Vulnerabilites related to ublockorigin - ublock_origin
CVE-2019-11595 (GCVE-0-2019-11595)
Vulnerability from cvelistv5
Published
2019-04-29 14:31
Modified
2024-08-04 22:55
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
In uBlock before 0.9.5.15, the $rewrite filter option allows filter-list maintainers to run arbitrary code in a client-side session when a web service loads a script for execution using XMLHttpRequest or Fetch, and the script origin has an open redirect.
References
| ▼ | URL | Tags |
|---|---|---|
| https://armin.dev/blog/2019/04/adblock-plus-code-injection/ | x_refsource_MISC | |
| https://news.ycombinator.com/item?id=19666504 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T22:55:41.059Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://armin.dev/blog/2019/04/adblock-plus-code-injection/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://news.ycombinator.com/item?id=19666504"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In uBlock before 0.9.5.15, the $rewrite filter option allows filter-list maintainers to run arbitrary code in a client-side session when a web service loads a script for execution using XMLHttpRequest or Fetch, and the script origin has an open redirect."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-04-29T14:31:21",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://armin.dev/blog/2019/04/adblock-plus-code-injection/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://news.ycombinator.com/item?id=19666504"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-11595",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In uBlock before 0.9.5.15, the $rewrite filter option allows filter-list maintainers to run arbitrary code in a client-side session when a web service loads a script for execution using XMLHttpRequest or Fetch, and the script origin has an open redirect."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://armin.dev/blog/2019/04/adblock-plus-code-injection/",
"refsource": "MISC",
"url": "https://armin.dev/blog/2019/04/adblock-plus-code-injection/"
},
{
"name": "https://news.ycombinator.com/item?id=19666504",
"refsource": "MISC",
"url": "https://news.ycombinator.com/item?id=19666504"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-11595",
"datePublished": "2019-04-29T14:31:21",
"dateReserved": "2019-04-29T00:00:00",
"dateUpdated": "2024-08-04T22:55:41.059Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-4215 (GCVE-0-2025-4215)
Vulnerability from cvelistv5
Published
2025-05-02 20:31
Modified
2025-06-12 00:12
Severity ?
2.3 (Low) - CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
3.1 (Low) - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L
3.1 (Low) - CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L
3.1 (Low) - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L
3.1 (Low) - CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L
VLAI Severity ?
EPSS score ?
Summary
A vulnerability was found in gorhill uBlock Origin up to 1.63.3b16. It has been classified as problematic. Affected is the function currentStateChanged of the file src/js/1p-filters.js of the component UI. The manipulation leads to inefficient regular expression complexity. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 1.63.3b17 is able to address this issue. The patch is identified as eaedaf5b10d2f7857c6b77fbf7d4a80681d4d46c. It is recommended to upgrade the affected component.
References
| ▼ | URL | Tags |
|---|---|---|
| https://vuldb.com/?id.307194 | vdb-entry, technical-description | |
| https://vuldb.com/?ctiid.307194 | signature, permissions-required | |
| https://vuldb.com/?submit.562301 | third-party-advisory | |
| https://github.com/gorhill/uBlock/commit/eaedaf5b10d2f7857c6b77fbf7d4a80681d4d46c | patch | |
| https://github.com/gorhill/uBlock/releases/tag/1.63.3b17 | patch |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| gorhill | uBlock Origin |
Version: 1.63.3b16 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-4215",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-05T14:55:50.256204Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-05T14:56:03.143Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/gorhill/uBlock/commit/eaedaf5b10d2f7857c6b77fbf7d4a80681d4d46c"
}
],
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-06-12T00:12:13.442Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/06/msg00013.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"modules": [
"UI"
],
"product": "uBlock Origin",
"vendor": "gorhill",
"versions": [
{
"status": "affected",
"version": "1.63.3b16"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "DayShift (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in gorhill uBlock Origin up to 1.63.3b16. It has been classified as problematic. Affected is the function currentStateChanged of the file src/js/1p-filters.js of the component UI. The manipulation leads to inefficient regular expression complexity. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 1.63.3b17 is able to address this issue. The patch is identified as eaedaf5b10d2f7857c6b77fbf7d4a80681d4d46c. It is recommended to upgrade the affected component."
},
{
"lang": "de",
"value": "Es wurde eine problematische Schwachstelle in gorhill uBlock Origin bis 1.63.3b16 ausgemacht. Betroffen hiervon ist die Funktion currentStateChanged der Datei src/js/1p-filters.js der Komponente UI. Durch Manipulieren mit unbekannten Daten kann eine inefficient regular expression complexity-Schwachstelle ausgenutzt werden. Umgesetzt werden kann der Angriff \u00fcber das Netzwerk. Die Komplexit\u00e4t eines Angriffs ist eher hoch. Sie gilt als schwierig auszunutzen. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung. Ein Aktualisieren auf die Version 1.63.3b17 vermag dieses Problem zu l\u00f6sen. Der Patch wird als eaedaf5b10d2f7857c6b77fbf7d4a80681d4d46c bezeichnet. Als bestm\u00f6gliche Massnahme wird das Einspielen eines Upgrades empfohlen."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 2.3,
"baseSeverity": "LOW",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 3.1,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 3.1,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 2.6,
"vectorString": "AV:N/AC:H/Au:N/C:N/I:N/A:P",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-02T20:31:05.334Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-307194 | gorhill uBlock Origin UI 1p-filters.js currentStateChanged redos",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.307194"
},
{
"name": "VDB-307194 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.307194"
},
{
"name": "Submit #562301 | uBlock @gorhill/ubo-core \u003e=npm_0.1.11 Inefficient Regular Expression Complexity",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.562301"
},
{
"tags": [
"patch"
],
"url": "https://github.com/gorhill/uBlock/commit/eaedaf5b10d2f7857c6b77fbf7d4a80681d4d46c"
},
{
"tags": [
"patch"
],
"url": "https://github.com/gorhill/uBlock/releases/tag/1.63.3b17"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-05-02T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-05-02T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-05-02T14:58:21.000Z",
"value": "VulDB entry last update"
}
],
"title": "gorhill uBlock Origin UI 1p-filters.js currentStateChanged redos"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-4215",
"datePublished": "2025-05-02T20:31:05.334Z",
"dateReserved": "2025-05-02T12:51:52.695Z",
"dateUpdated": "2025-06-12T00:12:13.442Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-36773 (GCVE-0-2021-36773)
Vulnerability from cvelistv5
Published
2021-07-18 03:34
Modified
2024-08-04 01:01
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
uBlock Origin before 1.36.2 and nMatrix before 4.4.9 support an arbitrary depth of parameter nesting for strict blocking, which allows crafted web sites to cause a denial of service (unbounded recursion that can trigger memory consumption and a loss of all blocking functionality).
References
| ▼ | URL | Tags |
|---|---|---|
| https://news.ycombinator.com/item?id=27833752 | x_refsource_MISC | |
| https://github.com/vtriolet/writings/blob/main/posts/2021/ublock_origin_and_umatrix_denial_of_service.adoc | x_refsource_MISC | |
| https://lists.debian.org/debian-lts-announce/2022/06/msg00024.html | mailing-list, x_refsource_MLIST |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T01:01:59.277Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://news.ycombinator.com/item?id=27833752"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/vtriolet/writings/blob/main/posts/2021/ublock_origin_and_umatrix_denial_of_service.adoc"
},
{
"name": "[debian-lts-announce] 20220629 [SECURITY] [DLA 3062-1] ublock-origin security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/06/msg00024.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "uBlock Origin before 1.36.2 and nMatrix before 4.4.9 support an arbitrary depth of parameter nesting for strict blocking, which allows crafted web sites to cause a denial of service (unbounded recursion that can trigger memory consumption and a loss of all blocking functionality)."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-06-29T23:06:09",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://news.ycombinator.com/item?id=27833752"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/vtriolet/writings/blob/main/posts/2021/ublock_origin_and_umatrix_denial_of_service.adoc"
},
{
"name": "[debian-lts-announce] 20220629 [SECURITY] [DLA 3062-1] ublock-origin security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/06/msg00024.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-36773",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "uBlock Origin before 1.36.2 and nMatrix before 4.4.9 support an arbitrary depth of parameter nesting for strict blocking, which allows crafted web sites to cause a denial of service (unbounded recursion that can trigger memory consumption and a loss of all blocking functionality)."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://news.ycombinator.com/item?id=27833752",
"refsource": "MISC",
"url": "https://news.ycombinator.com/item?id=27833752"
},
{
"name": "https://github.com/vtriolet/writings/blob/main/posts/2021/ublock_origin_and_umatrix_denial_of_service.adoc",
"refsource": "MISC",
"url": "https://github.com/vtriolet/writings/blob/main/posts/2021/ublock_origin_and_umatrix_denial_of_service.adoc"
},
{
"name": "[debian-lts-announce] 20220629 [SECURITY] [DLA 3062-1] ublock-origin security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2022/06/msg00024.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-36773",
"datePublished": "2021-07-18T03:34:06",
"dateReserved": "2021-07-18T00:00:00",
"dateUpdated": "2024-08-04T01:01:59.277Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Vulnerability from fkie_nvd
Published
2019-04-29 15:29
Modified
2024-11-21 04:21
Severity ?
Summary
In uBlock before 0.9.5.15, the $rewrite filter option allows filter-list maintainers to run arbitrary code in a client-side session when a web service loads a script for execution using XMLHttpRequest or Fetch, and the script origin has an open redirect.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://armin.dev/blog/2019/04/adblock-plus-code-injection/ | Exploit, Mitigation, Third Party Advisory | |
| cve@mitre.org | https://news.ycombinator.com/item?id=19666504 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://armin.dev/blog/2019/04/adblock-plus-code-injection/ | Exploit, Mitigation, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://news.ycombinator.com/item?id=19666504 | Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ublockorigin | ublock_origin | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ublockorigin:ublock_origin:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F3AA01A2-94B0-40EA-98EE-8BE149EF3A02",
"versionEndExcluding": "0.9.5.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In uBlock before 0.9.5.15, the $rewrite filter option allows filter-list maintainers to run arbitrary code in a client-side session when a web service loads a script for execution using XMLHttpRequest or Fetch, and the script origin has an open redirect."
},
{
"lang": "es",
"value": "uBlock versiones anteriores a la 0.9.5.15, la opci\u00f3n de filtro $rewrite permite al equipo de mantenimiento de listas de filtros, ejecutar c\u00f3digo arbitrario en una sesi\u00f3n del lado del cliente cuando un servicio web carga un script para su ejecuci\u00f3n utilizando XMLHttpRequest o Fetch, y el origen del script tiene una redirecci\u00f3n abierta."
}
],
"id": "CVE-2019-11595",
"lastModified": "2024-11-21T04:21:24.657",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.0,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 2.2,
"impactScore": 6.0,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-04-29T15:29:00.887",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Mitigation",
"Third Party Advisory"
],
"url": "https://armin.dev/blog/2019/04/adblock-plus-code-injection/"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://news.ycombinator.com/item?id=19666504"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Mitigation",
"Third Party Advisory"
],
"url": "https://armin.dev/blog/2019/04/adblock-plus-code-injection/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://news.ycombinator.com/item?id=19666504"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-07-18 04:15
Modified
2024-11-21 06:14
Severity ?
Summary
uBlock Origin before 1.36.2 and nMatrix before 4.4.9 support an arbitrary depth of parameter nesting for strict blocking, which allows crafted web sites to cause a denial of service (unbounded recursion that can trigger memory consumption and a loss of all blocking functionality).
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/vtriolet/writings/blob/main/posts/2021/ublock_origin_and_umatrix_denial_of_service.adoc | Exploit, Third Party Advisory | |
| cve@mitre.org | https://lists.debian.org/debian-lts-announce/2022/06/msg00024.html | Mailing List, Third Party Advisory | |
| cve@mitre.org | https://news.ycombinator.com/item?id=27833752 | Issue Tracking, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/vtriolet/writings/blob/main/posts/2021/ublock_origin_and_umatrix_denial_of_service.adoc | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.debian.org/debian-lts-announce/2022/06/msg00024.html | Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://news.ycombinator.com/item?id=27833752 | Issue Tracking, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| sciruby | nmatrix | * | |
| ublockorigin | ublock_origin | * | |
| umatrix_project | umatrix | * | |
| debian | debian_linux | 9.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:sciruby:nmatrix:*:*:*:*:*:*:*:*",
"matchCriteriaId": "0A335ADE-C257-42EE-963F-9B2A9A67AC31",
"versionEndExcluding": "4.4.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ublockorigin:ublock_origin:*:*:*:*:*:*:*:*",
"matchCriteriaId": "07A8F0D7-0E09-4BCF-8F2C-AB552732F563",
"versionEndExcluding": "1.36.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:umatrix_project:umatrix:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D3550549-705D-487D-847A-6A5AE34F4056",
"versionEndExcluding": "1.4.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
"matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "uBlock Origin before 1.36.2 and nMatrix before 4.4.9 support an arbitrary depth of parameter nesting for strict blocking, which allows crafted web sites to cause a denial of service (unbounded recursion that can trigger memory consumption and a loss of all blocking functionality)."
},
{
"lang": "es",
"value": "uBlock Origin versiones anteriores a 1.36.2 y nMatrix versiones anteriores a 4.4.9, admiten una profundidad arbitraria de anidaci\u00f3n de par\u00e1metros para un bloqueo estricto, lo que permite que los sitios web dise\u00f1ados causar una denegaci\u00f3n de servicio (recursividad ilimitada que puede desencadenar el consumo de memoria y la p\u00e9rdida de toda la funcionalidad de bloqueo)"
}
],
"id": "CVE-2021-36773",
"lastModified": "2024-11-21T06:14:04.060",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-07-18T04:15:08.110",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/vtriolet/writings/blob/main/posts/2021/ublock_origin_and_umatrix_denial_of_service.adoc"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/06/msg00024.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://news.ycombinator.com/item?id=27833752"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/vtriolet/writings/blob/main/posts/2021/ublock_origin_and_umatrix_denial_of_service.adoc"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/06/msg00024.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://news.ycombinator.com/item?id=27833752"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-674"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2025-05-02 21:15
Modified
2025-06-17 14:17
Severity ?
3.1 (Low) - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L
3.7 (Low) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
3.7 (Low) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Summary
A vulnerability was found in gorhill uBlock Origin up to 1.63.3b16. It has been classified as problematic. Affected is the function currentStateChanged of the file src/js/1p-filters.js of the component UI. The manipulation leads to inefficient regular expression complexity. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 1.63.3b17 is able to address this issue. The patch is identified as eaedaf5b10d2f7857c6b77fbf7d4a80681d4d46c. It is recommended to upgrade the affected component.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cna@vuldb.com | https://github.com/gorhill/uBlock/commit/eaedaf5b10d2f7857c6b77fbf7d4a80681d4d46c | Exploit, Patch | |
| cna@vuldb.com | https://github.com/gorhill/uBlock/releases/tag/1.63.3b17 | Release Notes | |
| cna@vuldb.com | https://vuldb.com/?ctiid.307194 | Permissions Required, VDB Entry | |
| cna@vuldb.com | https://vuldb.com/?id.307194 | Third Party Advisory, VDB Entry | |
| cna@vuldb.com | https://vuldb.com/?submit.562301 | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.debian.org/debian-lts-announce/2025/06/msg00013.html | Mailing List | |
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | https://github.com/gorhill/uBlock/commit/eaedaf5b10d2f7857c6b77fbf7d4a80681d4d46c | Exploit, Patch |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ublockorigin | ublock_origin | * | |
| ublockorigin | ublock_origin | 1.63.3 | |
| ublockorigin | ublock_origin | 1.63.3 | |
| ublockorigin | ublock_origin | 1.63.3 | |
| ublockorigin | ublock_origin | 1.63.3 | |
| ublockorigin | ublock_origin | 1.63.3 | |
| ublockorigin | ublock_origin | 1.63.3 | |
| ublockorigin | ublock_origin | 1.63.3 | |
| ublockorigin | ublock_origin | 1.63.3 | |
| ublockorigin | ublock_origin | 1.63.3 | |
| ublockorigin | ublock_origin | 1.63.3 | |
| ublockorigin | ublock_origin | 1.63.3 | |
| ublockorigin | ublock_origin | 1.63.3 | |
| ublockorigin | ublock_origin | 1.63.3 | |
| ublockorigin | ublock_origin | 1.63.3 | |
| ublockorigin | ublock_origin | 1.63.3 | |
| ublockorigin | ublock_origin | 1.63.3 | |
| debian | debian_linux | 11.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ublockorigin:ublock_origin:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E79DA830-EA8C-47B6-BD7F-0842DEC5F88C",
"versionEndExcluding": "1.63.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ublockorigin:ublock_origin:1.63.3:beta1:*:*:*:*:*:*",
"matchCriteriaId": "79A4228B-1FA0-4150-8D6F-814F1DB61AE1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ublockorigin:ublock_origin:1.63.3:beta10:*:*:*:*:*:*",
"matchCriteriaId": "0DACB05D-3A30-4ADE-A265-7EA081710055",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ublockorigin:ublock_origin:1.63.3:beta11:*:*:*:*:*:*",
"matchCriteriaId": "A06C4A41-F9F3-4FD8-88FE-D245B462E881",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ublockorigin:ublock_origin:1.63.3:beta12:*:*:*:*:*:*",
"matchCriteriaId": "05C5AE9C-2C38-44C8-BA47-A274E45CCE20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ublockorigin:ublock_origin:1.63.3:beta13:*:*:*:*:*:*",
"matchCriteriaId": "C5BB4A6D-F31D-48D2-853C-0631DD9FA574",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ublockorigin:ublock_origin:1.63.3:beta14:*:*:*:*:*:*",
"matchCriteriaId": "FEBC2AC0-72E3-4879-8360-D10C766FA618",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ublockorigin:ublock_origin:1.63.3:beta15:*:*:*:*:*:*",
"matchCriteriaId": "7437C121-9E8F-4A04-ACEF-25CD49AB1EE0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ublockorigin:ublock_origin:1.63.3:beta16:*:*:*:*:*:*",
"matchCriteriaId": "7F39A0E7-A745-49CB-93A0-06E3E6B622DA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ublockorigin:ublock_origin:1.63.3:beta2:*:*:*:*:*:*",
"matchCriteriaId": "07374522-6C44-4037-A81C-AED82D4AB365",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ublockorigin:ublock_origin:1.63.3:beta3:*:*:*:*:*:*",
"matchCriteriaId": "85EB1169-3841-4D09-A747-17CE738A91B3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ublockorigin:ublock_origin:1.63.3:beta4:*:*:*:*:*:*",
"matchCriteriaId": "887E88B7-3905-487F-9462-D32F234D0FC1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ublockorigin:ublock_origin:1.63.3:beta5:*:*:*:*:*:*",
"matchCriteriaId": "6FB0CF01-BD25-441D-B3D3-B4C948211B12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ublockorigin:ublock_origin:1.63.3:beta6:*:*:*:*:*:*",
"matchCriteriaId": "1BCA6D91-F17D-4E7C-B986-58C4E1313522",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ublockorigin:ublock_origin:1.63.3:beta7:*:*:*:*:*:*",
"matchCriteriaId": "0178FB98-7B4D-45F4-9880-8B471AA5702A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ublockorigin:ublock_origin:1.63.3:beta8:*:*:*:*:*:*",
"matchCriteriaId": "9EC0A01E-DB43-487A-BDA9-5EAB05670DBF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ublockorigin:ublock_origin:1.63.3:beta9:*:*:*:*:*:*",
"matchCriteriaId": "43563BB4-DE44-4780-A963-B73161987B1B",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*",
"matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in gorhill uBlock Origin up to 1.63.3b16. It has been classified as problematic. Affected is the function currentStateChanged of the file src/js/1p-filters.js of the component UI. The manipulation leads to inefficient regular expression complexity. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 1.63.3b17 is able to address this issue. The patch is identified as eaedaf5b10d2f7857c6b77fbf7d4a80681d4d46c. It is recommended to upgrade the affected component."
},
{
"lang": "es",
"value": "Se encontr\u00f3 una vulnerabilidad en gorhill uBlock Origin hasta la versi\u00f3n 1.63.3b16. Se ha clasificado como problem\u00e1tica. La funci\u00f3n currentStateChanged del archivo src/js/1p-filters.js de la interfaz de usuario del componente se ve afectada. La manipulaci\u00f3n genera una complejidad ineficiente en las expresiones regulares. Es posible ejecutar el ataque de forma remota. Es un ataque de complejidad bastante alta. Parece dif\u00edcil de explotar. Se ha hecho p\u00fablico el exploit y puede que sea utilizado. Actualizar a la versi\u00f3n 1.63.3b17 soluciona este problema. El parche se identifica como eaedaf5b10d2f7857c6b77fbf7d4a80681d4d46c. Se recomienda actualizar el componente afectado."
}
],
"id": "CVE-2025-4215",
"lastModified": "2025-06-17T14:17:53.467",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "HIGH",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 2.6,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:H/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 4.9,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "cna@vuldb.com",
"type": "Secondary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 1.6,
"impactScore": 1.4,
"source": "cna@vuldb.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 2.3,
"baseSeverity": "LOW",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "cna@vuldb.com",
"type": "Secondary"
}
]
},
"published": "2025-05-02T21:15:23.893",
"references": [
{
"source": "cna@vuldb.com",
"tags": [
"Exploit",
"Patch"
],
"url": "https://github.com/gorhill/uBlock/commit/eaedaf5b10d2f7857c6b77fbf7d4a80681d4d46c"
},
{
"source": "cna@vuldb.com",
"tags": [
"Release Notes"
],
"url": "https://github.com/gorhill/uBlock/releases/tag/1.63.3b17"
},
{
"source": "cna@vuldb.com",
"tags": [
"Permissions Required",
"VDB Entry"
],
"url": "https://vuldb.com/?ctiid.307194"
},
{
"source": "cna@vuldb.com",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "https://vuldb.com/?id.307194"
},
{
"source": "cna@vuldb.com",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "https://vuldb.com/?submit.562301"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List"
],
"url": "https://lists.debian.org/debian-lts-announce/2025/06/msg00013.html"
},
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"tags": [
"Exploit",
"Patch"
],
"url": "https://github.com/gorhill/uBlock/commit/eaedaf5b10d2f7857c6b77fbf7d4a80681d4d46c"
}
],
"sourceIdentifier": "cna@vuldb.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-400"
},
{
"lang": "en",
"value": "CWE-1333"
}
],
"source": "cna@vuldb.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-1333"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}