Common Weakness Enumeration

CWE-1333

Allowed

Inefficient Regular Expression Complexity

Abstraction: Base · Status: Draft

The product uses a regular expression with a worst-case computational complexity that is inefficient and possibly exponential.

732 vulnerabilities reference this CWE, most recent first.

GHSA-73W2-5F6G-JX42

Vulnerability from github – Published: 2023-07-13 03:30 – Updated: 2024-04-04 06:06
VLAI
Details

An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.3 before 15.11.10, all versions starting from 16.0 before 16.0.6, all versions starting from 16.1 before 16.1.1. A Regular Expression Denial of Service was possible via sending crafted payloads to the preview_markdown endpoint.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-3424"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333",
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-07-13T03:15:10Z",
    "severity": "HIGH"
  },
  "details": "An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.3 before 15.11.10, all versions starting from 16.0 before 16.0.6, all versions starting from 16.1 before 16.1.1. A Regular Expression Denial of Service was possible via sending crafted payloads to the preview_markdown endpoint.",
  "id": "GHSA-73w2-5f6g-jx42",
  "modified": "2024-04-04T06:06:32Z",
  "published": "2023-07-13T03:30:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3424"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/1960970"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/409802"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7599-FQGM-V84P

Vulnerability from github – Published: 2022-12-31 21:30 – Updated: 2023-01-10 16:10
VLAI
Summary
rgb2hex vulnerable to inefficient regular expression complexity
Details

A vulnerability was found in rgb2hex up to 0.1.5. It has been rated as problematic. This issue affects some unknown processing. The manipulation leads to inefficient regular expression complexity. The attack may be initiated remotely. Upgrading to version 0.1.6 can address this issue. The name of the patch is 9e0c38594432edfa64136fdf7bb651835e17c34f. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-217151.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "rgb2hex"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.1.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2018-25061"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-01-04T14:26:40Z",
    "nvd_published_at": "2022-12-31T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability was found in rgb2hex up to 0.1.5. It has been rated as problematic. This issue affects some unknown processing. The manipulation leads to inefficient regular expression complexity. The attack may be initiated remotely. Upgrading to version 0.1.6 can address this issue. The name of the patch is 9e0c38594432edfa64136fdf7bb651835e17c34f. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-217151.",
  "id": "GHSA-7599-fqgm-v84p",
  "modified": "2023-01-10T16:10:03Z",
  "published": "2022-12-31T21:30:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-25061"
    },
    {
      "type": "WEB",
      "url": "https://github.com/christian-bromann/rgb2hex/commit/9e0c38594432edfa64136fdf7bb651835e17c34f"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/christian-bromann/rgb2hex"
    },
    {
      "type": "WEB",
      "url": "https://github.com/christian-bromann/rgb2hex/releases/tag/v0.1.6"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.217151"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.217151"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "rgb2hex vulnerable to inefficient regular expression complexity"
}

GHSA-762F-C2WG-M8C8

Vulnerability from github – Published: 2018-10-09 00:27 – Updated: 2023-04-11 00:32
VLAI
Summary
Denial of Service in protobufjs
Details

Versions of protobufjs before 5.0.3 and 6.8.6 are vulnerable to a regular expression denial of service when parsing crafted invalid *.proto files.

Recommendation

Update to version 5.0.3, 6.8.6 or later.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "protobufjs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.0.0"
            },
            {
              "fixed": "6.8.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "protobufjs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.0.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2018-3738"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:21:32Z",
    "nvd_published_at": "2018-06-07T02:29:00Z",
    "severity": "MODERATE"
  },
  "details": "Versions of `protobufjs` before 5.0.3 and 6.8.6 are vulnerable to a regular expression denial of service when parsing crafted invalid *.proto files.\n\n\n## Recommendation\n\nUpdate to version 5.0.3, 6.8.6 or later.",
  "id": "GHSA-762f-c2wg-m8c8",
  "modified": "2023-04-11T00:32:09Z",
  "published": "2018-10-09T00:27:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-3738"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/319576"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-762f-c2wg-m8c8"
    },
    {
      "type": "WEB",
      "url": "https://github.com/dcodeIO/protobuf.js/blob/6.8.5/src/parse.js#L27"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/advisories/605"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Denial of Service in protobufjs"
}

GHSA-785G-R934-C877

Vulnerability from github – Published: 2025-05-02 21:30 – Updated: 2025-06-12 03:30
VLAI
Details

A vulnerability was found in gorhill uBlock Origin up to 1.63.3b16. It has been classified as problematic. Affected is the function currentStateChanged of the file src/js/1p-filters.js of the component UI. The manipulation leads to inefficient regular expression complexity. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 1.63.3b17 is able to address this issue. The patch is identified as eaedaf5b10d2f7857c6b77fbf7d4a80681d4d46c. It is recommended to upgrade the affected component.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-4215"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333",
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-02T21:15:23Z",
    "severity": "LOW"
  },
  "details": "A vulnerability was found in gorhill uBlock Origin up to 1.63.3b16. It has been classified as problematic. Affected is the function currentStateChanged of the file src/js/1p-filters.js of the component UI. The manipulation leads to inefficient regular expression complexity. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 1.63.3b17 is able to address this issue. The patch is identified as eaedaf5b10d2f7857c6b77fbf7d4a80681d4d46c. It is recommended to upgrade the affected component.",
  "id": "GHSA-785g-r934-c877",
  "modified": "2025-06-12T03:30:25Z",
  "published": "2025-05-02T21:30:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4215"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gorhill/uBlock/commit/eaedaf5b10d2f7857c6b77fbf7d4a80681d4d46c"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gorhill/uBlock/releases/tag/1.63.3b17"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/06/msg00013.html"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.307194"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.307194"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.562301"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-78HM-5HJW-58MH

Vulnerability from github – Published: 2024-06-07 22:14 – Updated: 2024-06-07 22:15
VLAI
Summary
ua-parser/uap-php ReDoS vulnerability
Details

A regex expression in ua-parser/uap-php could lead to a ReDoS vulnerability in versions prior to 3.8.0.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "ua-parser/uap-php"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.8.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-06-07T22:14:49Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "A regex expression in ua-parser/uap-php could lead to a ReDoS vulnerability in versions prior to 3.8.0.",
  "id": "GHSA-78hm-5hjw-58mh",
  "modified": "2024-06-07T22:15:42Z",
  "published": "2024-06-07T22:14:49Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ua-parser/uap-core/pull/363"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ua-parser/uap-core/commit/156f7e12b215bddbaf3df4514c399d683e6cdadc"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ua-parser/uap-php/commit/947f80b39130c83a3d1c75900ac1b58828ed8aef"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/ua-parser/uap-php/2018-12-14.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ua-parser/uap-php"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "ua-parser/uap-php ReDoS vulnerability"
}

GHSA-798H-G4J5-5537

Vulnerability from github – Published: 2023-01-11 15:30 – Updated: 2025-06-16 14:03
VLAI
Summary
Duplicate Advisory: PapaParse Inefficient Regular Expression Complexity vulnerability
Details

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-qvjc-g5vr-mfgr. This link is maintained to preserve external references.

Original Description

A vulnerability was found in mholt PapaParse up to 5.1.x. It has been classified as problematic. Affected is an unknown function of the file papaparse.js. The manipulation leads to inefficient regular expression complexity. Upgrading to version 5.2.0 is able to address this issue. The name of the patch is 235a12758cd77266d2e98fd715f53536b34ad621. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-218004.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "papaparse"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.2.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-01-12T20:51:49Z",
    "nvd_published_at": "2023-01-11T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "## Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-qvjc-g5vr-mfgr. This link is maintained to preserve external references.\n\n## Original Description\nA vulnerability was found in mholt PapaParse up to 5.1.x. It has been classified as problematic. Affected is an unknown function of the file papaparse.js. The manipulation leads to inefficient regular expression complexity. Upgrading to version 5.2.0 is able to address this issue. The name of the patch is 235a12758cd77266d2e98fd715f53536b34ad621. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-218004.",
  "id": "GHSA-798h-g4j5-5537",
  "modified": "2025-06-16T14:03:06Z",
  "published": "2023-01-11T15:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36649"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mholt/PapaParse/issues/777"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mholt/PapaParse/pull/779"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mholt/PapaParse/commit/235a12758cd77266d2e98fd715f53536b34ad621"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mholt/PapaParse"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mholt/PapaParse/releases/tag/5.2.0"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.218004"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.218004"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Duplicate Advisory: PapaParse Inefficient Regular Expression Complexity vulnerability",
  "withdrawn": "2025-06-16T14:03:06Z"
}

GHSA-79VF-HF9F-J9Q8

Vulnerability from github – Published: 2025-06-09 21:30 – Updated: 2025-06-09 23:10
VLAI
Summary
@vue/cli-plugin-pwa Regular Expression Denial of Service vulnerability
Details

A vulnerability was found in vuejs vue-cli up to 5.0.8. It has been rated as problematic. This issue affects the function HtmlPwaPlugin of the file packages/@vue/cli-plugin-pwa/lib/HtmlPwaPlugin.js of the component Markdown Code Handler. The manipulation leads to inefficient regular expression complexity. The attack may be initiated remotely.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@vue/cli-plugin-pwa"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "5.0.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-5897"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333",
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-06-09T23:10:40Z",
    "nvd_published_at": "2025-06-09T21:15:47Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability was found in vuejs vue-cli up to 5.0.8. It has been rated as problematic. This issue affects the function HtmlPwaPlugin of the file packages/@vue/cli-plugin-pwa/lib/HtmlPwaPlugin.js of the component Markdown Code Handler. The manipulation leads to inefficient regular expression complexity. The attack may be initiated remotely.",
  "id": "GHSA-79vf-hf9f-j9q8",
  "modified": "2025-06-09T23:10:40Z",
  "published": "2025-06-09T21:30:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-5897"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vuejs/vue-cli/pull/7478"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/vuejs/vue-cli"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.311669"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.311669"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.585798"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "@vue/cli-plugin-pwa Regular Expression Denial of Service vulnerability"
}

GHSA-79WJ-68R3-H5HV

Vulnerability from github – Published: 2025-08-18 15:30 – Updated: 2025-08-18 15:30
VLAI
Details

IBM Concert Software 1.0.0 through 1.1.0 could allow a remote attacker to cause a denial of service using a specially crafted regular expression that would cause excessive resource consumption.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-33090"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-18T14:15:28Z",
    "severity": "HIGH"
  },
  "details": "IBM Concert Software 1.0.0 through 1.1.0 could allow a remote attacker to cause a denial of service using a specially crafted regular expression that would cause excessive resource consumption.",
  "id": "GHSA-79wj-68r3-h5hv",
  "modified": "2025-08-18T15:30:32Z",
  "published": "2025-08-18T15:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-33090"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7242354"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7C9G-VJ9M-8PM6

Vulnerability from github – Published: 2024-02-28 00:31 – Updated: 2024-04-16 16:10
VLAI
Summary
Duplicate Advisory: ReDos vulnerability of XMLFeedSpider
Details

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-cc65-xxvf-f7r9. This link is maintained to preserve external references.

Original Description

Parts of the Scrapy API were found to be vulnerable to a ReDoS attack. Handling a malicious response could cause extreme CPU and memory usage during the parsing of its content, due to the use of vulnerable regular expressions for that parsing.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "scrapy"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2"
            },
            {
              "fixed": "2.11.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "scrapy"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.8.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-16T16:10:38Z",
    "nvd_published_at": "2024-02-28T00:15:53Z",
    "severity": "HIGH"
  },
  "details": "## Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-cc65-xxvf-f7r9. This link is maintained to preserve external references.\n\n## Original Description\nParts of the Scrapy API were found to be vulnerable to a ReDoS attack. Handling a malicious response could cause extreme CPU and memory usage during the parsing of its content, due to the use of vulnerable regular expressions for that parsing.",
  "id": "GHSA-7c9g-vj9m-8pm6",
  "modified": "2024-04-16T16:10:38Z",
  "published": "2024-02-28T00:31:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1892"
    },
    {
      "type": "WEB",
      "url": "https://github.com/scrapy/scrapy/commit/479619b340f197a8f24c5db45bc068fb8755f2c5"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/271f94f2-1e05-4616-ac43-41752389e26b"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Duplicate Advisory: ReDos vulnerability of XMLFeedSpider",
  "withdrawn": "2024-04-16T16:10:38Z"
}

GHSA-7CMJ-V6X8-FRVV

Vulnerability from github – Published: 2026-07-09 13:43 – Updated: 2026-07-09 13:43
VLAI
Summary
org.hl7.fhir.core: ReDoS via FHIRPath matches()/replaceMatches() in FHIR Validator HTTP Endpoint
Details

Summary

All implementations of FHIRPathEngine accept arbitrary FHIRPath expressions and evaluate them without input validation. The utility intended to secure this evaluation did so incorrectly, and did not fully cover all places in which evaluation was being done. An attacker can send a resource containing an evil regex pattern that causes catastrophic backtracking, exhausting system resources, and causing Denial-of-Service.

Details

The vulnerability exists in regex execution in FHIRPathEngine implementations across multiple code modules. The FHIRPath functions matches(), matchesFull(), and replaceMatches() pass user-controlled regular expressions to Java's Pattern.compile() and String.replaceAll() through a utility class designed to time out after a specified interval. That utility correctly cancelled a single executor thread and returned with an exception, but the execution within the thread had no means to listen for this cancellation and would persist. Furthermore, three modules contained method calls in FHIRPathEngine that were not protected by this utility class.

Why this is exploitable:

Java's Pattern.compile() with a pattern like (a+)+$ against input "aaaaaaaaaaaaaaaaaaaaaa!" causes exponential backtracking (O(2^n) time complexity).

Impact

CPU Exhaustion: The exponential backtracking in Java's regex engine consumes 100% of a CPU core for the duration of the hang (effectively infinite for sufficiently long input strings) for callers of FHIRPathEngine.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "ca.uhn.hapi.fhir:org.hl7.fhir.dstu2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.9.5"
            },
            {
              "fixed": "6.9.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "ca.uhn.hapi.fhir:org.hl7.fhir.dstu2016may"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.9.5"
            },
            {
              "fixed": "6.9.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "ca.uhn.hapi.fhir:org.hl7.fhir.dstu3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.9.5"
            },
            {
              "fixed": "6.9.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "ca.uhn.hapi.fhir:org.hl7.fhir.r4"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.9.5"
            },
            {
              "fixed": "6.9.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "ca.uhn.hapi.fhir:org.hl7.fhir.r4b"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.9.5"
            },
            {
              "fixed": "6.9.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "ca.uhn.hapi.fhir:org.hl7.fhir.r5"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.9.5"
            },
            {
              "fixed": "6.9.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "ca.uhn.hapi.fhir:org.hl7.fhir.validation"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.9.5"
            },
            {
              "fixed": "6.9.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "ca.uhn.hapi.fhir:org.hl7.fhir.validation.cli"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.9.5"
            },
            {
              "fixed": "6.9.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "ca.uhn.hapi.fhir:org.hl7.fhir.dstu2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.9.4.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "ca.uhn.hapi.fhir:org.hl7.fhir.dstu2016may"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.9.4.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "ca.uhn.hapi.fhir:org.hl7.fhir.dstu3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.9.4.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "ca.uhn.hapi.fhir:org.hl7.fhir.r4"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.9.4.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "ca.uhn.hapi.fhir:org.hl7.fhir.r4b"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.9.4.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "ca.uhn.hapi.fhir:org.hl7.fhir.r5"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.9.4.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "ca.uhn.hapi.fhir:org.hl7.fhir.validation"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.9.4.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "ca.uhn.hapi.fhir:org.hl7.fhir.validation.cli"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.9.4.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-49485"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333",
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-07-09T13:43:03Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "# Summary\nAll implementations of FHIRPathEngine accept arbitrary FHIRPath expressions and evaluate them without input validation. The utility intended to secure this evaluation did so incorrectly, and did not fully cover all places in which evaluation was being done. An attacker can send a resource containing an evil regex pattern that causes catastrophic backtracking, exhausting system resources, and causing Denial-of-Service.\n\n## Details\nThe vulnerability exists in regex execution in FHIRPathEngine implementations across multiple code modules. The FHIRPath functions matches(), matchesFull(), and replaceMatches() pass user-controlled regular expressions to Java\u0027s Pattern.compile() and String.replaceAll() through a utility class designed to time out after a specified interval. That utility correctly cancelled a single executor thread and returned with an exception, but the execution within the thread had no means to listen for this cancellation and would persist. Furthermore, three modules contained method calls in FHIRPathEngine that were not protected by this utility class.\n\n## Why this is exploitable:\n\nJava\u0027s Pattern.compile() with a pattern like (a+)+$ against input \"aaaaaaaaaaaaaaaaaaaaaa!\" causes exponential backtracking (O(2^n) time complexity). \n\n## Impact\nCPU Exhaustion: The exponential backtracking in Java\u0027s regex engine consumes 100% of a CPU core for the duration of the hang (effectively infinite for sufficiently long input strings) for callers of FHIRPathEngine.",
  "id": "GHSA-7cmj-v6x8-frvv",
  "modified": "2026-07-09T13:43:03Z",
  "published": "2026-07-09T13:43:03Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/hapifhir/org.hl7.fhir.core/security/advisories/GHSA-7cmj-v6x8-frvv"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/hapifhir/org.hl7.fhir.core"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "org.hl7.fhir.core: ReDoS via FHIRPath matches()/replaceMatches() in FHIR Validator HTTP Endpoint"
}

Mitigation
Architecture and Design

Use regular expressions that do not support backtracking, e.g. by removing nested quantifiers.

Mitigation
System Configuration

Set backtracking limits in the configuration of the regular expression implementation, such as PHP's pcre.backtrack_limit. Also consider limits on execution time for the process.

Mitigation
Implementation

Do not use regular expressions with untrusted input. If regular expressions must be used, avoid using backtracking in the expression.

Mitigation
Implementation

Limit the length of the input that the regular expression will process.

CAPEC-492: Regular Expression Exponential Blowup

An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions.