CWE-1333
AllowedInefficient Regular Expression Complexity
Abstraction: Base · Status: Draft
The product uses a regular expression with a worst-case computational complexity that is inefficient and possibly exponential.
727 vulnerabilities reference this CWE, most recent first.
CVE-2022-31147 (GCVE-0-2022-31147)
Vulnerability from cvelistv5 – Published: 2022-07-14 19:30 – Updated: 2025-04-23 18:02- CWE-1333 - Inefficient Regular Expression Complexity
| URL | Tags |
|---|---|
| https://github.com/jquery-validation/jquery-valid… | x_refsource_CONFIRM |
| https://github.com/jquery-validation/jquery-valid… | x_refsource_MISC |
| https://github.com/jquery-validation/jquery-valid… | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| jquery-validation | jquery-validation |
Affected:
< 1.19.5
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T07:11:39.665Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/jquery-validation/jquery-validation/security/advisories/GHSA-ffmh-x56j-9rc3"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/jquery-validation/jquery-validation/commit/5bbd80d27fc6b607d2f7f106c89522051a9fb0dd"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/jquery-validation/jquery-validation/releases/tag/1.19.5"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-31147",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T15:53:30.070366Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T18:02:09.780Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "jquery-validation",
"vendor": "jquery-validation",
"versions": [
{
"status": "affected",
"version": "\u003c 1.19.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The jQuery Validation Plugin (jquery-validation) provides drop-in validation for forms. Versions of jquery-validation prior to 1.19.5 are vulnerable to regular expression denial of service (ReDoS) when an attacker is able to supply arbitrary input to the url2 method. This is due to an incomplete fix for CVE-2021-43306. Users should upgrade to version 1.19.5 to receive a patch."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "CWE-1333: Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-14T19:30:14.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/jquery-validation/jquery-validation/security/advisories/GHSA-ffmh-x56j-9rc3"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jquery-validation/jquery-validation/commit/5bbd80d27fc6b607d2f7f106c89522051a9fb0dd"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jquery-validation/jquery-validation/releases/tag/1.19.5"
}
],
"source": {
"advisory": "GHSA-ffmh-x56j-9rc3",
"discovery": "UNKNOWN"
},
"title": "jquery-validation ReDoS in url2 due to incomplete fix of CVE-2021-43306",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-31147",
"STATE": "PUBLIC",
"TITLE": "jquery-validation ReDoS in url2 due to incomplete fix of CVE-2021-43306"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "jquery-validation",
"version": {
"version_data": [
{
"version_value": "\u003c 1.19.5"
}
]
}
}
]
},
"vendor_name": "jquery-validation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The jQuery Validation Plugin (jquery-validation) provides drop-in validation for forms. Versions of jquery-validation prior to 1.19.5 are vulnerable to regular expression denial of service (ReDoS) when an attacker is able to supply arbitrary input to the url2 method. This is due to an incomplete fix for CVE-2021-43306. Users should upgrade to version 1.19.5 to receive a patch."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-1333: Inefficient Regular Expression Complexity"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/jquery-validation/jquery-validation/security/advisories/GHSA-ffmh-x56j-9rc3",
"refsource": "CONFIRM",
"url": "https://github.com/jquery-validation/jquery-validation/security/advisories/GHSA-ffmh-x56j-9rc3"
},
{
"name": "https://github.com/jquery-validation/jquery-validation/commit/5bbd80d27fc6b607d2f7f106c89522051a9fb0dd",
"refsource": "MISC",
"url": "https://github.com/jquery-validation/jquery-validation/commit/5bbd80d27fc6b607d2f7f106c89522051a9fb0dd"
},
{
"name": "https://github.com/jquery-validation/jquery-validation/releases/tag/1.19.5",
"refsource": "MISC",
"url": "https://github.com/jquery-validation/jquery-validation/releases/tag/1.19.5"
}
]
},
"source": {
"advisory": "GHSA-ffmh-x56j-9rc3",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-31147",
"datePublished": "2022-07-14T19:30:14.000Z",
"dateReserved": "2022-05-18T00:00:00.000Z",
"dateUpdated": "2025-04-23T18:02:09.780Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-29158 (GCVE-0-2022-29158)
Vulnerability from cvelistv5 – Published: 2022-09-02 07:10 – Updated: 2024-08-03 06:10- CWE-1333 - Inefficient Regular Expression Complexity
| URL | Tags |
|---|---|
| https://lists.apache.org/thread/7k92rg1o4ql2yw3o0… | x_refsource_MISC |
| http://www.openwall.com/lists/oss-security/2022/09/02/5 | mailing-listx_refsource_MLIST |
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache OFBiz |
Affected:
Apache OFBiz , ≤ 18.12.05
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T06:10:59.432Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread/7k92rg1o4ql2yw3o0vttkcl2jhq7j928"
},
{
"name": "[oss-security] 20220902 Apache OFBiz - Regular Expression Denial of Service (ReDoS) (CVE-2022-29158)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2022/09/02/5"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache OFBiz",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "18.12.05",
"status": "affected",
"version": "Apache OFBiz",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Tony Torralba and Joseph Farebrother from the GitHub CodeQL team."
}
],
"descriptions": [
{
"lang": "en",
"value": "Apache OFBiz up to version 18.12.05 is vulnerable to Regular Expression Denial of Service (ReDoS) in the way it handles URLs provided by external, unauthenticated users. Upgrade to 18.12.06 or apply patches at https://issues.apache.org/jira/browse/OFBIZ-12599"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "CWE-1333: Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-09-02T11:06:12.000Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread/7k92rg1o4ql2yw3o0vttkcl2jhq7j928"
},
{
"name": "[oss-security] 20220902 Apache OFBiz - Regular Expression Denial of Service (ReDoS) (CVE-2022-29158)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2022/09/02/5"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Regular Expression Denial of Service (ReDoS) vulnerability in Apache OFBiz",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2022-29158",
"STATE": "PUBLIC",
"TITLE": "Regular Expression Denial of Service (ReDoS) vulnerability in Apache OFBiz"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache OFBiz",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "Apache OFBiz",
"version_value": "18.12.05"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Tony Torralba and Joseph Farebrother from the GitHub CodeQL team."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Apache OFBiz up to version 18.12.05 is vulnerable to Regular Expression Denial of Service (ReDoS) in the way it handles URLs provided by external, unauthenticated users. Upgrade to 18.12.06 or apply patches at https://issues.apache.org/jira/browse/OFBIZ-12599"
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": [
{}
],
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-1333: Inefficient Regular Expression Complexity"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lists.apache.org/thread/7k92rg1o4ql2yw3o0vttkcl2jhq7j928",
"refsource": "MISC",
"url": "https://lists.apache.org/thread/7k92rg1o4ql2yw3o0vttkcl2jhq7j928"
},
{
"name": "[oss-security] 20220902 Apache OFBiz - Regular Expression Denial of Service (ReDoS) (CVE-2022-29158)",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2022/09/02/5"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2022-29158",
"datePublished": "2022-09-02T07:10:20.000Z",
"dateReserved": "2022-04-13T00:00:00.000Z",
"dateUpdated": "2024-08-03T06:10:59.432Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-26650 (GCVE-0-2022-26650)
Vulnerability from cvelistv5 – Published: 2022-05-17 08:05 – Updated: 2024-08-03 05:11- CWE-1333 - Inefficient Regular Expression Complexity
| URL | Tags |
|---|---|
| https://lists.apache.org/thread/8rp33m3nm4bwtx3qx… | x_refsource_MISC |
| http://www.openwall.com/lists/oss-security/2022/05/17/3 | mailing-listx_refsource_MLIST |
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache ShenYu (incubating) |
Affected:
unspecified , < 2.4.3
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T05:11:43.499Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread/8rp33m3nm4bwtx3qx76mqynth3t3d673"
},
{
"name": "[oss-security] 20220517 CVE-2022-26650: Apache ShenYu (incubating) Regular expression denial of service",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2022/05/17/3"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache ShenYu (incubating)",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "2.4.3",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Apache ShenYui, ShenYu-Bootstrap, RegexPredicateJudge.java uses Pattern.matches(conditionData.getParamValue(), realData) to make judgments, where both parameters are controllable by the user. This can cause an attacker pass in malicious regular expressions and characters causing a resource exhaustion. This issue affects Apache ShenYu (incubating) 2.4.0, 2.4.1 and 2.4.2 and is fixed in 2.4.3."
}
],
"metrics": [
{
"other": {
"content": {
"other": "moderate"
},
"type": "unknown"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "CWE-1333 Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-07-12T10:13:17.435Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread/8rp33m3nm4bwtx3qx76mqynth3t3d673"
},
{
"name": "[oss-security] 20220517 CVE-2022-26650: Apache ShenYu (incubating) Regular expression denial of service",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2022/05/17/3"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache ShenYu (incubating) Regular expression denial of service",
"workarounds": [
{
"lang": "en",
"value": "Upgrade to Apache ShenYu (incubating) 2.4.3 or apply patch https://github.com/apache/incubator-shenyu/pull/2975."
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2022-26650",
"STATE": "PUBLIC",
"TITLE": "Apache ShenYu (incubating) Regular expression denial of service"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache ShenYu (incubating)",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "2.4.3"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Apache ShenYui, ShenYu-Bootstrap, RegexPredicateJudge.java uses Pattern.matches(conditionData.getParamValue(), realData) to make judgments, where both parameters are controllable by the user. This can cause an attacker pass in malicious regular expressions and characters causing a resource exhaustion. This issue affects Apache ShenYu (incubating) 2.4.0, 2.4.1 and 2.4.2 and is fixed in 2.4.3."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": [
{
"other": "moderate"
}
],
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-1333 Inefficient Regular Expression Complexity"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lists.apache.org/thread/8rp33m3nm4bwtx3qx76mqynth3t3d673",
"refsource": "MISC",
"url": "https://lists.apache.org/thread/8rp33m3nm4bwtx3qx76mqynth3t3d673"
},
{
"name": "[oss-security] 20220517 CVE-2022-26650: Apache ShenYu (incubating) Regular expression denial of service",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2022/05/17/3"
}
]
},
"source": {
"discovery": "UNKNOWN"
},
"work_around": [
{
"lang": "en",
"value": "Upgrade to Apache ShenYu (incubating) 2.4.3 or apply patch https://github.com/apache/incubator-shenyu/pull/2975."
}
]
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2022-26650",
"datePublished": "2022-05-17T08:05:10.000Z",
"dateReserved": "2022-03-07T00:00:00.000Z",
"dateUpdated": "2024-08-03T05:11:43.499Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-25598 (GCVE-0-2022-25598)
Vulnerability from cvelistv5 – Published: 2022-03-30 09:20 – Updated: 2024-08-03 04:42- CWE-1333 - Inefficient Regular Expression Complexity
| URL | Tags |
|---|---|
| https://lists.apache.org/thread/hwnw7xr969sg5nv84… | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache DolphinScheduler |
Affected:
Apache DolphinScheduler , < 2.0.5
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T04:42:49.991Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread/hwnw7xr969sg5nv84wz75nfr2c76fl93"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache DolphinScheduler",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "2.0.5",
"status": "affected",
"version": "Apache DolphinScheduler",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "This issue was discovered by Zheng Wang of HIT"
}
],
"descriptions": [
{
"lang": "en",
"value": "Apache DolphinScheduler user registration is vulnerable to Regular express Denial of Service (ReDoS) attacks, Apache DolphinScheduler users should upgrade to version 2.0.5 or higher."
}
],
"metrics": [
{
"other": {
"content": {
"other": "low"
},
"type": "unknown"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "CWE-1333 Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-07-12T10:06:42.168Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread/hwnw7xr969sg5nv84wz75nfr2c76fl93"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache DolphinScheduler user registration is vulnerable to ReDoS attacks",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2022-25598",
"STATE": "PUBLIC",
"TITLE": "Apache DolphinScheduler user registration is vulnerable to ReDoS attacks"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache DolphinScheduler",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "Apache DolphinScheduler",
"version_value": "2.0.5"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "This issue was discovered by Zheng Wang of HIT"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Apache DolphinScheduler user registration is vulnerable to Regular express Denial of Service (ReDoS) attacks, Apache DolphinScheduler users should upgrade to version 2.0.5 or higher."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": [
{
"other": "low"
}
],
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-1333 Inefficient Regular Expression Complexity"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lists.apache.org/thread/hwnw7xr969sg5nv84wz75nfr2c76fl93",
"refsource": "MISC",
"url": "https://lists.apache.org/thread/hwnw7xr969sg5nv84wz75nfr2c76fl93"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2022-25598",
"datePublished": "2022-03-30T09:20:12.000Z",
"dateReserved": "2022-02-21T00:00:00.000Z",
"dateUpdated": "2024-08-03T04:42:49.991Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-24836 (GCVE-0-2022-24836)
Vulnerability from cvelistv5 – Published: 2022-04-11 00:00 – Updated: 2024-09-03 12:03| Vendor | Product | Version | |
|---|---|---|---|
| sparklemotion | nokogiri |
Affected:
< 1.13.4
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-09-03T12:03:46.858Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-crjr-9rc5-ghw8"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/sparklemotion/nokogiri/commit/e444525ef1634b675cd1cf52d39f4320ef0aecfd"
},
{
"name": "FEDORA-2022-9ed7641ce0",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OUPLBUZVM4WPFSXBEP2JS3R6LMKRTLFC/"
},
{
"name": "FEDORA-2022-132c6d7c2e",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XMDCWRQXJQ3TFSETPCEFMQ6RR6ME5UA3/"
},
{
"name": "FEDORA-2022-d231cb5e1f",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6DHCOWMA5PQTIQIMDENA7R2Y5BDYAIYM/"
},
{
"name": "[debian-lts-announce] 20220513 [SECURITY] [DLA 3003-1] ruby-nokogiri security update",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00013.html"
},
{
"name": "GLSA-202208-29",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202208-29"
},
{
"name": "[debian-lts-announce] 20221012 [SECURITY] [DLA 3149-1] ruby-nokogiri security update",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/10/msg00018.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://support.apple.com/kb/HT213532"
},
{
"name": "20221220 APPLE-SA-2022-12-13-4 macOS Ventura 13.1",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2022/Dec/23"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2024/09/msg00010.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "nokogiri",
"vendor": "sparklemotion",
"versions": [
{
"status": "affected",
"version": "\u003c 1.13.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Nokogiri is an open source XML and HTML library for Ruby. Nokogiri `\u003c v1.13.4` contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to detect encoding in HTML documents. Users are advised to upgrade to Nokogiri `\u003e= 1.13.4`. There are no known workarounds for this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "CWE-1333: Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-21T00:00:00.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"url": "https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-crjr-9rc5-ghw8"
},
{
"url": "https://github.com/sparklemotion/nokogiri/commit/e444525ef1634b675cd1cf52d39f4320ef0aecfd"
},
{
"name": "FEDORA-2022-9ed7641ce0",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OUPLBUZVM4WPFSXBEP2JS3R6LMKRTLFC/"
},
{
"name": "FEDORA-2022-132c6d7c2e",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XMDCWRQXJQ3TFSETPCEFMQ6RR6ME5UA3/"
},
{
"name": "FEDORA-2022-d231cb5e1f",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6DHCOWMA5PQTIQIMDENA7R2Y5BDYAIYM/"
},
{
"name": "[debian-lts-announce] 20220513 [SECURITY] [DLA 3003-1] ruby-nokogiri security update",
"tags": [
"mailing-list"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00013.html"
},
{
"name": "GLSA-202208-29",
"tags": [
"vendor-advisory"
],
"url": "https://security.gentoo.org/glsa/202208-29"
},
{
"name": "[debian-lts-announce] 20221012 [SECURITY] [DLA 3149-1] ruby-nokogiri security update",
"tags": [
"mailing-list"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/10/msg00018.html"
},
{
"url": "https://support.apple.com/kb/HT213532"
},
{
"name": "20221220 APPLE-SA-2022-12-13-4 macOS Ventura 13.1",
"tags": [
"mailing-list"
],
"url": "http://seclists.org/fulldisclosure/2022/Dec/23"
}
],
"source": {
"advisory": "GHSA-crjr-9rc5-ghw8",
"discovery": "UNKNOWN"
},
"title": "Inefficient Regular Expression Complexity in Nokogiri"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-24836",
"datePublished": "2022-04-11T00:00:00.000Z",
"dateReserved": "2022-02-10T00:00:00.000Z",
"dateUpdated": "2024-09-03T12:03:46.858Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-23548 (GCVE-0-2022-23548)
Vulnerability from cvelistv5 – Published: 2023-01-05 00:00 – Updated: 2025-03-10 21:32- CWE-1333 - Inefficient Regular Expression Complexity
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T03:43:46.457Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/discourse/discourse/security/advisories/GHSA-7rw2-f4x7-7pxf"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/discourse/discourse/pull/19737"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-23548",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-10T21:00:33.992880Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-10T21:32:22.096Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "discourse",
"vendor": "discourse",
"versions": [
{
"status": "affected",
"version": "\u003c 2.8.14"
},
{
"status": "affected",
"version": "\u003e= 2.9.0.beta0, \u003c 2.9.0.beta16"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Discourse is an option source discussion platform. Prior to version 2.8.14 on the `stable` branch and version 2.9.0.beta16 on the `beta` and `tests-passed` branches, parsing posts can be susceptible to regular expression denial of service (ReDoS) attacks. This issue is patched in versions 2.8.14 and 2.9.0.beta16. There are no known workarounds."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "CWE-1333: Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-01-17T00:00:00.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"url": "https://github.com/discourse/discourse/security/advisories/GHSA-7rw2-f4x7-7pxf"
},
{
"url": "https://github.com/discourse/discourse/pull/19737"
}
],
"source": {
"advisory": "GHSA-7rw2-f4x7-7pxf",
"discovery": "UNKNOWN"
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-23548",
"datePublished": "2023-01-05T00:00:00.000Z",
"dateReserved": "2022-01-19T00:00:00.000Z",
"dateUpdated": "2025-03-10T21:32:22.096Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-23517 (GCVE-0-2022-23517)
Vulnerability from cvelistv5 – Published: 2022-12-14 16:10 – Updated: 2025-11-03 21:45- CWE-1333 - Inefficient Regular Expression Complexity
| URL | Tags |
|---|---|
| https://github.com/rails/rails-html-sanitizer/sec… | x_refsource_CONFIRM |
| https://github.com/rails/rails-html-sanitizer/com… | x_refsource_MISC |
| https://hackerone.com/reports/1684163 | x_refsource_MISC |
| https://lists.debian.org/debian-lts-announce/2023… | |
| https://lists.debian.org/debian-lts-announce/2024… |
| Vendor | Product | Version | |
|---|---|---|---|
| rails | rails-html-sanitizer |
Affected:
< 1.4.4
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T21:45:57.498Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-5x79-w82f-gw8w",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-5x79-w82f-gw8w"
},
{
"name": "https://github.com/rails/rails-html-sanitizer/commit/56c61c0cebd1e493e8ad7bca2a0191609a4a6979",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/rails/rails-html-sanitizer/commit/56c61c0cebd1e493e8ad7bca2a0191609a4a6979"
},
{
"name": "https://hackerone.com/reports/1684163",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hackerone.com/reports/1684163"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00012.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2024/09/msg00045.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-23517",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-02T17:07:58.712366Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-19T20:06:05.666Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "rails-html-sanitizer",
"vendor": "rails",
"versions": [
{
"status": "affected",
"version": "\u003c 1.4.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails applications. Certain configurations of rails-html-sanitizer \u003c 1.4.4 use an inefficient regular expression that is susceptible to excessive backtracking when attempting to sanitize certain SVG attributes. This may lead to a denial of service through CPU resource consumption. This issue has been patched in version 1.4.4."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "CWE-1333: Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-09-13T16:06:18.564Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-5x79-w82f-gw8w",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-5x79-w82f-gw8w"
},
{
"name": "https://github.com/rails/rails-html-sanitizer/commit/56c61c0cebd1e493e8ad7bca2a0191609a4a6979",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/rails/rails-html-sanitizer/commit/56c61c0cebd1e493e8ad7bca2a0191609a4a6979"
},
{
"name": "https://hackerone.com/reports/1684163",
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/1684163"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00012.html"
}
],
"source": {
"advisory": "GHSA-5x79-w82f-gw8w",
"discovery": "UNKNOWN"
},
"title": "Inefficient Regular Expression Complexity in rails-html-sanitizer"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-23517",
"datePublished": "2022-12-14T16:10:22.304Z",
"dateReserved": "2022-01-19T21:23:53.778Z",
"dateUpdated": "2025-11-03T21:45:57.498Z",
"requesterUserId": "c184a3d9-dc98-4c48-a45b-d2d88cf0ac74",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-23514 (GCVE-0-2022-23514)
Vulnerability from cvelistv5 – Published: 2022-12-14 13:19 – Updated: 2025-11-03 21:45- CWE-1333 - Inefficient Regular Expression Complexity
| URL | Tags |
|---|---|
| https://github.com/flavorjones/loofah/security/ad… | x_refsource_CONFIRM |
| https://hackerone.com/reports/1684163 | x_refsource_MISC |
| https://lists.debian.org/debian-lts-announce/2023… | |
| https://lists.debian.org/debian-lts-announce/2024… |
| Vendor | Product | Version | |
|---|---|---|---|
| flavorjones | loofah |
Affected:
< 2.19.1
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T21:45:53.018Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/flavorjones/loofah/security/advisories/GHSA-486f-hjj9-9vhh",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/flavorjones/loofah/security/advisories/GHSA-486f-hjj9-9vhh"
},
{
"name": "https://hackerone.com/reports/1684163",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hackerone.com/reports/1684163"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00011.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2024/09/msg00044.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-23514",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-21T14:49:18.392624Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-21T14:50:27.172Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "loofah",
"vendor": "flavorjones",
"versions": [
{
"status": "affected",
"version": "\u003c 2.19.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Loofah is a general library for manipulating and transforming HTML/XML documents and fragments, built on top of Nokogiri. Loofah \u003c 2.19.1 contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to sanitize certain SVG attributes. This may lead to a denial of service through CPU resource consumption. This issue is patched in version 2.19.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "CWE-1333: Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-09-13T16:06:21.710Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/flavorjones/loofah/security/advisories/GHSA-486f-hjj9-9vhh",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/flavorjones/loofah/security/advisories/GHSA-486f-hjj9-9vhh"
},
{
"name": "https://hackerone.com/reports/1684163",
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/1684163"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00011.html"
}
],
"source": {
"advisory": "GHSA-486f-hjj9-9vhh",
"discovery": "UNKNOWN"
},
"title": "Inefficient Regular Expression Complexity in Loofah"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-23514",
"datePublished": "2022-12-14T13:19:25.943Z",
"dateReserved": "2022-01-19T21:23:53.777Z",
"dateUpdated": "2025-11-03T21:45:53.018Z",
"requesterUserId": "c184a3d9-dc98-4c48-a45b-d2d88cf0ac74",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-21681 (GCVE-0-2022-21681)
Vulnerability from cvelistv5 – Published: 2022-01-14 00:00 – Updated: 2025-04-22 18:33{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T02:46:39.337Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/markedjs/marked/security/advisories/GHSA-5v2h-r2cx-5xgj"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/markedjs/marked/commit/8f806573a3f6c6b7a39b8cdb66ab5ebb8d55a5f5"
},
{
"name": "FEDORA-2022-784d729f30",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AIXDMC3CSHYW3YWVSQOXAWLUYQHAO5UX/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-21681",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-22T15:42:21.459933Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-22T18:33:29.916Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "marked",
"vendor": "markedjs",
"versions": [
{
"status": "affected",
"version": "\u003c 4.0.10"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Marked is a markdown parser and compiler. Prior to version 4.0.10, the regular expression `inline.reflinkSearch` may cause catastrophic backtracking against some strings and lead to a denial of service (DoS). Anyone who runs untrusted markdown through a vulnerable version of marked and does not use a worker with a time limit may be affected. This issue is patched in version 4.0.10. As a workaround, avoid running untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "CWE-1333: Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-10-08T00:00:00.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"url": "https://github.com/markedjs/marked/security/advisories/GHSA-5v2h-r2cx-5xgj"
},
{
"url": "https://github.com/markedjs/marked/commit/8f806573a3f6c6b7a39b8cdb66ab5ebb8d55a5f5"
},
{
"name": "FEDORA-2022-784d729f30",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AIXDMC3CSHYW3YWVSQOXAWLUYQHAO5UX/"
}
],
"source": {
"advisory": "GHSA-5v2h-r2cx-5xgj",
"discovery": "UNKNOWN"
},
"title": "Exponential catastrophic backtracking (ReDoS) in marked"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-21681",
"datePublished": "2022-01-14T00:00:00.000Z",
"dateReserved": "2021-11-16T00:00:00.000Z",
"dateUpdated": "2025-04-22T18:33:29.916Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-21680 (GCVE-0-2022-21680)
Vulnerability from cvelistv5 – Published: 2022-01-14 00:00 – Updated: 2025-04-22 18:33{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T02:46:39.242Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/markedjs/marked/security/advisories/GHSA-rrrm-qjm4-v8hf"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/markedjs/marked/commit/c4a3ccd344b6929afa8a1d50ac54a721e57012c0"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/markedjs/marked/releases/tag/v4.0.10"
},
{
"name": "FEDORA-2022-784d729f30",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AIXDMC3CSHYW3YWVSQOXAWLUYQHAO5UX/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-21680",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-22T15:42:24.798116Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-22T18:33:37.402Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "marked",
"vendor": "markedjs",
"versions": [
{
"status": "affected",
"version": "\u003c 4.0.10"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Marked is a markdown parser and compiler. Prior to version 4.0.10, the regular expression `block.def` may cause catastrophic backtracking against some strings and lead to a regular expression denial of service (ReDoS). Anyone who runs untrusted markdown through a vulnerable version of marked and does not use a worker with a time limit may be affected. This issue is patched in version 4.0.10. As a workaround, avoid running untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "CWE-1333: Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-10-08T00:00:00.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"url": "https://github.com/markedjs/marked/security/advisories/GHSA-rrrm-qjm4-v8hf"
},
{
"url": "https://github.com/markedjs/marked/commit/c4a3ccd344b6929afa8a1d50ac54a721e57012c0"
},
{
"url": "https://github.com/markedjs/marked/releases/tag/v4.0.10"
},
{
"name": "FEDORA-2022-784d729f30",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AIXDMC3CSHYW3YWVSQOXAWLUYQHAO5UX/"
}
],
"source": {
"advisory": "GHSA-rrrm-qjm4-v8hf",
"discovery": "UNKNOWN"
},
"title": "Cubic catastrophic backtracking (ReDoS) in marked"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-21680",
"datePublished": "2022-01-14T00:00:00.000Z",
"dateReserved": "2021-11-16T00:00:00.000Z",
"dateUpdated": "2025-04-22T18:33:37.402Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Mitigation
Use regular expressions that do not support backtracking, e.g. by removing nested quantifiers.
Mitigation
Set backtracking limits in the configuration of the regular expression implementation, such as PHP's pcre.backtrack_limit. Also consider limits on execution time for the process.
Mitigation
Do not use regular expressions with untrusted input. If regular expressions must be used, avoid using backtracking in the expression.
Mitigation
Limit the length of the input that the regular expression will process.
CAPEC-492: Regular Expression Exponential Blowup
An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions.