Common Weakness Enumeration

CWE-1333

Allowed

Inefficient Regular Expression Complexity

Abstraction: Base · Status: Draft

The product uses a regular expression with a worst-case computational complexity that is inefficient and possibly exponential.

732 vulnerabilities reference this CWE, most recent first.

GHSA-593F-38F6-JP5M

Vulnerability from github – Published: 2025-02-12 19:23 – Updated: 2025-02-12 19:23
VLAI
Summary
Inefficient Regular Expression Complexity in koa
Details

Summary

Koa uses an evil regex to parse the X-Forwarded-Proto and X-Forwarded-Host HTTP headers. This can be exploited to carry out a Denial-of-Service attack.

PoC

Coming soon.

Impact

This is a Regex Denial-of-Service attack and causes memory exhaustion. The regex should be improved and empty values should not be allowed.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "koa"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.15.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "koa"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0-alpha.0"
            },
            {
              "fixed": "3.0.0-alpha.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "koa"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.0.0"
            },
            {
              "fixed": "1.7.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "koa"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.21.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-25200"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-02-12T19:23:09Z",
    "nvd_published_at": "2025-02-12T18:15:28Z",
    "severity": "CRITICAL"
  },
  "details": "### Summary\nKoa uses an evil regex to parse the `X-Forwarded-Proto` and `X-Forwarded-Host` HTTP headers. This can be exploited to carry out a Denial-of-Service attack.\n\n### PoC\n\nComing soon.\n\n### Impact\nThis is a Regex Denial-of-Service attack and causes memory exhaustion. The regex should be improved and empty values should not be allowed.",
  "id": "GHSA-593f-38f6-jp5m",
  "modified": "2025-02-12T19:23:09Z",
  "published": "2025-02-12T19:23:09Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/koajs/koa/security/advisories/GHSA-593f-38f6-jp5m"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-25200"
    },
    {
      "type": "WEB",
      "url": "https://github.com/koajs/koa/commit/5054af6e31ffd451a4151a1fe144cef6e5d0d83c"
    },
    {
      "type": "WEB",
      "url": "https://github.com/koajs/koa/commit/5f294bb1c7c8d9c61904378d250439a321bffd32"
    },
    {
      "type": "WEB",
      "url": "https://github.com/koajs/koa/commit/93fe903fc966635a991bcf890cfc3427d33a1a08"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/koajs/koa"
    },
    {
      "type": "WEB",
      "url": "https://github.com/koajs/koa/releases/tag/2.15.4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Inefficient Regular Expression Complexity in koa"
}

GHSA-5943-48F3-6WX5

Vulnerability from github – Published: 2024-04-26 06:30 – Updated: 2026-02-23 12:31
VLAI
Details

Denial of service condition in M-Files Server in versions before 24.4.13592.4 and after 23.11 (excluding 24.2 LTS) allows unauthenticated user to consume computing resources.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-4056"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333",
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-26T06:15:06Z",
    "severity": "HIGH"
  },
  "details": "Denial of service condition in M-Files Server in versions before 24.4.13592.4\u00a0and after 23.11 (excluding 24.2 LTS) allows unauthenticated user to consume computing resources.",
  "id": "GHSA-5943-48f3-6wx5",
  "modified": "2026-02-23T12:31:28Z",
  "published": "2024-04-26T06:30:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4056"
    },
    {
      "type": "WEB",
      "url": "https://empower.m-files.com/security-advisories/CVE-2024-4056"
    },
    {
      "type": "WEB",
      "url": "https://product.m-files.com/security-advisories/cve-2024-4056"
    },
    {
      "type": "WEB",
      "url": "https://www.m-files.com/about/trust-center/security-advisories/cve-2024-4056"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-59P9-H35M-WG4G

Vulnerability from github – Published: 2025-09-12 12:30 – Updated: 2025-09-15 13:57
VLAI
Summary
Hugging Face Transformers is vulnerable to ReDoS through its MarianTokenizer
Details

A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically affecting the MarianTokenizer's remove_language_code() method. This vulnerability is present in version 4.52.4 and has been fixed in version 4.53.0. The issue arises from inefficient regex processing, which can be exploited by crafted input strings containing malformed language code patterns, leading to excessive CPU consumption and potential denial of service.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "transformers"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.53.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-6638"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-09-15T13:57:49Z",
    "nvd_published_at": "2025-09-12T11:15:31Z",
    "severity": "MODERATE"
  },
  "details": "A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically affecting the MarianTokenizer\u0027s `remove_language_code()` method. This vulnerability is present in version 4.52.4 and has been fixed in version 4.53.0. The issue arises from inefficient regex processing, which can be exploited by crafted input strings containing malformed language code patterns, leading to excessive CPU consumption and potential denial of service.",
  "id": "GHSA-59p9-h35m-wg4g",
  "modified": "2025-09-15T13:57:49Z",
  "published": "2025-09-12T12:30:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6638"
    },
    {
      "type": "WEB",
      "url": "https://github.com/huggingface/transformers/commit/47c34fba5c303576560cb29767efb452ff12b8be"
    },
    {
      "type": "WEB",
      "url": "https://github.com/huggingface/transformers/commit/d37f7517972f67e3f2194c000ed0f87f064e5099"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/huggingface/transformers"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/6a6c933f-9ce8-4ded-8b3b-2c1444c61f36"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Hugging Face Transformers is vulnerable to ReDoS through its MarianTokenizer"
}

GHSA-5G3J-89FR-R2VP

Vulnerability from github – Published: 2026-04-08 00:07 – Updated: 2026-04-08 00:07
VLAI
Summary
skilleton has improper input handling in repository/path processing
Details

Summary

skilleton versions prior to 0.3.1 include security-related weaknesses in repository normalization and path handling logic.
Version 0.3.1 contains fixes and additional test coverage for these issues.

Affected Versions

<0.3.1

Patched Versions

>=0.3.1

Impact

In affected versions, crafted input could trigger unsafe or inefficient behavior in repository/path processing code paths.
0.3.1 mitigates this by: - replacing vulnerable parsing behavior with deterministic logic, - validating subpaths earlier before allocating git worktree resources, - adding stricter and broader regression tests around these flows.

Severity

Low to Moderate (project-maintainer assessed)

Mitigation

Upgrade to 0.3.1 or later.

Workarounds

No complete workaround is recommended other than upgrading.

References

Credits

Detected through automated code scanning and remediated by project maintainers.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "skilleton"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.3.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333",
      "CWE-400",
      "CWE-78",
      "CWE-88"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-08T00:07:36Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "## Summary\n\n`skilleton` versions prior to `0.3.1` include security-related weaknesses in repository normalization and path handling logic.  \nVersion `0.3.1` contains fixes and additional test coverage for these issues.\n\n## Affected Versions\n\n`\u003c0.3.1`\n\n## Patched Versions\n\n`\u003e=0.3.1`\n\n## Impact\n\nIn affected versions, crafted input could trigger unsafe or inefficient behavior in repository/path processing code paths.  \n`0.3.1` mitigates this by:\n- replacing vulnerable parsing behavior with deterministic logic,\n- validating subpaths earlier before allocating git worktree resources,\n- adding stricter and broader regression tests around these flows.\n\n## Severity\n\nLow to Moderate (project-maintainer assessed)\n\n## Mitigation\n\nUpgrade to `0.3.1` or later.\n\n## Workarounds\n\nNo complete workaround is recommended other than upgrading.\n\n## References\n\n- Branch: [`fix/security-code-scanning-alerts`](https://github.com/Fcmam5/skilleton/pull/9)\n- Commits:\n  - [fix(security): harden git arg handling and path validation](https://github.com/Fcmam5/skilleton/pull/9/changes/42bc280ad675bfaa7b1bbc192330fb582bb28172)\n  - [fix(security): use while loop in normalizeRepoUrl instead of regex](https://github.com/Fcmam5/skilleton/pull/9/changes/6613160803ec8655efee9a270eeaa767ad22da8b)\n- Security Policy: [SECURITY.md](https://github.com/Fcmam5/skilleton/blob/master/SECURITY.md)\n\n## Credits\n\nDetected through automated code scanning and remediated by project maintainers.",
  "id": "GHSA-5g3j-89fr-r2vp",
  "modified": "2026-04-08T00:07:36Z",
  "published": "2026-04-08T00:07:36Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Fcmam5/skilleton/security/advisories/GHSA-5g3j-89fr-r2vp"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Fcmam5/skilleton/pull/9/changes/42bc280ad675bfaa7b1bbc192330fb582bb28172"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Fcmam5/skilleton/pull/9/changes/6613160803ec8655efee9a270eeaa767ad22da8b"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Fcmam5/skilleton"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "skilleton has improper input handling in repository/path processing"
}

GHSA-5J4C-8P2G-V4JX

Vulnerability from github – Published: 2024-10-15 18:30 – Updated: 2024-10-24 18:42
VLAI
Summary
ReDoS vulnerability in vue package that is exploitable through inefficient regex evaluation in the parseHTML function
Details

The ReDoS can be exploited through the parseHTML function in the html-parser.ts file. This flaw allows attackers to slow down the application by providing specially crafted input that causes inefficient processing of regular expressions, leading to excessive resource consumption.

To demonstrate this vulnerability, here's an example. In a Vue client-side application, create a new Vue instance with a template string that includes a <script> tag but closes it incorrectly with something like </textarea>.

new Vue({
  el: '#app',
  template: '
    <div>
      Hello, world!
      <script>${'<'.repeat(1000000)}</textarea>
    </div>'
});

Next, set up a basic HTML page (e.g., index.html) to load this JavaScript and mount the Vue instance:

<!DOCTYPE html>
<html>
<head>
  <title>My first Vue app</title>
</head>
<body>
  <div id=\"app\">Loading...</div>
</body>
</html>

When you visit the app in your browser at http://localhost:3000, you'll notice that the time taken to parse and mount the Vue application increases significantly due to the ReDoS vulnerability, demonstrating how the flaw can affect performance.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "vue"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0-alpha.1"
            },
            {
              "fixed": "3.0.0-alpha.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-9506"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-10-24T18:42:59Z",
    "nvd_published_at": "2024-10-15T16:15:06Z",
    "severity": "LOW"
  },
  "details": "The ReDoS can be exploited through the `parseHTML` function in the `html-parser.ts` file. This flaw allows attackers to slow down the application by providing specially crafted input that causes inefficient processing of regular expressions, leading to excessive resource consumption.\n\nTo demonstrate this vulnerability, here\u0027s an example. In a Vue client-side application, create a new Vue instance with a template string that includes a `\u003cscript\u003e` tag but closes it incorrectly with something like `\u003c/textarea\u003e`.\n\n```javascript\nnew Vue({\n  el: \u0027#app\u0027,\n  template: \u0027\n    \u003cdiv\u003e\n      Hello, world!\n      \u003cscript\u003e${\u0027\u003c\u0027.repeat(1000000)}\u003c/textarea\u003e\n    \u003c/div\u003e\u0027\n});\n```\nNext, set up a basic HTML page (e.g., index.html) to load this JavaScript and mount the Vue instance:\n\n```html\n\u003c!DOCTYPE html\u003e\n\u003chtml\u003e\n\u003chead\u003e\n  \u003ctitle\u003eMy first Vue app\u003c/title\u003e\n\u003c/head\u003e\n\u003cbody\u003e\n  \u003cdiv id=\\\"app\\\"\u003eLoading...\u003c/div\u003e\n\u003c/body\u003e\n\u003c/html\u003e\n```\n\nWhen you visit the app in your browser at http://localhost:3000, you\u0027ll notice that the time taken to parse and mount the Vue application increases significantly due to the ReDoS vulnerability, demonstrating how the flaw can affect performance.",
  "id": "GHSA-5j4c-8p2g-v4jx",
  "modified": "2024-10-24T18:42:59Z",
  "published": "2024-10-15T18:30:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9506"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/vuejs/core"
    },
    {
      "type": "WEB",
      "url": "https://www.herodevs.com/vulnerability-directory/cve-2024-9506"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "ReDoS vulnerability in vue package that is exploitable through inefficient regex evaluation in the parseHTML function"
}

GHSA-5JFM-FVC2-73XF

Vulnerability from github – Published: 2023-08-02 03:30 – Updated: 2024-04-04 06:29
VLAI
Details

An issue has been discovered in GitLab CE/EE affecting all versions starting from 9.3 before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. A Regular Expression Denial of Service was possible via sending crafted payloads which use ProjectReferenceFilter to the preview_markdown endpoint.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-3994"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333",
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-08-02T01:15:09Z",
    "severity": "HIGH"
  },
  "details": "An issue has been discovered in GitLab CE/EE affecting all versions starting from 9.3 before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. A Regular Expression Denial of Service was possible via sending crafted payloads which use ProjectReferenceFilter to the preview_markdown endpoint.",
  "id": "GHSA-5jfm-fvc2-73xf",
  "modified": "2024-04-04T06:29:26Z",
  "published": "2023-08-02T03:30:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3994"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/1963255"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/416225"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5JQP-885W-XJ32

Vulnerability from github – Published: 2022-11-10 12:01 – Updated: 2023-08-31 00:33
VLAI
Summary
pymatgen is vulnerable to Regular Expression Denial of Service (ReDoS)
Details

An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the pymatgen PyPI package, when an attacker is able to supply arbitrary input to the GaussianInput.from_string method.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "pymatgen"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "2022.9.21"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-42964"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-11-10T18:55:00Z",
    "nvd_published_at": "2022-11-09T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the pymatgen PyPI package, when an attacker is able to supply arbitrary input to the `GaussianInput.from_string` method.",
  "id": "GHSA-5jqp-885w-xj32",
  "modified": "2023-08-31T00:33:18Z",
  "published": "2022-11-10T12:01:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42964"
    },
    {
      "type": "WEB",
      "url": "https://github.com/materialsproject/pymatgen/issues/2755"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/materialsproject/pymatgen"
    },
    {
      "type": "WEB",
      "url": "https://research.jfrog.com/vulnerabilities/pymatgen-redos-xray-257184"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "pymatgen is vulnerable to Regular Expression Denial of Service (ReDoS)"
}

GHSA-5PGG-2G8V-P4X9

Vulnerability from github – Published: 2024-04-05 06:30 – Updated: 2025-09-19 15:23
VLAI
Summary
SheetJS Regular Expression Denial of Service (ReDoS)
Details

SheetJS Community Edition before 0.20.2 is vulnerable.to Regular Expression Denial of Service (ReDoS).

A non-vulnerable version cannot be found via npm, as the repository hosted on GitHub and the npm package xlsx are no longer maintained. Version 0.20.2 can be downloaded via https://cdn.sheetjs.com/.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 0.20.2"
      },
      "package": {
        "ecosystem": "npm",
        "name": "xlsx"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-22363"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-08T13:47:03Z",
    "nvd_published_at": "2024-04-05T06:15:10Z",
    "severity": "HIGH"
  },
  "details": "SheetJS Community Edition before 0.20.2 is vulnerable.to Regular Expression Denial of Service (ReDoS).\n\nA non-vulnerable version cannot be found via npm, as the repository hosted on GitHub and the npm package `xlsx` are no longer maintained. Version 0.20.2 can be downloaded via https://cdn.sheetjs.com/.",
  "id": "GHSA-5pgg-2g8v-p4x9",
  "modified": "2025-09-19T15:23:24Z",
  "published": "2024-04-05T06:30:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22363"
    },
    {
      "type": "WEB",
      "url": "https://cdn.sheetjs.com"
    },
    {
      "type": "WEB",
      "url": "https://cdn.sheetjs.com/advisories/CVE-2024-22363"
    },
    {
      "type": "WEB",
      "url": "https://cwe.mitre.org/data/definitions/1333.html"
    },
    {
      "type": "PACKAGE",
      "url": "https://git.sheetjs.com/sheetjs/sheetjs"
    },
    {
      "type": "WEB",
      "url": "https://git.sheetjs.com/sheetjs/sheetjs/src/tag/v0.20.2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "SheetJS Regular Expression Denial of Service (ReDoS)"
}

GHSA-5V2H-R2CX-5XGJ

Vulnerability from github – Published: 2022-01-14 21:04 – Updated: 2022-01-14 19:57
VLAI
Summary
Inefficient Regular Expression Complexity in marked
Details

Impact

What kind of vulnerability is it?

Denial of service.

The regular expression inline.reflinkSearch may cause catastrophic backtracking against some strings. PoC is the following.

import * as marked from 'marked';

console.log(marked.parse(`[x]: x

\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](`));

Who is impacted?

Anyone who runs untrusted markdown through marked and does not use a worker with a time limit.

Patches

Has the problem been patched?

Yes

What versions should users upgrade to?

4.0.10

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

Do not run untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.

References

Are there any links users can visit to find out more?

  • https://marked.js.org/using_advanced#workers
  • https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS

For more information

If you have any questions or comments about this advisory:

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "marked"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.0.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-21681"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-01-14T19:57:17Z",
    "nvd_published_at": "2022-01-14T17:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\n_What kind of vulnerability is it?_\n\nDenial of service.\n\nThe regular expression `inline.reflinkSearch` may cause catastrophic backtracking against some strings.\nPoC is the following.\n\n```javascript\nimport * as marked from \u0027marked\u0027;\n\nconsole.log(marked.parse(`[x]: x\n\n\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](`));\n```\n\n_Who is impacted?_\n\nAnyone who runs untrusted markdown through marked and does not use a worker with a time limit.\n\n### Patches\n\n_Has the problem been patched?_\n\nYes\n\n_What versions should users upgrade to?_\n\n4.0.10\n\n### Workarounds\n\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\nDo not run untrusted markdown through marked or run marked on a [worker](https://marked.js.org/using_advanced#workers) thread and set a reasonable time limit to prevent draining resources.\n\n### References\n\n_Are there any links users can visit to find out more?_\n\n- https://marked.js.org/using_advanced#workers\n- https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n* Open an issue in [marked](https://github.com/markedjs/marked)\n",
  "id": "GHSA-5v2h-r2cx-5xgj",
  "modified": "2022-01-14T19:57:17Z",
  "published": "2022-01-14T21:04:46Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/markedjs/marked/security/advisories/GHSA-5v2h-r2cx-5xgj"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21681"
    },
    {
      "type": "WEB",
      "url": "https://github.com/markedjs/marked/commit/8f806573a3f6c6b7a39b8cdb66ab5ebb8d55a5f5"
    },
    {
      "type": "WEB",
      "url": "https://github.com/markedjs/marked/commit/c4a3ccd344b6929afa8a1d50ac54a721e57012c0"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/markedjs/marked"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AIXDMC3CSHYW3YWVSQOXAWLUYQHAO5UX"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Inefficient Regular Expression Complexity in marked"
}

GHSA-5X79-W82F-GW8W

Vulnerability from github – Published: 2022-12-13 17:43 – Updated: 2025-11-04 16:41
VLAI
Summary
Inefficient Regular Expression Complexity in rails-html-sanitizer
Details

Summary

Certain configurations of rails-html-sanitizer < 1.4.4 use an inefficient regular expression that is susceptible to excessive backtracking when attempting to sanitize certain SVG attributes. This may lead to a denial of service through CPU resource consumption.

Mitigation

Upgrade to rails-html-sanitizer >= 1.4.4.

Severity

The maintainers have evaluated this as High Severity 7.5 (CVSS3.1).

References

Credit

This vulnerability was responsibly reported by @ooooooo-q (https://github.com/ooooooo-q).

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "rails-html-sanitizer"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.4.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-23517"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-12-13T17:43:02Z",
    "nvd_published_at": "2022-12-14T17:15:00Z",
    "severity": "HIGH"
  },
  "details": "## Summary\n\nCertain configurations of rails-html-sanitizer `\u003c 1.4.4` use an inefficient regular expression that is susceptible to excessive backtracking when attempting to sanitize certain SVG attributes. This may lead to a denial of service through CPU resource consumption.\n\n\n## Mitigation\n\nUpgrade to rails-html-sanitizer `\u003e= 1.4.4`.\n\n\n## Severity\n\nThe maintainers have evaluated this as [High Severity 7.5 (CVSS3.1)](https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).\n\n\n## References\n\n- [CWE - CWE-1333: Inefficient Regular Expression Complexity (4.9)](https://cwe.mitre.org/data/definitions/1333.html)\n- https://hackerone.com/reports/1684163\n\n\n## Credit\n\nThis vulnerability was responsibly reported by @ooooooo-q (https://github.com/ooooooo-q).",
  "id": "GHSA-5x79-w82f-gw8w",
  "modified": "2025-11-04T16:41:23Z",
  "published": "2022-12-13T17:43:02Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-5x79-w82f-gw8w"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23517"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rails/rails-html-sanitizer/commit/56c61c0cebd1e493e8ad7bca2a0191609a4a6979"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/1684163"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/rails/rails-html-sanitizer"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails-html-sanitizer/CVE-2022-23517.yml"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00012.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/09/msg00045.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Inefficient Regular Expression Complexity in rails-html-sanitizer"
}

Mitigation
Architecture and Design

Use regular expressions that do not support backtracking, e.g. by removing nested quantifiers.

Mitigation
System Configuration

Set backtracking limits in the configuration of the regular expression implementation, such as PHP's pcre.backtrack_limit. Also consider limits on execution time for the process.

Mitigation
Implementation

Do not use regular expressions with untrusted input. If regular expressions must be used, avoid using backtracking in the expression.

Mitigation
Implementation

Limit the length of the input that the regular expression will process.

CAPEC-492: Regular Expression Exponential Blowup

An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions.