version 5.2.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-407",
"description": "CWE-407: Inefficient Algorithmic Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-08T15:18:19.422Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nodeca/js-yaml/security/advisories/GHSA-g796-fgmg-93mv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nodeca/js-yaml/security/advisories/GHSA-g796-fgmg-93mv"
},
{
"name": "https://github.com/nodeca/js-yaml/commit/3105455b81dee69e0fd36e09ac0b2ccfdb54adc1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nodeca/js-yaml/commit/3105455b81dee69e0fd36e09ac0b2ccfdb54adc1"
},
{
"name": "https://github.com/nodeca/js-yaml/releases/tag/5.2.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nodeca/js-yaml/releases/tag/5.2.0"
}
],
"source": {
"advisory": "GHSA-g796-fgmg-93mv",
"discovery": "UNKNOWN"
},
"title": "js-yaml: YAML merge-key chains can force quadratic CPU consumption"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-59868",
"datePublished": "2026-07-08T15:18:19.422Z",
"dateReserved": "2026-07-07T15:41:53.607Z",
"dateUpdated": "2026-07-09T13:42:54.035Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-59094 (GCVE-0-2026-59094)
Vulnerability from cvelistv5 – Published: 2026-07-02 19:40 – Updated: 2026-07-14 22:03 X_Open Source
VLAI
EPSS
VEX
Title
Pathway - Unauthenticated Denial of Service via Exponential Glob Pattern Matching in Document Store
Summary
Pathway through 0.31.1, fixed in commit d09722e, document store applies a caller-supplied glob pattern to indexed document paths using a hand-written recursive matcher that branches two ways on each ** token without memoization, giving exponential worst-case complexity. The filepath_globpattern value is taken from the body of the unauthenticated HTTP endpoints /v1/retrieve, /v1/inputs and /v2/answer and compiled into a filter evaluated once per indexed document, with no length or **-count limit. A remote unauthenticated attacker can submit a short pattern containing many ** tokens to consume CPU for tens of seconds per request, and a small number of requests denies service.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-407 - Inefficient Algorithmic Complexity
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/pathwaycom/pathway/issues/241 | technical-descriptionexploit |
| https://github.com/pathwaycom/pathway/pull/250 | issue-tracking |
| https://github.com/pathwaycom/pathway/commit/d097… | patch |
| https://www.vulncheck.com/advisories/pathway-unau… | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| pathwaycom | pathway |
Affected:
0 , ≤ 0.31.1
(semver)
Unaffected: d09722eef03fd94bba701836eb4c7fbfa3d3b88e (git) |
Date Public
2026-06-12 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-59094",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-06T16:19:28.535653Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-06T16:20:13.394Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageURL": "pkg:github/pathwaycom/pathway",
"product": "pathway",
"repo": "https://github.com/pathwaycom/pathway",
"vendor": "pathwaycom",
"versions": [
{
"lessThanOrEqual": "0.31.1",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "d09722eef03fd94bba701836eb4c7fbfa3d3b88e",
"versionType": "git"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:pathwaycom:pathway:*:*:*:*:*:*:*:*",
"versionEndIncluding": "0.31.1",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "George Chen"
}
],
"datePublic": "2026-06-12T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Pathway through 0.31.1, fixed in commit d09722e, document store applies a caller-supplied glob pattern to indexed document paths using a hand-written recursive matcher that branches two ways on each ** token without memoization, giving exponential worst-case complexity. The filepath_globpattern value is taken from the body of the unauthenticated HTTP endpoints /v1/retrieve, /v1/inputs and /v2/answer and compiled into a filter evaluated once per indexed document, with no length or **-count limit. A remote unauthenticated attacker can submit a short pattern containing many ** tokens to consume CPU for tens of seconds per request, and a small number of requests denies service."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-407",
"description": "Inefficient Algorithmic Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-14T22:03:21.697Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "Researcher Disclosure",
"tags": [
"technical-description",
"exploit"
],
"url": "https://github.com/pathwaycom/pathway/issues/241"
},
{
"name": "Fix PR",
"tags": [
"issue-tracking"
],
"url": "https://github.com/pathwaycom/pathway/pull/250"
},
{
"name": "Fix Commit",
"tags": [
"patch"
],
"url": "https://github.com/pathwaycom/pathway/commit/d09722eef03fd94bba701836eb4c7fbfa3d3b88e"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/pathway-unauthenticated-denial-of-service-via-exponential-glob-pattern-matching-in-document-store"
}
],
"tags": [
"x_open-source"
],
"title": "Pathway - Unauthenticated Denial of Service via Exponential Glob Pattern Matching in Document Store",
"x_generator": {
"engine": "vulncheck-endgame"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2026-59094",
"datePublished": "2026-07-02T19:40:50.961Z",
"dateReserved": "2026-07-02T15:38:18.928Z",
"dateUpdated": "2026-07-14T22:03:21.697Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.