CWE-1333
AllowedInefficient Regular Expression Complexity
Abstraction: Base · Status: Draft
The product uses a regular expression with a worst-case computational complexity that is inefficient and possibly exponential.
725 vulnerabilities reference this CWE, most recent first.
GHSA-WQXW-8H5G-HQ56
Vulnerability from github – Published: 2023-02-02 01:33 – Updated: 2023-02-15 17:35Impact
Unsanitized input flows into Strategy match operation (EXIST), where it is used to build a regular expression. This may result in a Regular expression Denial of Service attack (reDOS).
Patches
Patched in 3.1.4
Workarounds
Avoid using Strategy settings that use REGEX in conjunction with EXIST and NOT_EXIST operations.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "switcher-client"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.1.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-23925"
],
"database_specific": {
"cwe_ids": [
"CWE-1333",
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2023-02-02T01:33:06Z",
"nvd_published_at": "2023-02-03T20:15:00Z",
"severity": "HIGH"
},
"details": "### Impact\nUnsanitized input flows into Strategy match operation (EXIST), where it is used to build a regular expression. This may result in a Regular expression Denial of Service attack (reDOS).\n\n### Patches\nPatched in 3.1.4\n\n### Workarounds\nAvoid using Strategy settings that use REGEX in conjunction with EXIST and NOT_EXIST operations.",
"id": "GHSA-wqxw-8h5g-hq56",
"modified": "2023-02-15T17:35:36Z",
"published": "2023-02-02T01:33:06Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/switcherapi/switcher-client-master/security/advisories/GHSA-wqxw-8h5g-hq56"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23925"
},
{
"type": "WEB",
"url": "https://github.com/switcherapi/switcher-client-master/commit/374752563d6ce9353ee592b40c809c8136f24930"
},
{
"type": "PACKAGE",
"url": "https://github.com/switcherapi/switcher-client-master"
},
{
"type": "WEB",
"url": "https://github.com/switcherapi/switcher-client-master/releases/tag/v3.1.4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Switcher Client contains Regular Expression Denial of Service (ReDoS)"
}
GHSA-WRXC-QW43-C96X
Vulnerability from github – Published: 2025-03-31 15:30 – Updated: 2025-03-31 15:30Running DDoS on tcp port 22 will trigger a kernel crash. This issue is introduced by the backport of a commit regarding nft_lookup without the subsequent fixes that were introduced after this commit. The resolution of this CVE introduces those commits to the linux-bluefield package.
{
"affected": [],
"aliases": [
"CVE-2023-0881"
],
"database_specific": {
"cwe_ids": [
"CWE-1333",
"CWE-20"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-31T14:15:18Z",
"severity": "HIGH"
},
"details": "Running DDoS on tcp port 22 will trigger a kernel crash. This issue is introduced by the backport of a commit regarding nft_lookup without the subsequent fixes that were introduced after this commit. The resolution of this CVE introduces those commits to the linux-bluefield package.",
"id": "GHSA-wrxc-qw43-c96x",
"modified": "2025-03-31T15:30:48Z",
"published": "2025-03-31T15:30:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0881"
},
{
"type": "WEB",
"url": "https://bugs.launchpad.net/ubuntu/+source/linux-bluefield/+bug/2006397"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WWHV-WXV9-RPGW
Vulnerability from github – Published: 2024-10-15 23:35 – Updated: 2024-12-02 19:53There is a possible ReDoS vulnerability in the plain_text_for_blockquote_node helper in Action Text. This vulnerability has been assigned the CVE identifier CVE-2024-47888.
Impact
Carefully crafted text can cause the plain_text_for_blockquote_node helper to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade or apply the relevant patch immediately.
Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends on Ruby 3.2 or greater so is unaffected.
Releases
The fixed releases are available at the normal locations.
Workarounds
Users can avoid calling plain_text_for_blockquote_node or upgrade to Ruby 3.2
Credits
Thanks to ooooooo_q for the report!
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "actiontext"
},
"ranges": [
{
"events": [
{
"introduced": "6.0.0"
},
{
"fixed": "6.1.7.9"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "actiontext"
},
"ranges": [
{
"events": [
{
"introduced": "7.0.0"
},
{
"fixed": "7.0.8.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "actiontext"
},
"ranges": [
{
"events": [
{
"introduced": "7.1.0"
},
{
"fixed": "7.1.4.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "actiontext"
},
"ranges": [
{
"events": [
{
"introduced": "7.2.0"
},
{
"fixed": "7.2.1.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-47888"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2024-10-15T23:35:36Z",
"nvd_published_at": "2024-10-16T21:15:13Z",
"severity": "MODERATE"
},
"details": "There is a possible ReDoS vulnerability in the plain_text_for_blockquote_node helper in Action Text. This vulnerability has been assigned the CVE identifier CVE-2024-47888.\n\nImpact\n------\n\nCarefully crafted text can cause the plain_text_for_blockquote_node helper to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade or apply the relevant patch immediately.\n\nRuby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends on Ruby 3.2 or greater so is unaffected.\n\n\nReleases\n--------\nThe fixed releases are available at the normal locations.\n\nWorkarounds\n-----------\nUsers can avoid calling `plain_text_for_blockquote_node` or upgrade to Ruby 3.2\n\nCredits\n-------\n\nThanks to [ooooooo_q](https://hackerone.com/ooooooo_q) for the report!",
"id": "GHSA-wwhv-wxv9-rpgw",
"modified": "2024-12-02T19:53:42Z",
"published": "2024-10-15T23:35:36Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/rails/rails/security/advisories/GHSA-wwhv-wxv9-rpgw"
},
{
"type": "PACKAGE",
"url": "https://github.com/rails/rails"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actiontext/CVE-2024-47888.yml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U",
"type": "CVSS_V4"
}
],
"summary": "Possible ReDoS vulnerability in plain_text_for_blockquote_node in Action Text"
}
GHSA-WWR9-4GMR-XVQ9
Vulnerability from github – Published: 2025-03-20 12:32 – Updated: 2025-03-20 19:44A vulnerability in the /3/Parse endpoint of h2oai/h2o-3 version 3.46.0.1 allows for a denial of service (DoS) attack. The endpoint uses a user-specified string to construct a regular expression, which is then applied to another user-specified string. By sending multiple simultaneous requests, an attacker can exhaust all available threads, leading to a complete denial of service.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "h2o"
},
"ranges": [
{
"events": [
{
"introduced": "3.30.0.7"
},
{
"last_affected": "3.46.0.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "ai.h2o:h2o-core"
},
"ranges": [
{
"events": [
{
"introduced": "3.30.0.7"
},
{
"last_affected": "3.46.0.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-10549"
],
"database_specific": {
"cwe_ids": [
"CWE-1333",
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2025-03-20T19:44:43Z",
"nvd_published_at": "2025-03-20T10:15:17Z",
"severity": "HIGH"
},
"details": "A vulnerability in the `/3/Parse` endpoint of h2oai/h2o-3 version 3.46.0.1 allows for a denial of service (DoS) attack. The endpoint uses a user-specified string to construct a regular expression, which is then applied to another user-specified string. By sending multiple simultaneous requests, an attacker can exhaust all available threads, leading to a complete denial of service.",
"id": "GHSA-wwr9-4gmr-xvq9",
"modified": "2025-03-20T19:44:43Z",
"published": "2025-03-20T12:32:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-10549"
},
{
"type": "PACKAGE",
"url": "https://github.com/h2oai/h2o-3"
},
{
"type": "WEB",
"url": "https://github.com/h2oai/h2o-3/blob/51c25940ded8b7d0acc8f3f72329fd9dedbb3a34/h2o-core/src/main/java/water/api/ParseHandler.java#L80"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/ce7bd2d6-fd38-440d-a91a-dd8f3fc06bc2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "H2O Vulnerable to Denial of Service (DoS) via `/3/Parse` Endpoint"
}
GHSA-WX3G-P9W5-PP6M
Vulnerability from github – Published: 2024-06-13 00:31 – Updated: 2024-06-13 00:31An issue has been discovered in GitLab CE/EE affecting all versions starting from 8.4 prior to 16.10.7, starting from 16.11 prior to 16.11.4, and starting from 17.0 prior to 17.0.2. A vulnerability in GitLab's Asana integration allowed an attacker to potentially cause a regular expression denial of service by sending specially crafted requests.
{
"affected": [],
"aliases": [
"CVE-2024-1963"
],
"database_specific": {
"cwe_ids": [
"CWE-1333",
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-12T23:15:49Z",
"severity": "MODERATE"
},
"details": "An issue has been discovered in GitLab CE/EE affecting all versions starting from 8.4 prior to 16.10.7, starting from 16.11 prior to 16.11.4, and starting from 17.0 prior to 17.0.2. A vulnerability in GitLab\u0027s Asana integration allowed an attacker to potentially cause a regular expression denial of service by sending specially crafted requests.",
"id": "GHSA-wx3g-p9w5-pp6m",
"modified": "2024-06-13T00:31:23Z",
"published": "2024-06-13T00:31:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1963"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/2376482"
},
{
"type": "WEB",
"url": "https://about.gitlab.com/releases/2024/06/12/patch-release-gitlab-17-0-2-released/#redos-in-asana-integration-issue-mapping-when-webhook-is-called"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/443577"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WXGH-8GMR-3QH3
Vulnerability from github – Published: 2023-01-07 18:30 – Updated: 2023-01-12 23:43A vulnerability classified as problematic has been found in cronvel terminal-kit up to 2.1.7. Affected is an unknown function. The manipulation leads to inefficient regular expression complexity. Upgrading to version 2.1.8 can address this issue. The name of the patch is a2e446cc3927b559d0281683feb9b821e83b758c. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-217620.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "terminal-kit"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.1.8"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-4306"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2023-01-12T23:43:03Z",
"nvd_published_at": "2023-01-07T17:15:00Z",
"severity": "HIGH"
},
"details": "A vulnerability classified as problematic has been found in cronvel terminal-kit up to 2.1.7. Affected is an unknown function. The manipulation leads to inefficient regular expression complexity. Upgrading to version 2.1.8 can address this issue. The name of the patch is a2e446cc3927b559d0281683feb9b821e83b758c. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-217620.",
"id": "GHSA-wxgh-8gmr-3qh3",
"modified": "2023-01-12T23:43:03Z",
"published": "2023-01-07T18:30:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4306"
},
{
"type": "WEB",
"url": "https://github.com/cronvel/terminal-kit/commit/a2e446cc3927b559d0281683feb9b821e83b758c"
},
{
"type": "PACKAGE",
"url": "https://github.com/cronvel/terminal-kit"
},
{
"type": "WEB",
"url": "https://github.com/cronvel/terminal-kit/releases/tag/v2.1.8"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.217620"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.217620"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "terminal-kit Inefficient Regular Expression Complexity vulnerability"
}
GHSA-WXHQ-PM8V-CW75
Vulnerability from github – Published: 2019-06-05 20:50 – Updated: 2020-08-31 18:35Version of clean-css prior to 4.1.11 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions. This can cause the application to be unresponsive leading to Denial of Service.
Recommendation
Upgrade to version 4.1.11 or higher.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "clean-css"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.1.11"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2019-06-05T20:49:47Z",
"nvd_published_at": null,
"severity": "LOW"
},
"details": "Version of `clean-css` prior to 4.1.11 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions. This can cause the application to be unresponsive leading to Denial of Service.\n\n\n## Recommendation\n\nUpgrade to version 4.1.11 or higher.",
"id": "GHSA-wxhq-pm8v-cw75",
"modified": "2020-08-31T18:35:40Z",
"published": "2019-06-05T20:50:16Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/jakubpawlowicz/clean-css/commit/2929bafbf8cdf7dccb24e0949c70833764fa87e3"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/advisories/785"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Regular Expression Denial of Service in clean-css"
}
GHSA-X2V6-6Q9M-6QX9
Vulnerability from github – Published: 2023-09-29 09:30 – Updated: 2024-04-04 07:58An input validation issue in the asset proxy in GitLab EE, affecting all versions from 12.3 prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.1, allowed an authenticated attacker to craft image urls which bypass the asset proxy.
{
"affected": [],
"aliases": [
"CVE-2023-3906"
],
"database_specific": {
"cwe_ids": [
"CWE-1287",
"CWE-1333",
"CWE-20"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-09-29T07:15:13Z",
"severity": "LOW"
},
"details": "An input validation issue in the asset proxy in GitLab EE, affecting all versions from 12.3 prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.1, allowed an authenticated attacker to craft image urls which bypass the asset proxy.",
"id": "GHSA-x2v6-6q9m-6qx9",
"modified": "2024-04-04T07:58:08Z",
"published": "2023-09-29T09:30:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3906"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/2071411"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/419213"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-X38Q-XG2H-RXGX
Vulnerability from github – Published: 2021-09-23 23:14 – Updated: 2024-09-27 21:45Leo Editor v6.2.1 was discovered to contain a regular expression denial of service (ReDoS) vulnerability in the component plugins/importers/dart.py.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 6.2.1"
},
"package": {
"ecosystem": "PyPI",
"name": "leo"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-23478"
],
"database_specific": {
"cwe_ids": [
"CWE-1333",
"CWE-697"
],
"github_reviewed": true,
"github_reviewed_at": "2021-09-23T16:37:27Z",
"nvd_published_at": "2021-09-22T20:15:00Z",
"severity": "HIGH"
},
"details": "Leo Editor v6.2.1 was discovered to contain a regular expression denial of service (ReDoS) vulnerability in the component plugins/importers/dart.py.",
"id": "GHSA-x38q-xg2h-rxgx",
"modified": "2024-09-27T21:45:23Z",
"published": "2021-09-23T23:14:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-23478"
},
{
"type": "WEB",
"url": "https://github.com/leo-editor/leo-editor/issues/1597"
},
{
"type": "WEB",
"url": "https://github.com/leo-editor/leo-editor/commit/029833689060ee73f1bc1708cf4b182f0c66ec8e"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-x38q-xg2h-rxgx"
},
{
"type": "WEB",
"url": "https://github.com/leo-editor/leo-editor"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/leo/PYSEC-2021-338.yaml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Regular Expression Denial of Service in Leo Editor"
}
GHSA-X3V3-8XG8-8V72
Vulnerability from github – Published: 2023-12-18 20:00 – Updated: 2023-12-28 22:03Impact
A ReDoS (Regular expression Denial of Service) vulnerability has been identified in Sentry's Astro SDK 7.78.0-7.86.0. Under certain conditions, this vulnerability allows an attacker to cause excessive computation times on the server, leading to denial of service (DoS).
Applications that are using Sentry's Astro SDK are affected if:
- They're using Sentry instrumentation:
- they have manually registered Sentry Middleware (affected versions 7.78.0-7.86.0);
- or configured Astro in SSR (server) or hybrid mode, use Astro 3.5.0 and newer and didn’t disable the automatic server instrumentation (affected versions 7.82.0-7.86.0).
- They have configured routes with at least two path params (e.g.
/foo/[p1]/bar/[p2]).
Patches
The problem has been patched in @sentry/astro@7.87.0. The corresponding PR: https://github.com/getsentry/sentry-javascript/pull/9815
Workarounds
We strongly recommend upgrading to the latest SDK version. However, if it's not possible, the steps to mitigate the vulnerability without upgrade are: * disable auto instrumentation if you're using Astro 3.5.0 or newer * and remove the manually added Sentry middleware (if it was added before).
After these changes, Sentry error reporting will still be functional, but some details such as server-side transactions (and consequently, distributed traces between client and server) will be omitted. We therefore still recommend to update to 7.87.0 as soon as you can.
References
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@sentry/astro"
},
"ranges": [
{
"events": [
{
"introduced": "7.78.0"
},
{
"fixed": "7.87.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-50249"
],
"database_specific": {
"cwe_ids": [
"CWE-1333",
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2023-12-18T20:00:55Z",
"nvd_published_at": "2023-12-20T14:15:21Z",
"severity": "HIGH"
},
"details": "### Impact\nA ReDoS (Regular expression Denial of Service) vulnerability has been identified in Sentry\u0027s Astro SDK 7.78.0-7.86.0. Under certain conditions, this vulnerability allows an attacker to cause excessive computation times on the server, leading to denial of service (DoS).\n\nApplications that are using Sentry\u0027s Astro SDK are affected if:\n\n1. They\u0027re using Sentry instrumentation:\n - they have [manually registered](https://docs.sentry.io/platforms/javascript/guides/astro/manual-setup/#manually-add-server-instrumentation) Sentry Middleware (affected versions 7.78.0-7.86.0);\n - or [configured](https://docs.sentry.io/platforms/javascript/guides/astro/manual-setup/#configure-server-instrumentation) Astro in SSR (server) or hybrid mode, use Astro 3.5.0 and newer and didn\u2019t [disable the automatic server instrumentation](https://docs.sentry.io/platforms/javascript/guides/astro/manual-setup/#disable-auto-server-instrumentation) (affected versions 7.82.0-7.86.0).\n2. They have configured routes with at least two path params (e.g. `/foo/[p1]/bar/[p2]`).\n\n### Patches\nThe problem has been patched in [@sentry/astro@7.87.0](https://www.npmjs.com/package/@sentry/astro/v/7.87.0).\nThe corresponding PR: https://github.com/getsentry/sentry-javascript/pull/9815\n\n### Workarounds\nWe strongly recommend upgrading to the latest SDK version. However, if it\u0027s not possible, the steps to mitigate the vulnerability without upgrade are:\n* [disable auto instrumentation](https://docs.sentry.io/platforms/javascript/guides/astro/manual-setup/#disable-auto-server-instrumentation) if you\u0027re using Astro 3.5.0 or newer\n* and remove the manually added Sentry middleware (if it was [added](https://docs.sentry.io/platforms/javascript/guides/astro/manual-setup/#manually-add-server-instrumentation) before).\n\nAfter these changes, Sentry error reporting will still be functional, but some details such as server-side transactions (and consequently, distributed traces between client and server) will be omitted. We therefore still recommend to update to 7.87.0 as soon as you can. \n\n### References\n* [Sentry docs: Manual Setup for Astro](https://docs.sentry.io/platforms/javascript/guides/astro/manual-setup/)\n* [Release notes: sentry-javascript 7.87.0](https://github.com/getsentry/sentry-javascript/releases/tag/7.87.0)\n* [npm: @sentry/astro@7.87.0](https://www.npmjs.com/package/@sentry/astro/v/7.87.0)",
"id": "GHSA-x3v3-8xg8-8v72",
"modified": "2023-12-28T22:03:19Z",
"published": "2023-12-18T20:00:55Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/getsentry/sentry-javascript/security/advisories/GHSA-x3v3-8xg8-8v72"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50249"
},
{
"type": "WEB",
"url": "https://github.com/getsentry/sentry-javascript/pull/9815"
},
{
"type": "WEB",
"url": "https://github.com/getsentry/sentry-javascript/commit/fe24eb5eefa9d27b14b2b6f9ebd1debca1c208fb"
},
{
"type": "WEB",
"url": "https://docs.sentry.io/platforms/javascript/guides/astro/manual-setup/#disable-auto-server-instrumentation"
},
{
"type": "PACKAGE",
"url": "https://github.com/getsentry/sentry-javascript"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/package/@sentry/astro/v/7.87.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Sentry\u0027s Astro SDK vulnerable to ReDoS"
}
Mitigation
Use regular expressions that do not support backtracking, e.g. by removing nested quantifiers.
Mitigation
Set backtracking limits in the configuration of the regular expression implementation, such as PHP's pcre.backtrack_limit. Also consider limits on execution time for the process.
Mitigation
Do not use regular expressions with untrusted input. If regular expressions must be used, avoid using backtracking in the expression.
Mitigation
Limit the length of the input that the regular expression will process.
CAPEC-492: Regular Expression Exponential Blowup
An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions.