CWE-1333
AllowedInefficient Regular Expression Complexity
Abstraction: Base · Status: Draft
The product uses a regular expression with a worst-case computational complexity that is inefficient and possibly exponential.
732 vulnerabilities reference this CWE, most recent first.
GHSA-73W2-5F6G-JX42
Vulnerability from github – Published: 2023-07-13 03:30 – Updated: 2024-04-04 06:06An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.3 before 15.11.10, all versions starting from 16.0 before 16.0.6, all versions starting from 16.1 before 16.1.1. A Regular Expression Denial of Service was possible via sending crafted payloads to the preview_markdown endpoint.
{
"affected": [],
"aliases": [
"CVE-2023-3424"
],
"database_specific": {
"cwe_ids": [
"CWE-1333",
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-07-13T03:15:10Z",
"severity": "HIGH"
},
"details": "An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.3 before 15.11.10, all versions starting from 16.0 before 16.0.6, all versions starting from 16.1 before 16.1.1. A Regular Expression Denial of Service was possible via sending crafted payloads to the preview_markdown endpoint.",
"id": "GHSA-73w2-5f6g-jx42",
"modified": "2024-04-04T06:06:32Z",
"published": "2023-07-13T03:30:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3424"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/1960970"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/409802"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-7599-FQGM-V84P
Vulnerability from github – Published: 2022-12-31 21:30 – Updated: 2023-01-10 16:10A vulnerability was found in rgb2hex up to 0.1.5. It has been rated as problematic. This issue affects some unknown processing. The manipulation leads to inefficient regular expression complexity. The attack may be initiated remotely. Upgrading to version 0.1.6 can address this issue. The name of the patch is 9e0c38594432edfa64136fdf7bb651835e17c34f. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-217151.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "rgb2hex"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.1.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2018-25061"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2023-01-04T14:26:40Z",
"nvd_published_at": "2022-12-31T20:15:00Z",
"severity": "HIGH"
},
"details": "A vulnerability was found in rgb2hex up to 0.1.5. It has been rated as problematic. This issue affects some unknown processing. The manipulation leads to inefficient regular expression complexity. The attack may be initiated remotely. Upgrading to version 0.1.6 can address this issue. The name of the patch is 9e0c38594432edfa64136fdf7bb651835e17c34f. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-217151.",
"id": "GHSA-7599-fqgm-v84p",
"modified": "2023-01-10T16:10:03Z",
"published": "2022-12-31T21:30:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-25061"
},
{
"type": "WEB",
"url": "https://github.com/christian-bromann/rgb2hex/commit/9e0c38594432edfa64136fdf7bb651835e17c34f"
},
{
"type": "PACKAGE",
"url": "https://github.com/christian-bromann/rgb2hex"
},
{
"type": "WEB",
"url": "https://github.com/christian-bromann/rgb2hex/releases/tag/v0.1.6"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.217151"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.217151"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "rgb2hex vulnerable to inefficient regular expression complexity"
}
GHSA-762F-C2WG-M8C8
Vulnerability from github – Published: 2018-10-09 00:27 – Updated: 2023-04-11 00:32Versions of protobufjs before 5.0.3 and 6.8.6 are vulnerable to a regular expression denial of service when parsing crafted invalid *.proto files.
Recommendation
Update to version 5.0.3, 6.8.6 or later.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "protobufjs"
},
"ranges": [
{
"events": [
{
"introduced": "6.0.0"
},
{
"fixed": "6.8.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "protobufjs"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.0.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2018-3738"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2020-06-16T21:21:32Z",
"nvd_published_at": "2018-06-07T02:29:00Z",
"severity": "MODERATE"
},
"details": "Versions of `protobufjs` before 5.0.3 and 6.8.6 are vulnerable to a regular expression denial of service when parsing crafted invalid *.proto files.\n\n\n## Recommendation\n\nUpdate to version 5.0.3, 6.8.6 or later.",
"id": "GHSA-762f-c2wg-m8c8",
"modified": "2023-04-11T00:32:09Z",
"published": "2018-10-09T00:27:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-3738"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/319576"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-762f-c2wg-m8c8"
},
{
"type": "WEB",
"url": "https://github.com/dcodeIO/protobuf.js/blob/6.8.5/src/parse.js#L27"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/advisories/605"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Denial of Service in protobufjs"
}
GHSA-785G-R934-C877
Vulnerability from github – Published: 2025-05-02 21:30 – Updated: 2025-06-12 03:30A vulnerability was found in gorhill uBlock Origin up to 1.63.3b16. It has been classified as problematic. Affected is the function currentStateChanged of the file src/js/1p-filters.js of the component UI. The manipulation leads to inefficient regular expression complexity. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 1.63.3b17 is able to address this issue. The patch is identified as eaedaf5b10d2f7857c6b77fbf7d4a80681d4d46c. It is recommended to upgrade the affected component.
{
"affected": [],
"aliases": [
"CVE-2025-4215"
],
"database_specific": {
"cwe_ids": [
"CWE-1333",
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-02T21:15:23Z",
"severity": "LOW"
},
"details": "A vulnerability was found in gorhill uBlock Origin up to 1.63.3b16. It has been classified as problematic. Affected is the function currentStateChanged of the file src/js/1p-filters.js of the component UI. The manipulation leads to inefficient regular expression complexity. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 1.63.3b17 is able to address this issue. The patch is identified as eaedaf5b10d2f7857c6b77fbf7d4a80681d4d46c. It is recommended to upgrade the affected component.",
"id": "GHSA-785g-r934-c877",
"modified": "2025-06-12T03:30:25Z",
"published": "2025-05-02T21:30:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4215"
},
{
"type": "WEB",
"url": "https://github.com/gorhill/uBlock/commit/eaedaf5b10d2f7857c6b77fbf7d4a80681d4d46c"
},
{
"type": "WEB",
"url": "https://github.com/gorhill/uBlock/releases/tag/1.63.3b17"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/06/msg00013.html"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.307194"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.307194"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.562301"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-78HM-5HJW-58MH
Vulnerability from github – Published: 2024-06-07 22:14 – Updated: 2024-06-07 22:15A regex expression in ua-parser/uap-php could lead to a ReDoS vulnerability in versions prior to 3.8.0.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "ua-parser/uap-php"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.8.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2024-06-07T22:14:49Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "A regex expression in ua-parser/uap-php could lead to a ReDoS vulnerability in versions prior to 3.8.0.",
"id": "GHSA-78hm-5hjw-58mh",
"modified": "2024-06-07T22:15:42Z",
"published": "2024-06-07T22:14:49Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/ua-parser/uap-core/pull/363"
},
{
"type": "WEB",
"url": "https://github.com/ua-parser/uap-core/commit/156f7e12b215bddbaf3df4514c399d683e6cdadc"
},
{
"type": "WEB",
"url": "https://github.com/ua-parser/uap-php/commit/947f80b39130c83a3d1c75900ac1b58828ed8aef"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/ua-parser/uap-php/2018-12-14.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/ua-parser/uap-php"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "ua-parser/uap-php ReDoS vulnerability"
}
GHSA-798H-G4J5-5537
Vulnerability from github – Published: 2023-01-11 15:30 – Updated: 2025-06-16 14:03Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-qvjc-g5vr-mfgr. This link is maintained to preserve external references.
Original Description
A vulnerability was found in mholt PapaParse up to 5.1.x. It has been classified as problematic. Affected is an unknown function of the file papaparse.js. The manipulation leads to inefficient regular expression complexity. Upgrading to version 5.2.0 is able to address this issue. The name of the patch is 235a12758cd77266d2e98fd715f53536b34ad621. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-218004.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "papaparse"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.2.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2023-01-12T20:51:49Z",
"nvd_published_at": "2023-01-11T15:15:00Z",
"severity": "HIGH"
},
"details": "## Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-qvjc-g5vr-mfgr. This link is maintained to preserve external references.\n\n## Original Description\nA vulnerability was found in mholt PapaParse up to 5.1.x. It has been classified as problematic. Affected is an unknown function of the file papaparse.js. The manipulation leads to inefficient regular expression complexity. Upgrading to version 5.2.0 is able to address this issue. The name of the patch is 235a12758cd77266d2e98fd715f53536b34ad621. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-218004.",
"id": "GHSA-798h-g4j5-5537",
"modified": "2025-06-16T14:03:06Z",
"published": "2023-01-11T15:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36649"
},
{
"type": "WEB",
"url": "https://github.com/mholt/PapaParse/issues/777"
},
{
"type": "WEB",
"url": "https://github.com/mholt/PapaParse/pull/779"
},
{
"type": "WEB",
"url": "https://github.com/mholt/PapaParse/commit/235a12758cd77266d2e98fd715f53536b34ad621"
},
{
"type": "PACKAGE",
"url": "https://github.com/mholt/PapaParse"
},
{
"type": "WEB",
"url": "https://github.com/mholt/PapaParse/releases/tag/5.2.0"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.218004"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.218004"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Duplicate Advisory: PapaParse Inefficient Regular Expression Complexity vulnerability",
"withdrawn": "2025-06-16T14:03:06Z"
}
GHSA-79VF-HF9F-J9Q8
Vulnerability from github – Published: 2025-06-09 21:30 – Updated: 2025-06-09 23:10A vulnerability was found in vuejs vue-cli up to 5.0.8. It has been rated as problematic. This issue affects the function HtmlPwaPlugin of the file packages/@vue/cli-plugin-pwa/lib/HtmlPwaPlugin.js of the component Markdown Code Handler. The manipulation leads to inefficient regular expression complexity. The attack may be initiated remotely.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@vue/cli-plugin-pwa"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "5.0.8"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-5897"
],
"database_specific": {
"cwe_ids": [
"CWE-1333",
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2025-06-09T23:10:40Z",
"nvd_published_at": "2025-06-09T21:15:47Z",
"severity": "MODERATE"
},
"details": "A vulnerability was found in vuejs vue-cli up to 5.0.8. It has been rated as problematic. This issue affects the function HtmlPwaPlugin of the file packages/@vue/cli-plugin-pwa/lib/HtmlPwaPlugin.js of the component Markdown Code Handler. The manipulation leads to inefficient regular expression complexity. The attack may be initiated remotely.",
"id": "GHSA-79vf-hf9f-j9q8",
"modified": "2025-06-09T23:10:40Z",
"published": "2025-06-09T21:30:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-5897"
},
{
"type": "WEB",
"url": "https://github.com/vuejs/vue-cli/pull/7478"
},
{
"type": "PACKAGE",
"url": "https://github.com/vuejs/vue-cli"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.311669"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.311669"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.585798"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "@vue/cli-plugin-pwa Regular Expression Denial of Service vulnerability"
}
GHSA-79WJ-68R3-H5HV
Vulnerability from github – Published: 2025-08-18 15:30 – Updated: 2025-08-18 15:30IBM Concert Software 1.0.0 through 1.1.0 could allow a remote attacker to cause a denial of service using a specially crafted regular expression that would cause excessive resource consumption.
{
"affected": [],
"aliases": [
"CVE-2025-33090"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-18T14:15:28Z",
"severity": "HIGH"
},
"details": "IBM Concert Software 1.0.0 through 1.1.0 could allow a remote attacker to cause a denial of service using a specially crafted regular expression that would cause excessive resource consumption.",
"id": "GHSA-79wj-68r3-h5hv",
"modified": "2025-08-18T15:30:32Z",
"published": "2025-08-18T15:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-33090"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7242354"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-7C9G-VJ9M-8PM6
Vulnerability from github – Published: 2024-02-28 00:31 – Updated: 2024-04-16 16:10Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-cc65-xxvf-f7r9. This link is maintained to preserve external references.
Original Description
Parts of the Scrapy API were found to be vulnerable to a ReDoS attack. Handling a malicious response could cause extreme CPU and memory usage during the parsing of its content, due to the use of vulnerable regular expressions for that parsing.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "scrapy"
},
"ranges": [
{
"events": [
{
"introduced": "2"
},
{
"fixed": "2.11.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "scrapy"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.8.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2024-04-16T16:10:38Z",
"nvd_published_at": "2024-02-28T00:15:53Z",
"severity": "HIGH"
},
"details": "## Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-cc65-xxvf-f7r9. This link is maintained to preserve external references.\n\n## Original Description\nParts of the Scrapy API were found to be vulnerable to a ReDoS attack. Handling a malicious response could cause extreme CPU and memory usage during the parsing of its content, due to the use of vulnerable regular expressions for that parsing.",
"id": "GHSA-7c9g-vj9m-8pm6",
"modified": "2024-04-16T16:10:38Z",
"published": "2024-02-28T00:31:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1892"
},
{
"type": "WEB",
"url": "https://github.com/scrapy/scrapy/commit/479619b340f197a8f24c5db45bc068fb8755f2c5"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/271f94f2-1e05-4616-ac43-41752389e26b"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Duplicate Advisory: ReDos vulnerability of XMLFeedSpider",
"withdrawn": "2024-04-16T16:10:38Z"
}
GHSA-7CMJ-V6X8-FRVV
Vulnerability from github – Published: 2026-07-09 13:43 – Updated: 2026-07-09 13:43Summary
All implementations of FHIRPathEngine accept arbitrary FHIRPath expressions and evaluate them without input validation. The utility intended to secure this evaluation did so incorrectly, and did not fully cover all places in which evaluation was being done. An attacker can send a resource containing an evil regex pattern that causes catastrophic backtracking, exhausting system resources, and causing Denial-of-Service.
Details
The vulnerability exists in regex execution in FHIRPathEngine implementations across multiple code modules. The FHIRPath functions matches(), matchesFull(), and replaceMatches() pass user-controlled regular expressions to Java's Pattern.compile() and String.replaceAll() through a utility class designed to time out after a specified interval. That utility correctly cancelled a single executor thread and returned with an exception, but the execution within the thread had no means to listen for this cancellation and would persist. Furthermore, three modules contained method calls in FHIRPathEngine that were not protected by this utility class.
Why this is exploitable:
Java's Pattern.compile() with a pattern like (a+)+$ against input "aaaaaaaaaaaaaaaaaaaaaa!" causes exponential backtracking (O(2^n) time complexity).
Impact
CPU Exhaustion: The exponential backtracking in Java's regex engine consumes 100% of a CPU core for the duration of the hang (effectively infinite for sufficiently long input strings) for callers of FHIRPathEngine.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "ca.uhn.hapi.fhir:org.hl7.fhir.dstu2"
},
"ranges": [
{
"events": [
{
"introduced": "6.9.5"
},
{
"fixed": "6.9.9"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "ca.uhn.hapi.fhir:org.hl7.fhir.dstu2016may"
},
"ranges": [
{
"events": [
{
"introduced": "6.9.5"
},
{
"fixed": "6.9.9"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "ca.uhn.hapi.fhir:org.hl7.fhir.dstu3"
},
"ranges": [
{
"events": [
{
"introduced": "6.9.5"
},
{
"fixed": "6.9.9"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "ca.uhn.hapi.fhir:org.hl7.fhir.r4"
},
"ranges": [
{
"events": [
{
"introduced": "6.9.5"
},
{
"fixed": "6.9.9"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "ca.uhn.hapi.fhir:org.hl7.fhir.r4b"
},
"ranges": [
{
"events": [
{
"introduced": "6.9.5"
},
{
"fixed": "6.9.9"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "ca.uhn.hapi.fhir:org.hl7.fhir.r5"
},
"ranges": [
{
"events": [
{
"introduced": "6.9.5"
},
{
"fixed": "6.9.9"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "ca.uhn.hapi.fhir:org.hl7.fhir.validation"
},
"ranges": [
{
"events": [
{
"introduced": "6.9.5"
},
{
"fixed": "6.9.9"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "ca.uhn.hapi.fhir:org.hl7.fhir.validation.cli"
},
"ranges": [
{
"events": [
{
"introduced": "6.9.5"
},
{
"fixed": "6.9.9"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "ca.uhn.hapi.fhir:org.hl7.fhir.dstu2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.9.4.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "ca.uhn.hapi.fhir:org.hl7.fhir.dstu2016may"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.9.4.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "ca.uhn.hapi.fhir:org.hl7.fhir.dstu3"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.9.4.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "ca.uhn.hapi.fhir:org.hl7.fhir.r4"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.9.4.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "ca.uhn.hapi.fhir:org.hl7.fhir.r4b"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.9.4.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "ca.uhn.hapi.fhir:org.hl7.fhir.r5"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.9.4.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "ca.uhn.hapi.fhir:org.hl7.fhir.validation"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.9.4.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "ca.uhn.hapi.fhir:org.hl7.fhir.validation.cli"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.9.4.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-49485"
],
"database_specific": {
"cwe_ids": [
"CWE-1333",
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-09T13:43:03Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "# Summary\nAll implementations of FHIRPathEngine accept arbitrary FHIRPath expressions and evaluate them without input validation. The utility intended to secure this evaluation did so incorrectly, and did not fully cover all places in which evaluation was being done. An attacker can send a resource containing an evil regex pattern that causes catastrophic backtracking, exhausting system resources, and causing Denial-of-Service.\n\n## Details\nThe vulnerability exists in regex execution in FHIRPathEngine implementations across multiple code modules. The FHIRPath functions matches(), matchesFull(), and replaceMatches() pass user-controlled regular expressions to Java\u0027s Pattern.compile() and String.replaceAll() through a utility class designed to time out after a specified interval. That utility correctly cancelled a single executor thread and returned with an exception, but the execution within the thread had no means to listen for this cancellation and would persist. Furthermore, three modules contained method calls in FHIRPathEngine that were not protected by this utility class.\n\n## Why this is exploitable:\n\nJava\u0027s Pattern.compile() with a pattern like (a+)+$ against input \"aaaaaaaaaaaaaaaaaaaaaa!\" causes exponential backtracking (O(2^n) time complexity). \n\n## Impact\nCPU Exhaustion: The exponential backtracking in Java\u0027s regex engine consumes 100% of a CPU core for the duration of the hang (effectively infinite for sufficiently long input strings) for callers of FHIRPathEngine.",
"id": "GHSA-7cmj-v6x8-frvv",
"modified": "2026-07-09T13:43:03Z",
"published": "2026-07-09T13:43:03Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/hapifhir/org.hl7.fhir.core/security/advisories/GHSA-7cmj-v6x8-frvv"
},
{
"type": "PACKAGE",
"url": "https://github.com/hapifhir/org.hl7.fhir.core"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "org.hl7.fhir.core: ReDoS via FHIRPath matches()/replaceMatches() in FHIR Validator HTTP Endpoint"
}
Mitigation
Use regular expressions that do not support backtracking, e.g. by removing nested quantifiers.
Mitigation
Set backtracking limits in the configuration of the regular expression implementation, such as PHP's pcre.backtrack_limit. Also consider limits on execution time for the process.
Mitigation
Do not use regular expressions with untrusted input. If regular expressions must be used, avoid using backtracking in the expression.
Mitigation
Limit the length of the input that the regular expression will process.
CAPEC-492: Regular Expression Exponential Blowup
An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions.