CWE-1333
AllowedInefficient Regular Expression Complexity
Abstraction: Base · Status: Draft
The product uses a regular expression with a worst-case computational complexity that is inefficient and possibly exponential.
732 vulnerabilities reference this CWE, most recent first.
GHSA-593F-38F6-JP5M
Vulnerability from github – Published: 2025-02-12 19:23 – Updated: 2025-02-12 19:23Summary
Koa uses an evil regex to parse the X-Forwarded-Proto and X-Forwarded-Host HTTP headers. This can be exploited to carry out a Denial-of-Service attack.
PoC
Coming soon.
Impact
This is a Regex Denial-of-Service attack and causes memory exhaustion. The regex should be improved and empty values should not be allowed.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "koa"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.15.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "koa"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0-alpha.0"
},
{
"fixed": "3.0.0-alpha.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "koa"
},
"ranges": [
{
"events": [
{
"introduced": "1.0.0"
},
{
"fixed": "1.7.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "koa"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.21.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-25200"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2025-02-12T19:23:09Z",
"nvd_published_at": "2025-02-12T18:15:28Z",
"severity": "CRITICAL"
},
"details": "### Summary\nKoa uses an evil regex to parse the `X-Forwarded-Proto` and `X-Forwarded-Host` HTTP headers. This can be exploited to carry out a Denial-of-Service attack.\n\n### PoC\n\nComing soon.\n\n### Impact\nThis is a Regex Denial-of-Service attack and causes memory exhaustion. The regex should be improved and empty values should not be allowed.",
"id": "GHSA-593f-38f6-jp5m",
"modified": "2025-02-12T19:23:09Z",
"published": "2025-02-12T19:23:09Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/koajs/koa/security/advisories/GHSA-593f-38f6-jp5m"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-25200"
},
{
"type": "WEB",
"url": "https://github.com/koajs/koa/commit/5054af6e31ffd451a4151a1fe144cef6e5d0d83c"
},
{
"type": "WEB",
"url": "https://github.com/koajs/koa/commit/5f294bb1c7c8d9c61904378d250439a321bffd32"
},
{
"type": "WEB",
"url": "https://github.com/koajs/koa/commit/93fe903fc966635a991bcf890cfc3427d33a1a08"
},
{
"type": "PACKAGE",
"url": "https://github.com/koajs/koa"
},
{
"type": "WEB",
"url": "https://github.com/koajs/koa/releases/tag/2.15.4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H",
"type": "CVSS_V4"
}
],
"summary": "Inefficient Regular Expression Complexity in koa"
}
GHSA-5943-48F3-6WX5
Vulnerability from github – Published: 2024-04-26 06:30 – Updated: 2026-02-23 12:31Denial of service condition in M-Files Server in versions before 24.4.13592.4 and after 23.11 (excluding 24.2 LTS) allows unauthenticated user to consume computing resources.
{
"affected": [],
"aliases": [
"CVE-2024-4056"
],
"database_specific": {
"cwe_ids": [
"CWE-1333",
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-26T06:15:06Z",
"severity": "HIGH"
},
"details": "Denial of service condition in M-Files Server in versions before 24.4.13592.4\u00a0and after 23.11 (excluding 24.2 LTS) allows unauthenticated user to consume computing resources.",
"id": "GHSA-5943-48f3-6wx5",
"modified": "2026-02-23T12:31:28Z",
"published": "2024-04-26T06:30:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4056"
},
{
"type": "WEB",
"url": "https://empower.m-files.com/security-advisories/CVE-2024-4056"
},
{
"type": "WEB",
"url": "https://product.m-files.com/security-advisories/cve-2024-4056"
},
{
"type": "WEB",
"url": "https://www.m-files.com/about/trust-center/security-advisories/cve-2024-4056"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-59P9-H35M-WG4G
Vulnerability from github – Published: 2025-09-12 12:30 – Updated: 2025-09-15 13:57A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically affecting the MarianTokenizer's remove_language_code() method. This vulnerability is present in version 4.52.4 and has been fixed in version 4.53.0. The issue arises from inefficient regex processing, which can be exploited by crafted input strings containing malformed language code patterns, leading to excessive CPU consumption and potential denial of service.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "transformers"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.53.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-6638"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2025-09-15T13:57:49Z",
"nvd_published_at": "2025-09-12T11:15:31Z",
"severity": "MODERATE"
},
"details": "A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically affecting the MarianTokenizer\u0027s `remove_language_code()` method. This vulnerability is present in version 4.52.4 and has been fixed in version 4.53.0. The issue arises from inefficient regex processing, which can be exploited by crafted input strings containing malformed language code patterns, leading to excessive CPU consumption and potential denial of service.",
"id": "GHSA-59p9-h35m-wg4g",
"modified": "2025-09-15T13:57:49Z",
"published": "2025-09-12T12:30:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6638"
},
{
"type": "WEB",
"url": "https://github.com/huggingface/transformers/commit/47c34fba5c303576560cb29767efb452ff12b8be"
},
{
"type": "WEB",
"url": "https://github.com/huggingface/transformers/commit/d37f7517972f67e3f2194c000ed0f87f064e5099"
},
{
"type": "PACKAGE",
"url": "https://github.com/huggingface/transformers"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/6a6c933f-9ce8-4ded-8b3b-2c1444c61f36"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "Hugging Face Transformers is vulnerable to ReDoS through its MarianTokenizer"
}
GHSA-5G3J-89FR-R2VP
Vulnerability from github – Published: 2026-04-08 00:07 – Updated: 2026-04-08 00:07Summary
skilleton versions prior to 0.3.1 include security-related weaknesses in repository normalization and path handling logic.
Version 0.3.1 contains fixes and additional test coverage for these issues.
Affected Versions
<0.3.1
Patched Versions
>=0.3.1
Impact
In affected versions, crafted input could trigger unsafe or inefficient behavior in repository/path processing code paths.
0.3.1 mitigates this by:
- replacing vulnerable parsing behavior with deterministic logic,
- validating subpaths earlier before allocating git worktree resources,
- adding stricter and broader regression tests around these flows.
Severity
Low to Moderate (project-maintainer assessed)
Mitigation
Upgrade to 0.3.1 or later.
Workarounds
No complete workaround is recommended other than upgrading.
References
- Branch:
fix/security-code-scanning-alerts - Commits:
- fix(security): harden git arg handling and path validation
- fix(security): use while loop in normalizeRepoUrl instead of regex
- Security Policy: SECURITY.md
Credits
Detected through automated code scanning and remediated by project maintainers.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "skilleton"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.3.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-1333",
"CWE-400",
"CWE-78",
"CWE-88"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-08T00:07:36Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "## Summary\n\n`skilleton` versions prior to `0.3.1` include security-related weaknesses in repository normalization and path handling logic. \nVersion `0.3.1` contains fixes and additional test coverage for these issues.\n\n## Affected Versions\n\n`\u003c0.3.1`\n\n## Patched Versions\n\n`\u003e=0.3.1`\n\n## Impact\n\nIn affected versions, crafted input could trigger unsafe or inefficient behavior in repository/path processing code paths. \n`0.3.1` mitigates this by:\n- replacing vulnerable parsing behavior with deterministic logic,\n- validating subpaths earlier before allocating git worktree resources,\n- adding stricter and broader regression tests around these flows.\n\n## Severity\n\nLow to Moderate (project-maintainer assessed)\n\n## Mitigation\n\nUpgrade to `0.3.1` or later.\n\n## Workarounds\n\nNo complete workaround is recommended other than upgrading.\n\n## References\n\n- Branch: [`fix/security-code-scanning-alerts`](https://github.com/Fcmam5/skilleton/pull/9)\n- Commits:\n - [fix(security): harden git arg handling and path validation](https://github.com/Fcmam5/skilleton/pull/9/changes/42bc280ad675bfaa7b1bbc192330fb582bb28172)\n - [fix(security): use while loop in normalizeRepoUrl instead of regex](https://github.com/Fcmam5/skilleton/pull/9/changes/6613160803ec8655efee9a270eeaa767ad22da8b)\n- Security Policy: [SECURITY.md](https://github.com/Fcmam5/skilleton/blob/master/SECURITY.md)\n\n## Credits\n\nDetected through automated code scanning and remediated by project maintainers.",
"id": "GHSA-5g3j-89fr-r2vp",
"modified": "2026-04-08T00:07:36Z",
"published": "2026-04-08T00:07:36Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/Fcmam5/skilleton/security/advisories/GHSA-5g3j-89fr-r2vp"
},
{
"type": "WEB",
"url": "https://github.com/Fcmam5/skilleton/pull/9/changes/42bc280ad675bfaa7b1bbc192330fb582bb28172"
},
{
"type": "WEB",
"url": "https://github.com/Fcmam5/skilleton/pull/9/changes/6613160803ec8655efee9a270eeaa767ad22da8b"
},
{
"type": "PACKAGE",
"url": "https://github.com/Fcmam5/skilleton"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "skilleton has improper input handling in repository/path processing"
}
GHSA-5J4C-8P2G-V4JX
Vulnerability from github – Published: 2024-10-15 18:30 – Updated: 2024-10-24 18:42The ReDoS can be exploited through the parseHTML function in the html-parser.ts file. This flaw allows attackers to slow down the application by providing specially crafted input that causes inefficient processing of regular expressions, leading to excessive resource consumption.
To demonstrate this vulnerability, here's an example. In a Vue client-side application, create a new Vue instance with a template string that includes a <script> tag but closes it incorrectly with something like </textarea>.
new Vue({
el: '#app',
template: '
<div>
Hello, world!
<script>${'<'.repeat(1000000)}</textarea>
</div>'
});
Next, set up a basic HTML page (e.g., index.html) to load this JavaScript and mount the Vue instance:
<!DOCTYPE html>
<html>
<head>
<title>My first Vue app</title>
</head>
<body>
<div id=\"app\">Loading...</div>
</body>
</html>
When you visit the app in your browser at http://localhost:3000, you'll notice that the time taken to parse and mount the Vue application increases significantly due to the ReDoS vulnerability, demonstrating how the flaw can affect performance.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "vue"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0-alpha.1"
},
{
"fixed": "3.0.0-alpha.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-9506"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2024-10-24T18:42:59Z",
"nvd_published_at": "2024-10-15T16:15:06Z",
"severity": "LOW"
},
"details": "The ReDoS can be exploited through the `parseHTML` function in the `html-parser.ts` file. This flaw allows attackers to slow down the application by providing specially crafted input that causes inefficient processing of regular expressions, leading to excessive resource consumption.\n\nTo demonstrate this vulnerability, here\u0027s an example. In a Vue client-side application, create a new Vue instance with a template string that includes a `\u003cscript\u003e` tag but closes it incorrectly with something like `\u003c/textarea\u003e`.\n\n```javascript\nnew Vue({\n el: \u0027#app\u0027,\n template: \u0027\n \u003cdiv\u003e\n Hello, world!\n \u003cscript\u003e${\u0027\u003c\u0027.repeat(1000000)}\u003c/textarea\u003e\n \u003c/div\u003e\u0027\n});\n```\nNext, set up a basic HTML page (e.g., index.html) to load this JavaScript and mount the Vue instance:\n\n```html\n\u003c!DOCTYPE html\u003e\n\u003chtml\u003e\n\u003chead\u003e\n \u003ctitle\u003eMy first Vue app\u003c/title\u003e\n\u003c/head\u003e\n\u003cbody\u003e\n \u003cdiv id=\\\"app\\\"\u003eLoading...\u003c/div\u003e\n\u003c/body\u003e\n\u003c/html\u003e\n```\n\nWhen you visit the app in your browser at http://localhost:3000, you\u0027ll notice that the time taken to parse and mount the Vue application increases significantly due to the ReDoS vulnerability, demonstrating how the flaw can affect performance.",
"id": "GHSA-5j4c-8p2g-v4jx",
"modified": "2024-10-24T18:42:59Z",
"published": "2024-10-15T18:30:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9506"
},
{
"type": "PACKAGE",
"url": "https://github.com/vuejs/core"
},
{
"type": "WEB",
"url": "https://www.herodevs.com/vulnerability-directory/cve-2024-9506"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "ReDoS vulnerability in vue package that is exploitable through inefficient regex evaluation in the parseHTML function"
}
GHSA-5JFM-FVC2-73XF
Vulnerability from github – Published: 2023-08-02 03:30 – Updated: 2024-04-04 06:29An issue has been discovered in GitLab CE/EE affecting all versions starting from 9.3 before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. A Regular Expression Denial of Service was possible via sending crafted payloads which use ProjectReferenceFilter to the preview_markdown endpoint.
{
"affected": [],
"aliases": [
"CVE-2023-3994"
],
"database_specific": {
"cwe_ids": [
"CWE-1333",
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-08-02T01:15:09Z",
"severity": "HIGH"
},
"details": "An issue has been discovered in GitLab CE/EE affecting all versions starting from 9.3 before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. A Regular Expression Denial of Service was possible via sending crafted payloads which use ProjectReferenceFilter to the preview_markdown endpoint.",
"id": "GHSA-5jfm-fvc2-73xf",
"modified": "2024-04-04T06:29:26Z",
"published": "2023-08-02T03:30:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3994"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/1963255"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/416225"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5JQP-885W-XJ32
Vulnerability from github – Published: 2022-11-10 12:01 – Updated: 2023-08-31 00:33An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the pymatgen PyPI package, when an attacker is able to supply arbitrary input to the GaussianInput.from_string method.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "pymatgen"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "2022.9.21"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-42964"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2022-11-10T18:55:00Z",
"nvd_published_at": "2022-11-09T20:15:00Z",
"severity": "MODERATE"
},
"details": "An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the pymatgen PyPI package, when an attacker is able to supply arbitrary input to the `GaussianInput.from_string` method.",
"id": "GHSA-5jqp-885w-xj32",
"modified": "2023-08-31T00:33:18Z",
"published": "2022-11-10T12:01:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42964"
},
{
"type": "WEB",
"url": "https://github.com/materialsproject/pymatgen/issues/2755"
},
{
"type": "PACKAGE",
"url": "https://github.com/materialsproject/pymatgen"
},
{
"type": "WEB",
"url": "https://research.jfrog.com/vulnerabilities/pymatgen-redos-xray-257184"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "pymatgen is vulnerable to Regular Expression Denial of Service (ReDoS)"
}
GHSA-5PGG-2G8V-P4X9
Vulnerability from github – Published: 2024-04-05 06:30 – Updated: 2025-09-19 15:23SheetJS Community Edition before 0.20.2 is vulnerable.to Regular Expression Denial of Service (ReDoS).
A non-vulnerable version cannot be found via npm, as the repository hosted on GitHub and the npm package xlsx are no longer maintained. Version 0.20.2 can be downloaded via https://cdn.sheetjs.com/.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c 0.20.2"
},
"package": {
"ecosystem": "npm",
"name": "xlsx"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-22363"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2024-04-08T13:47:03Z",
"nvd_published_at": "2024-04-05T06:15:10Z",
"severity": "HIGH"
},
"details": "SheetJS Community Edition before 0.20.2 is vulnerable.to Regular Expression Denial of Service (ReDoS).\n\nA non-vulnerable version cannot be found via npm, as the repository hosted on GitHub and the npm package `xlsx` are no longer maintained. Version 0.20.2 can be downloaded via https://cdn.sheetjs.com/.",
"id": "GHSA-5pgg-2g8v-p4x9",
"modified": "2025-09-19T15:23:24Z",
"published": "2024-04-05T06:30:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22363"
},
{
"type": "WEB",
"url": "https://cdn.sheetjs.com"
},
{
"type": "WEB",
"url": "https://cdn.sheetjs.com/advisories/CVE-2024-22363"
},
{
"type": "WEB",
"url": "https://cwe.mitre.org/data/definitions/1333.html"
},
{
"type": "PACKAGE",
"url": "https://git.sheetjs.com/sheetjs/sheetjs"
},
{
"type": "WEB",
"url": "https://git.sheetjs.com/sheetjs/sheetjs/src/tag/v0.20.2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "SheetJS Regular Expression Denial of Service (ReDoS)"
}
GHSA-5V2H-R2CX-5XGJ
Vulnerability from github – Published: 2022-01-14 21:04 – Updated: 2022-01-14 19:57Impact
What kind of vulnerability is it?
Denial of service.
The regular expression inline.reflinkSearch may cause catastrophic backtracking against some strings.
PoC is the following.
import * as marked from 'marked';
console.log(marked.parse(`[x]: x
\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](`));
Who is impacted?
Anyone who runs untrusted markdown through marked and does not use a worker with a time limit.
Patches
Has the problem been patched?
Yes
What versions should users upgrade to?
4.0.10
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
Do not run untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.
References
Are there any links users can visit to find out more?
- https://marked.js.org/using_advanced#workers
- https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS
For more information
If you have any questions or comments about this advisory:
- Open an issue in marked
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "marked"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.0.10"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-21681"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2022-01-14T19:57:17Z",
"nvd_published_at": "2022-01-14T17:15:00Z",
"severity": "HIGH"
},
"details": "### Impact\n\n_What kind of vulnerability is it?_\n\nDenial of service.\n\nThe regular expression `inline.reflinkSearch` may cause catastrophic backtracking against some strings.\nPoC is the following.\n\n```javascript\nimport * as marked from \u0027marked\u0027;\n\nconsole.log(marked.parse(`[x]: x\n\n\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](`));\n```\n\n_Who is impacted?_\n\nAnyone who runs untrusted markdown through marked and does not use a worker with a time limit.\n\n### Patches\n\n_Has the problem been patched?_\n\nYes\n\n_What versions should users upgrade to?_\n\n4.0.10\n\n### Workarounds\n\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\nDo not run untrusted markdown through marked or run marked on a [worker](https://marked.js.org/using_advanced#workers) thread and set a reasonable time limit to prevent draining resources.\n\n### References\n\n_Are there any links users can visit to find out more?_\n\n- https://marked.js.org/using_advanced#workers\n- https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n* Open an issue in [marked](https://github.com/markedjs/marked)\n",
"id": "GHSA-5v2h-r2cx-5xgj",
"modified": "2022-01-14T19:57:17Z",
"published": "2022-01-14T21:04:46Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/markedjs/marked/security/advisories/GHSA-5v2h-r2cx-5xgj"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21681"
},
{
"type": "WEB",
"url": "https://github.com/markedjs/marked/commit/8f806573a3f6c6b7a39b8cdb66ab5ebb8d55a5f5"
},
{
"type": "WEB",
"url": "https://github.com/markedjs/marked/commit/c4a3ccd344b6929afa8a1d50ac54a721e57012c0"
},
{
"type": "PACKAGE",
"url": "https://github.com/markedjs/marked"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AIXDMC3CSHYW3YWVSQOXAWLUYQHAO5UX"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Inefficient Regular Expression Complexity in marked"
}
GHSA-5X79-W82F-GW8W
Vulnerability from github – Published: 2022-12-13 17:43 – Updated: 2025-11-04 16:41Summary
Certain configurations of rails-html-sanitizer < 1.4.4 use an inefficient regular expression that is susceptible to excessive backtracking when attempting to sanitize certain SVG attributes. This may lead to a denial of service through CPU resource consumption.
Mitigation
Upgrade to rails-html-sanitizer >= 1.4.4.
Severity
The maintainers have evaluated this as High Severity 7.5 (CVSS3.1).
References
- CWE - CWE-1333: Inefficient Regular Expression Complexity (4.9)
- https://hackerone.com/reports/1684163
Credit
This vulnerability was responsibly reported by @ooooooo-q (https://github.com/ooooooo-q).
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "rails-html-sanitizer"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.4.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-23517"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2022-12-13T17:43:02Z",
"nvd_published_at": "2022-12-14T17:15:00Z",
"severity": "HIGH"
},
"details": "## Summary\n\nCertain configurations of rails-html-sanitizer `\u003c 1.4.4` use an inefficient regular expression that is susceptible to excessive backtracking when attempting to sanitize certain SVG attributes. This may lead to a denial of service through CPU resource consumption.\n\n\n## Mitigation\n\nUpgrade to rails-html-sanitizer `\u003e= 1.4.4`.\n\n\n## Severity\n\nThe maintainers have evaluated this as [High Severity 7.5 (CVSS3.1)](https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).\n\n\n## References\n\n- [CWE - CWE-1333: Inefficient Regular Expression Complexity (4.9)](https://cwe.mitre.org/data/definitions/1333.html)\n- https://hackerone.com/reports/1684163\n\n\n## Credit\n\nThis vulnerability was responsibly reported by @ooooooo-q (https://github.com/ooooooo-q).",
"id": "GHSA-5x79-w82f-gw8w",
"modified": "2025-11-04T16:41:23Z",
"published": "2022-12-13T17:43:02Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-5x79-w82f-gw8w"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23517"
},
{
"type": "WEB",
"url": "https://github.com/rails/rails-html-sanitizer/commit/56c61c0cebd1e493e8ad7bca2a0191609a4a6979"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/1684163"
},
{
"type": "PACKAGE",
"url": "https://github.com/rails/rails-html-sanitizer"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails-html-sanitizer/CVE-2022-23517.yml"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00012.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/09/msg00045.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Inefficient Regular Expression Complexity in rails-html-sanitizer"
}
Mitigation
Use regular expressions that do not support backtracking, e.g. by removing nested quantifiers.
Mitigation
Set backtracking limits in the configuration of the regular expression implementation, such as PHP's pcre.backtrack_limit. Also consider limits on execution time for the process.
Mitigation
Do not use regular expressions with untrusted input. If regular expressions must be used, avoid using backtracking in the expression.
Mitigation
Limit the length of the input that the regular expression will process.
CAPEC-492: Regular Expression Exponential Blowup
An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions.