Common Weakness Enumeration

CWE-1333

Allowed

Inefficient Regular Expression Complexity

Abstraction: Base · Status: Draft

The product uses a regular expression with a worst-case computational complexity that is inefficient and possibly exponential.

727 vulnerabilities reference this CWE, most recent first.

GHSA-JG4P-7FHP-P32P

Vulnerability from github – Published: 2026-04-04 04:23 – Updated: 2026-04-24 13:43
VLAI
Summary
@hapi/content: Regular Expression Denial of Service (ReDoS) in HTTP header parsing
Details

All versions of @hapi/content through 6.0.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via crafted HTTP header values. Three regular expressions used to parse Content-Type and Content-Disposition headers contain patterns susceptible to catastrophic backtracking. This has been fixed in v6.0.1.

Impact

Denial of Service. An unauthenticated remote attacker can cause a Node.js process to become unresponsive by sending a single HTTP request with a maliciously crafted header value.

Patches

Fixed by tightening all three regular expressions to eliminate backtracking.

Workarounds

There are no known workarounds. Upgrade to the patched version.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 6.0.0"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@hapi/content"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-35213"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-04T04:23:03Z",
    "nvd_published_at": "2026-04-06T21:16:20Z",
    "severity": "HIGH"
  },
  "details": "All versions of `@hapi/content` through 6.0.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via crafted HTTP header values. Three regular expressions used to parse `Content-Type` and `Content-Disposition` headers contain patterns susceptible to catastrophic backtracking. This has been fixed in v6.0.1.\n\n### Impact\n\nDenial of Service. An unauthenticated remote attacker can cause a Node.js process to become unresponsive by sending a single HTTP request with a maliciously crafted header value.\n\n### Patches\n\nFixed by tightening all three regular expressions to eliminate backtracking.\n\n### Workarounds\n\nThere are no known workarounds. Upgrade to the patched version.",
  "id": "GHSA-jg4p-7fhp-p32p",
  "modified": "2026-04-24T13:43:15Z",
  "published": "2026-04-04T04:23:03Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/hapijs/content/security/advisories/GHSA-jg4p-7fhp-p32p"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35213"
    },
    {
      "type": "WEB",
      "url": "https://github.com/hapijs/content/pull/38"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/hapijs/content"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "@hapi/content: Regular Expression Denial of Service (ReDoS) in HTTP header parsing"
}

GHSA-JH3W-4VVF-MJGR

Vulnerability from github – Published: 2023-07-03 15:30 – Updated: 2025-11-04 19:38
VLAI
Summary
Django has regular expression denial of service vulnerability in EmailValidator/URLValidator
Details

In Django 3.2 before 3.2.20, 4 before 4.1.10, and 4.2 before 4.2.3, EmailValidator and URLValidator are subject to a potential ReDoS (regular expression denial of service) attack via a very large number of domain name labels of emails and URLs.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "Django"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.2a1"
            },
            {
              "fixed": "3.2.20"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "Django"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0a1"
            },
            {
              "fixed": "4.1.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "Django"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.2a1"
            },
            {
              "fixed": "4.2.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-36053"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-07-05T22:45:55Z",
    "nvd_published_at": "2023-07-03T13:15:09Z",
    "severity": "HIGH"
  },
  "details": "In Django 3.2 before 3.2.20, 4 before 4.1.10, and 4.2 before 4.2.3, `EmailValidator` and `URLValidator` are subject to a potential ReDoS (regular expression denial of service) attack via a very large number of domain name labels of emails and URLs.",
  "id": "GHSA-jh3w-4vvf-mjgr",
  "modified": "2025-11-04T19:38:50Z",
  "published": "2023-07-03T15:30:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36053"
    },
    {
      "type": "WEB",
      "url": "https://github.com/django/django/commit/454f2fb93437f98917283336201b4048293f7582"
    },
    {
      "type": "WEB",
      "url": "https://github.com/django/django/commit/ad0410ec4f458aa39803e5f6b9a3736527062dcd"
    },
    {
      "type": "WEB",
      "url": "https://github.com/django/django/commit/b7c5feb35a31799de6e582ad6a5a91a9de74e0f9"
    },
    {
      "type": "WEB",
      "url": "https://github.com/django/django/commit/beb3f3d55940d9aa7198bf9d424ab74e873aec3d"
    },
    {
      "type": "WEB",
      "url": "https://www.djangoproject.com/weblog/2023/jul/03/security-releases"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2023/dsa-5465"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZQJOMNRMVPCN5WMIZ7YSX5LQ7IR2NY4D"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XG5DYKPNDCEHJQ3TKPJQO7QGSR4FAYMS"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NRDGTUN4LTI6HG4TWR3JYLSFVXPZT42A"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQJOMNRMVPCN5WMIZ7YSX5LQ7IR2NY4D"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XG5DYKPNDCEHJQ3TKPJQO7QGSR4FAYMS"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NRDGTUN4LTI6HG4TWR3JYLSFVXPZT42A"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2023/07/msg00022.html"
    },
    {
      "type": "WEB",
      "url": "https://groups.google.com/forum/#%21forum/django-announce"
    },
    {
      "type": "WEB",
      "url": "https://groups.google.com/forum/#!forum/django-announce"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2023-100.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/django/django"
    },
    {
      "type": "WEB",
      "url": "https://docs.djangoproject.com/en/4.2/releases/security"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Django has regular expression denial of service vulnerability in EmailValidator/URLValidator"
}

GHSA-JJ5C-HHRG-VV5H

Vulnerability from github – Published: 2024-10-08 18:33 – Updated: 2024-10-09 17:01
VLAI
Summary
xhtml2pdf Denial of Service via crafted string
Details

An issue in the getcolor function in utils.py of xhtml2pdf v0.2.13 allows attackers to cause a Regular expression Denial of Service (ReDOS) via supplying a crafted string.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "xhtml2pdf"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.2.16"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-25885"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-10-09T17:01:36Z",
    "nvd_published_at": "2024-10-08T18:15:05Z",
    "severity": "MODERATE"
  },
  "details": "An issue in the getcolor function in utils.py of xhtml2pdf v0.2.13 allows attackers to cause a Regular expression Denial of Service (ReDOS) via supplying a crafted string.",
  "id": "GHSA-jj5c-hhrg-vv5h",
  "modified": "2024-10-09T17:01:36Z",
  "published": "2024-10-08T18:33:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25885"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/salvatore-abello/c88dd0027496774023ef36c7b576d206"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/xhtml2pdf/xhtml2pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "xhtml2pdf Denial of Service via crafted string"
}

GHSA-JJG7-2V4V-X38H

Vulnerability from github – Published: 2024-04-11 21:32 – Updated: 2025-11-05 20:10
VLAI
Summary
Internationalized Domain Names in Applications (IDNA) vulnerable to denial of service from specially crafted inputs to idna.encode
Details

Impact

A specially crafted argument to the idna.encode() function could consume significant resources. This may lead to a denial-of-service.

Patches

The function has been refined to reject such strings without the associated resource consumption in version 3.7.

Workarounds

Domain names cannot exceed 253 characters in length, if this length limit is enforced prior to passing the domain to the idna.encode() function it should no longer consume significant resources. This is triggered by arbitrarily large inputs that would not occur in normal usage, but may be passed to the library assuming there is no preliminary input validation by the higher-level application.

References

  • https://huntr.com/bounties/93d78d07-d791-4b39-a845-cbfabc44aadb
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "idna"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-3651"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333",
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-11T21:32:40Z",
    "nvd_published_at": "2024-07-07T18:15:09Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nA specially crafted argument to the `idna.encode()` function could consume significant resources. This may lead to a denial-of-service.\n\n### Patches\nThe function has been refined to reject such strings without the associated resource consumption in version 3.7.\n\n### Workarounds\nDomain names cannot exceed 253 characters in length, if this length limit is enforced prior to passing the domain to the `idna.encode()` function it should no longer consume significant resources. This is triggered by arbitrarily large inputs that would not occur in normal usage, but may be passed to the library assuming there is no preliminary input validation by the higher-level application.\n\n### References\n* https://huntr.com/bounties/93d78d07-d791-4b39-a845-cbfabc44aadb",
  "id": "GHSA-jjg7-2v4v-x38h",
  "modified": "2025-11-05T20:10:47Z",
  "published": "2024-04-11T21:32:40Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/kjd/idna/security/advisories/GHSA-jjg7-2v4v-x38h"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3651"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kjd/idna/commit/1d365e17e10d72d0b7876316fc7b9ca0eebdd38d"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/kjd/idna"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/idna/PYSEC-2024-60.yaml"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/93d78d07-d791-4b39-a845-cbfabc44aadb"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/05/msg00006.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4YQUPYH3SVZ5GFF2CDQ55FCM575AZTF2"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F2S5E23N6E52S46KGNYTDFB75LOC4N4D"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S5IDLLD2IKSIVRBSLB34WTSYGLMWUFWF"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ULSC7HBJKXB3BZV367WM5BR6DFEC4Z43"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Internationalized Domain Names in Applications (IDNA) vulnerable to denial of service from specially crafted inputs to idna.encode"
}

GHSA-JJHX-JHVP-74WQ

Vulnerability from github – Published: 2024-02-27 21:41 – Updated: 2024-03-01 23:30
VLAI
Summary
Rails has possible ReDoS vulnerability in Accept header parsing in Action Dispatch
Details

Possible ReDoS vulnerability in Accept header parsing in Action Dispatch

There is a possible ReDoS vulnerability in the Accept header parsing routines of Action Dispatch. This vulnerability has been assigned the CVE identifier CVE-2024-26142.

Versions Affected: >= 7.1.0, < 7.1.3.1 Not affected: < 7.1.0 Fixed Versions: 7.1.3.1

Impact

Carefully crafted Accept headers can cause Accept header parsing in Action Dispatch to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade or use one of the workarounds immediately.

Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected.

Releases

The fixed releases are available at the normal locations.

Workarounds

There are no feasible workarounds for this issue.

Patches

To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.

  • 7-1-accept-redox.patch - Patch for 7.1 series

Credits

Thanks svalkanov for the report and patch!

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "actionpack"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.1.0"
            },
            {
              "fixed": "7.1.3.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-26142"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-02-27T21:41:09Z",
    "nvd_published_at": "2024-02-27T16:15:46Z",
    "severity": "LOW"
  },
  "details": "# Possible ReDoS vulnerability in Accept header parsing in Action Dispatch\n\nThere is a possible ReDoS vulnerability in the Accept header parsing routines\nof Action Dispatch. This vulnerability has been assigned the CVE identifier\nCVE-2024-26142.\n\nVersions Affected:  \u003e= 7.1.0, \u003c 7.1.3.1\nNot affected:       \u003c 7.1.0\nFixed Versions:     7.1.3.1\n\nImpact\n------\nCarefully crafted Accept headers can cause Accept header parsing in Action\nDispatch to take an unexpected amount of time, possibly resulting in a DoS\nvulnerability.  All users running an affected release should either upgrade or\nuse one of the workarounds immediately.\n\nRuby 3.2 has mitigations for this problem, so Rails applications using Ruby\n3.2 or newer are unaffected.\n\nReleases\n--------\nThe fixed releases are available at the normal locations.\n\nWorkarounds\n-----------\nThere are no feasible workarounds for this issue.\n\nPatches\n-------\nTo aid users who aren\u0027t able to upgrade immediately we have provided patches for\nthe two supported release series. They are in git-am format and consist of a\nsingle changeset.\n\n* 7-1-accept-redox.patch - Patch for 7.1 series\n\nCredits\n-------\nThanks [svalkanov](https://hackerone.com/svalkanov) for the report and patch!",
  "id": "GHSA-jjhx-jhvp-74wq",
  "modified": "2024-03-01T23:30:38Z",
  "published": "2024-02-27T21:41:09Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/rails/rails/security/advisories/GHSA-jjhx-jhvp-74wq"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26142"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rails/rails/commit/b4d3bfb5ed8a5b5a90aad3a3b28860c7a931e272"
    },
    {
      "type": "WEB",
      "url": "https://discuss.rubyonrails.org/t/possible-redos-vulnerability-in-accept-header-parsing-in-action-dispatch/84946"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/rails/rails"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-26142.yml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Rails has possible ReDoS vulnerability in Accept header parsing in Action Dispatch"
}

GHSA-JJPH-296X-MRCR

Vulnerability from github – Published: 2025-07-07 12:30 – Updated: 2025-07-08 16:38
VLAI
Summary
Transformers vulnerable to ReDoS attack through its get_imports() function
Details

A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically in the get_imports() function within dynamic_module_utils.py. This vulnerability affects versions 4.49.0 and is fixed in version 4.51.0. The issue arises from a regular expression pattern \s*try\s*:.*?except.*?: used to filter out try/except blocks from Python code, which can be exploited to cause excessive CPU consumption through crafted input strings due to catastrophic backtracking. This vulnerability can lead to remote code loading disruption, resource exhaustion in model serving, supply chain attack vectors, and development pipeline disruption.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "transformers"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.51.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-3264"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-07-08T16:38:04Z",
    "nvd_published_at": "2025-07-07T10:15:27Z",
    "severity": "MODERATE"
  },
  "details": "A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically in the `get_imports()` function within `dynamic_module_utils.py`. This vulnerability affects versions 4.49.0 and is fixed in version 4.51.0. The issue arises from a regular expression pattern `\\s*try\\s*:.*?except.*?:` used to filter out try/except blocks from Python code, which can be exploited to cause excessive CPU consumption through crafted input strings due to catastrophic backtracking. This vulnerability can lead to remote code loading disruption, resource exhaustion in model serving, supply chain attack vectors, and development pipeline disruption.",
  "id": "GHSA-jjph-296x-mrcr",
  "modified": "2025-07-08T16:38:04Z",
  "published": "2025-07-07T12:30:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3264"
    },
    {
      "type": "WEB",
      "url": "https://github.com/huggingface/transformers/commit/0720e206c6ba28887e4d60ef60a6a089f6c1cc76"
    },
    {
      "type": "WEB",
      "url": "https://github.com/huggingface/transformers/commit/126abe3461762e5fc180e7e614391d1b4ab051ca"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/huggingface/transformers"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/3c6f7822-9992-476d-8cf0-b0b1623427df"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Transformers vulnerable to ReDoS attack through its get_imports() function"
}

GHSA-JM96-7WVJ-J3R9

Vulnerability from github – Published: 2026-07-08 21:30 – Updated: 2026-07-08 21:30
VLAI
Details

A flaw was found in guardrails-detectors, a component of Red Hat OpenShift AI. This vulnerability, known as Regular Expression Denial of Service (ReDoS), allows a remote attacker to provide specially crafted regular expressions to the public detection API. This can cause catastrophic backtracking, leading to a worker process consuming 100% CPU indefinitely and resulting in a denial of service for the entire guardrails-mediated LLM pipeline.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-15154"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-08T20:16:48Z",
    "severity": "MODERATE"
  },
  "details": "A flaw was found in `guardrails-detectors`, a component of Red Hat OpenShift AI. This vulnerability, known as Regular Expression Denial of Service (ReDoS), allows a remote attacker to provide specially crafted regular expressions to the public detection API. This can cause catastrophic backtracking, leading to a worker process consuming 100% CPU indefinitely and resulting in a denial of service for the entire guardrails-mediated LLM pipeline.",
  "id": "GHSA-jm96-7wvj-j3r9",
  "modified": "2026-07-08T21:30:27Z",
  "published": "2026-07-08T21:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-15154"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2026-15154"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2498188"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JMP3-39VP-FWG8

Vulnerability from github – Published: 2024-07-11 13:21 – Updated: 2026-06-09 13:05
VLAI
Summary
Wagtail regular expression denial-of-service via search query parsing
Details

Impact

A bug in Wagtail's parse_query_string would result in it taking a long time to process suitably crafted inputs. When used to parse sufficiently long strings of characters without a space, parse_query_string would take an unexpectedly large amount of time to process, resulting in a denial of service.

In an initial Wagtail installation, the vulnerability can be exploited by any Wagtail admin user. It cannot be exploited by end users. If your Wagtail site has a custom search implementation which uses parse_query_string, it may be exploitable by other users (e.g. unauthenticated users).

Patches

Patched versions have been released as Wagtail 5.2.6, 6.0.6 and 6.1.3.

This vulnerability affects all unpatched versions from Wagtail 2.0 onwards.

Workarounds

Site owners who are unable to upgrade to a patched version can limit the length of search terms passed to parse_query_string. Whilst the performance characteristics will depend on your hosting environment, 1000 characters has been shown to still be fairly fast, without triggering this vulnerability.

No workaround is available for the Wagtail admin usage.

Acknowledgements

Many thanks to Jake Howard for reporting this issue.

For more information

If you have any questions or comments about this advisory:

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "wagtail"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.0"
            },
            {
              "fixed": "6.0.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "wagtail"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.1"
            },
            {
              "fixed": "6.1.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "wagtail"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0"
            },
            {
              "fixed": "5.2.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-39317"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-07-11T13:21:42Z",
    "nvd_published_at": "2024-07-11T16:15:02Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nA bug in Wagtail\u0027s [`parse_query_string`](https://docs.wagtail.org/en/stable/topics/search/searching.html#wagtailsearch-query-string-parsing) would result in it taking a long time to process suitably crafted inputs. When used to parse sufficiently long strings of characters without a space, `parse_query_string` would take an unexpectedly large amount of time to process, resulting in a denial of service.\n\nIn an initial Wagtail installation, the vulnerability can be exploited by any Wagtail admin user. It cannot be exploited by end users. If your Wagtail site has a custom search implementation which uses `parse_query_string`, it may be exploitable by other users (e.g. unauthenticated users).\n\n### Patches\n\nPatched versions have been released as Wagtail 5.2.6, 6.0.6 and 6.1.3.\n\nThis vulnerability affects all unpatched versions from Wagtail 2.0 onwards.\n\n### Workarounds\n\nSite owners who are unable to upgrade to a patched version can limit the length of search terms passed to `parse_query_string`. Whilst the performance characteristics will depend on your hosting environment, 1000 characters has been shown to still be fairly fast, without triggering this vulnerability.\n\nNo workaround is available for the Wagtail admin usage.\n\n### Acknowledgements\n\nMany thanks to [Jake Howard](https://github.com/RealOrangeOne) for reporting this issue.\n\n### For more information\nIf you have any questions or comments about this advisory:\n\n* Visit Wagtail\u0027s [support channels](https://docs.wagtail.io/en/stable/support.html)\n* Email us at [security@wagtail.org](mailto:security@wagtail.org) (view our [security policy](https://github.com/wagtail/wagtail/security/policy) for more information).",
  "id": "GHSA-jmp3-39vp-fwg8",
  "modified": "2026-06-09T13:05:34Z",
  "published": "2024-07-11T13:21:42Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-jmp3-39vp-fwg8"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39317"
    },
    {
      "type": "WEB",
      "url": "https://github.com/wagtail/wagtail/commit/31b1e8532dfb1b70d8d37d22aff9cbde9109cdf2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/wagtail/wagtail/commit/3c941136f79c48446e3858df46e5b668d7f83797"
    },
    {
      "type": "WEB",
      "url": "https://github.com/wagtail/wagtail/commit/b783c096b6d4fd2cfc05f9137a0be288850e99a2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/wagtail/PYSEC-2024-86.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/wagtail/wagtail"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Wagtail regular expression denial-of-service via search query parsing"
}

GHSA-JQGV-3CH9-C9QV

Vulnerability from github – Published: 2025-03-20 12:32 – Updated: 2025-03-20 12:32
VLAI
Details

A Regular Expression Denial of Service (ReDoS) vulnerability exists in the lunary-ai/lunary repository, specifically in the compileTextTemplate function. The affected version is git be54057. An attacker can exploit this vulnerability by manipulating the regular expression /{{(.*?)}}/g, causing the server to hang indefinitely and become unresponsive to any requests. This is due to the regular expression's susceptibility to second-degree polynomial time complexity, which can be triggered by a large number of braces in the input.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-8763"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333",
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-20T10:15:43Z",
    "severity": "HIGH"
  },
  "details": "A Regular Expression Denial of Service (ReDoS) vulnerability exists in the lunary-ai/lunary repository, specifically in the compileTextTemplate function. The affected version is git be54057. An attacker can exploit this vulnerability by manipulating the regular expression /{{(.*?)}}/g, causing the server to hang indefinitely and become unresponsive to any requests. This is due to the regular expression\u0027s susceptibility to second-degree polynomial time complexity, which can be triggered by a large number of braces in the input.",
  "id": "GHSA-jqgv-3ch9-c9qv",
  "modified": "2025-03-20T12:32:48Z",
  "published": "2025-03-20T12:32:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8763"
    },
    {
      "type": "WEB",
      "url": "https://github.com/lunary-ai/lunary/commit/7ff89b0304d191534b924cf063f3648206d497fa"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/4fb63a6e-0056-4550-a34d-e161de1c13b8"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JR9P-R423-9M2R

Vulnerability from github – Published: 2021-06-02 21:44 – Updated: 2024-09-30 20:15
VLAI
Summary
markdown2 Regular Expression Denial of Service
Details

markdown2 >=1.0.1.18, fixed in 2.4.0, is affected by a regular expression denial of service vulnerability. If an attacker provides a malicious string, it can make markdown2 processing difficult or delayed for an extended period of time.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "markdown2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.0.1.18"
            },
            {
              "fixed": "2.4.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-26813"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-05-12T21:02:47Z",
    "nvd_published_at": "2021-03-03T16:15:00Z",
    "severity": "HIGH"
  },
  "details": "markdown2 \u003e=1.0.1.18, fixed in 2.4.0, is affected by a regular expression denial of service vulnerability. If an attacker provides a malicious string, it can make markdown2 processing difficult or delayed for an extended period of time.",
  "id": "GHSA-jr9p-r423-9m2r",
  "modified": "2024-09-30T20:15:06Z",
  "published": "2021-06-02T21:44:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-26813"
    },
    {
      "type": "WEB",
      "url": "https://github.com/trentm/python-markdown2/pull/387"
    },
    {
      "type": "WEB",
      "url": "https://github.com/trentm/python-markdown2/commit/7b651260739647de5198323e0445b1618750c374"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-jr9p-r423-9m2r"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/markdown2/PYSEC-2021-20.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/trentm/python-markdown2"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BRP5RN35JZTSJ3JT4722F447ZDK7LZS5"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/J752422YELXLMLZJPVJVKD2KKHHQRVEH"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JTIX5UXRDJZJ57DO4V33ZNJTNKWGBQLY"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "markdown2 Regular Expression Denial of Service "
}

Mitigation
Architecture and Design

Use regular expressions that do not support backtracking, e.g. by removing nested quantifiers.

Mitigation
System Configuration

Set backtracking limits in the configuration of the regular expression implementation, such as PHP's pcre.backtrack_limit. Also consider limits on execution time for the process.

Mitigation
Implementation

Do not use regular expressions with untrusted input. If regular expressions must be used, avoid using backtracking in the expression.

Mitigation
Implementation

Limit the length of the input that the regular expression will process.

CAPEC-492: Regular Expression Exponential Blowup

An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions.