Common Weakness Enumeration

CWE-1333

Allowed

Inefficient Regular Expression Complexity

Abstraction: Base · Status: Draft

The product uses a regular expression with a worst-case computational complexity that is inefficient and possibly exponential.

725 vulnerabilities reference this CWE, most recent first.

GHSA-X4C5-C7RF-JJGV

Vulnerability from github – Published: 2025-02-14 17:56 – Updated: 2026-02-17 16:11
VLAI
Summary
@octokit/endpoint has a Regular Expression in parse that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking
Details

Summary

By crafting specific options parameters, the endpoint.parse(options) call can be triggered, leading to a regular expression denial-of-service (ReDoS) attack. This causes the program to hang and results in high CPU utilization.

Details

The issue occurs in the parse function within the parse.ts file of the npm package @octokit/endpoint. The specific code is located at the following link: https://github.com/octokit/endpoint.js/blob/main/src/parse.ts, at line 62:

headers.accept.match(/[\w-]+(?=-preview)/g) || ([] as string[]);

The regular expression /[\w-]+(?=-preview)/g encounters a backtracking issue when it processes a large number of characters followed by the - symbol. e.g., the attack string:

"" + "A".repeat(100000) + "-"

PoC

The gist Here is the reproduction process for the vulnerability: 1. run npm i @octokit/endpoint 2. Move poc.js to the root directory of the same level as README.md 3. run node poc.js result: 4. then the program will be stuck forever with high CPU usage

import { endpoint } from "@octokit/endpoint";
// import { parse } from "./node_modules/@octokit/endpoint/dist-src/parse.js";
const options = {  
  method: "POST",
  url: "/graphql", // Ensure that the URL ends with "/graphql"
  headers: {
    accept: "" + "A".repeat(100000) + "-", // Pass in the attack string
    "content-type": "text/plain",
  },
  mediaType: {
    previews: ["test-preview"], // Ensure that mediaType.previews exists and has values
    format: "raw", // Optional media format
  },
  baseUrl: "https://api.github.com",
};

const startTime = performance.now();
endpoint.parse(options);
const endTime = performance.now();
const duration = endTime - startTime;
console.log(`Endpoint execution time: ${duration} ms`);
  1. Import the endpoint module: First, import the endpoint module from the npm package @octokit/endpoint, which is used for handling GitHub API requests.

  2. Construct the options object that triggers a ReDoS attack: The following member variables are critical in constructing the options object:

  3. url: Set to "/graphql", ensuring the URL ends with /graphql to match the format for GitHub's GraphQL API.
  4. headers:

    accept: A long attack string is crafted with "A".repeat(100000) + "-", which will be passed to the regular expression and cause a backtracking attack (ReDoS).

  5. mediaType:

    previews: Set to ["test-preview"], ensuring mediaType.previews exists and has values.

    format: Set to "raw", indicating raw data format.

  6. Call the endpoint.parse(options) function and record the time: Call the endpoint.parse(options) function and use performance.now() to record the start and end times, measuring the execution duration.

  7. Calculate the time difference and output it: Compute the difference between the start and end times and output it using console.log. When the attack string length reaches 100000, the response time typically exceeds 10000 milliseconds, satisfying the characteristic condition for a ReDoS attack, where response times dramatically increase. 2

Impact

What kind of vulnerability is it?

This is a Regular Expression Denial of Service (ReDoS) vulnerability. It arises from inefficient regular expressions that can cause excessive backtracking when processing certain inputs. Specifically, the regular expression /[\w-]+(?=-preview)/g is vulnerable because it attempts to match long strings of characters followed by a hyphen (-), which leads to inefficient backtracking when provided with specially crafted attack strings. This backtracking results in high CPU utilization, causing the application to become unresponsive and denying service to legitimate users.

Who is impacted?

This vulnerability impacts any application that uses the affected regular expression in conjunction with user-controlled inputs, particularly where large or maliciously crafted strings can trigger excessive backtracking. In addition to directly affecting applications using the @octokit/endpoint package, the impact is more widespread because @octokit/endpoint is a library used to wrap REST APIs, including GitHub's API. This means that any system or service built on top of this library that interacts with GitHub or other REST APIs could be vulnerable. Given the extensive use of this package in API communication, the potential for exploitation is broad and serious. The vulnerability could affect a wide range of applications, from small integrations to large enterprise-level systems, especially those relying on the package to handle API requests. Attackers can exploit this vulnerability to cause performance degradation, downtime, and service disruption, making it a critical issue for anyone using the affected version of @octokit/endpoint.

Solution

To resolve the ReDoS vulnerability, the regular expression should be updated to avoid excessive backtracking. By modifying the regular expression to (?<![\w-])[\w-]+(?=-preview), we prevent the issue. Here is how this change solves the problem:

  1. Old Regular Expression: /[\w-]+(?=-preview)/g
  2. This regular expression matches any sequence of word characters (\w) and hyphens (-) followed by -preview.
  3. The issue arises when the regex engine encounters a long string of characters followed by a -, causing excessive backtracking and high CPU usage.
  4. New Regular Expression: (?<![\w-])[\w-]+(?=-preview)
  5. This updated regular expression uses a negative lookbehind (?<![\w-]), ensuring that the matched string is not preceded by any word characters or hyphens (\w or -).
  6. The new expression still matches sequences of word characters and hyphens, but the negative lookbehind ensures it doesn't cause backtracking issues when processing long attack strings.
  7. By adding this lookbehind, we effectively prevent the vulnerability, ensuring the regex operates efficiently without excessive backtracking.

Full Solution Example:

The specific code is located at the following link: https://github.com/octokit/endpoint.js/blob/main/src/parse.ts, at line 62: 1. Update the Regular Expression: In the parse.ts file (or wherever the original regex is defined), replace the existing regular expression:

const previewsFromAcceptHeader =
          headers.accept.match(/[\w-]+(?=-preview)/g) || ([] as string[]);

With the updated one:

const previewsFromAcceptHeader =
          headers.accept.match(/(?<![\w-])[\w-]+(?=-preview)/g) || ([] as string[]);
  1. Test the Change: After updating the regular expression, thoroughly test the application with both regular and malicious inputs to ensure that:
  2. The functionality remains correct and the expected matches still occur.
  3. The performance improves and the ReDoS vulnerability no longer occurs when handling large attack strings.
  4. Deploy the Fix: Once the solution is verified, deploy the fix to your production environment to protect against potential attacks.
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@octokit/endpoint"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "9.0.5"
            },
            {
              "fixed": "9.0.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@octokit/endpoint"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "10.0.0"
            },
            {
              "fixed": "10.1.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-25285"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-02-14T17:56:18Z",
    "nvd_published_at": "2025-02-14T20:15:34Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nBy crafting specific `options` parameters, the `endpoint.parse(options)` call can be triggered, leading to a regular expression denial-of-service (ReDoS) attack. This causes the program to hang and results in high CPU utilization.\n\n### Details\nThe issue occurs in the `parse` function within the `parse.ts` file of the npm package `@octokit/endpoint`. The specific code is located at the following link: https://github.com/octokit/endpoint.js/blob/main/src/parse.ts, at line 62:\n```ts\nheaders.accept.match(/[\\w-]+(?=-preview)/g) || ([] as string[]);\n```\nThe regular expression `/[\\w-]+(?=-preview)/g` encounters a backtracking issue when it processes `a large number of characters` followed by the `-` symbol.\ne.g., the attack string: \n```js\n\"\" + \"A\".repeat(100000) + \"-\"\n```\n\n### PoC\n[The gist](https://gist.github.com/ShiyuBanzhou/a17202ac1ad403a80ca302466d5e56c4)\nHere is the reproduction process for the vulnerability:\n1. run `npm i @octokit/endpoint`\n2. Move `poc.js` to the root directory of the same level as `README.md`\n3. run `node poc.js`\nresult:\n4. then the program will be stuck forever with high CPU usage\n```js\nimport { endpoint } from \"@octokit/endpoint\";\n// import { parse } from \"./node_modules/@octokit/endpoint/dist-src/parse.js\";\nconst options = {  \n  method: \"POST\",\n  url: \"/graphql\", // Ensure that the URL ends with \"/graphql\"\n  headers: {\n    accept: \"\" + \"A\".repeat(100000) + \"-\", // Pass in the attack string\n    \"content-type\": \"text/plain\",\n  },\n  mediaType: {\n    previews: [\"test-preview\"], // Ensure that mediaType.previews exists and has values\n    format: \"raw\", // Optional media format\n  },\n  baseUrl: \"https://api.github.com\",\n};\n\nconst startTime = performance.now();\nendpoint.parse(options);\nconst endTime = performance.now();\nconst duration = endTime - startTime;\nconsole.log(`Endpoint execution time: ${duration} ms`);\n```\n1. **Import the `endpoint` module**: First, import the `endpoint` module from the npm package `@octokit/endpoint`, which is used for handling GitHub API requests.\n\n2. **Construct the `options` object that triggers a ReDoS attack**: The following member variables are critical in constructing the `options` object:\n- `url`: Set to `\"/graphql\"`, ensuring the URL ends with `/graphql` to match the format for GitHub\u0027s GraphQL API.\n- `headers`:\n\u003e `accept`: A long attack string is crafted with `\"A\".repeat(100000) + \"-\"`, which will be passed to the regular expression and cause a backtracking attack (ReDoS).\n\u003e \n- `mediaType`:\n\u003e`previews`: Set to `[\"test-preview\"]`, ensuring `mediaType.previews` exists and has values.\n\u003e\n\u003e`format`: Set to `\"raw\"`, indicating raw data format.\n\n3. **Call the `endpoint.parse(options)` function and record the time**: Call the `endpoint.parse(options)` function and use `performance.now()` to record the start and end times, measuring the execution duration.\n\n4. **Calculate the time difference and output it**: Compute the difference between the start and end times and output it using `console.log`. When the attack string length reaches 100000, the response time typically exceeds 10000 milliseconds, satisfying the characteristic condition for a ReDoS attack, where response times dramatically increase.\n\u003cimg width=\"800\" alt=\"2\" src=\"https://github.com/user-attachments/assets/9fc865a4-e150-42d5-bcd5-93ab6b0c29ef\" /\u003e\n\n### Impact\n#### What kind of vulnerability is it?\nThis is a **Regular Expression Denial of Service (ReDoS)** vulnerability. It arises from inefficient regular expressions that can cause excessive backtracking when processing certain inputs. Specifically, the regular expression `/[\\w-]+(?=-preview)/g` is vulnerable because it attempts to match long strings of characters followed by a hyphen (`-`), which leads to inefficient backtracking when provided with specially crafted attack strings. This backtracking results in high CPU utilization, causing the application to become unresponsive and denying service to legitimate users.\n#### Who is impacted?\nThis vulnerability impacts any application that uses the affected regular expression in conjunction with user-controlled inputs, particularly where large or maliciously crafted strings can trigger excessive backtracking.\nIn addition to directly affecting applications using the `@octokit/endpoint` package, the impact is more widespread because `@octokit/endpoint` is a library used to wrap REST APIs, including GitHub\u0027s API. This means that any system or service built on top of this library that interacts with GitHub or other REST APIs could be vulnerable. Given the extensive use of this package in API communication, the potential for exploitation is broad and serious. The vulnerability could affect a wide range of applications, from small integrations to large enterprise-level systems, especially those relying on the package to handle API requests.\nAttackers can exploit this vulnerability to cause performance degradation, downtime, and service disruption, making it a critical issue for anyone using the affected version of `@octokit/endpoint`.\n\n### Solution\nTo resolve the ReDoS vulnerability, the regular expression should be updated to avoid excessive backtracking. By modifying the regular expression to `(?\u003c![\\w-])[\\w-]+(?=-preview)`, we prevent the issue.\nHere is how this change solves the problem:\n\n1. **Old Regular Expression**: `/[\\w-]+(?=-preview)/g`\n- This regular expression matches any sequence of word characters (`\\w`) and hyphens (`-`) followed by `-preview`.\n- The issue arises when the regex engine encounters a long string of characters followed by a `-`, causing excessive backtracking and high CPU usage.\n2. **New Regular Expression**: `(?\u003c![\\w-])[\\w-]+(?=-preview)`\n- This updated regular expression uses a negative lookbehind `(?\u003c![\\w-])`, ensuring that the matched string is not preceded by any word characters or hyphens (`\\w` or `-`).\n- The new expression still matches sequences of word characters and hyphens, but the negative lookbehind ensures it doesn\u0027t cause backtracking issues when processing long attack strings.\n- By adding this lookbehind, we effectively prevent the vulnerability, ensuring the regex operates efficiently without excessive backtracking.\n\n#### Full Solution Example:\nThe specific code is located at the following link: https://github.com/octokit/endpoint.js/blob/main/src/parse.ts, at line 62:\n1. **Update the Regular Expression**: In the `parse.ts` file (or wherever the original regex is defined), replace the existing regular expression:\n```ts\nconst previewsFromAcceptHeader =\n          headers.accept.match(/[\\w-]+(?=-preview)/g) || ([] as string[]);\n```\nWith the updated one:\n```ts\nconst previewsFromAcceptHeader =\n          headers.accept.match(/(?\u003c![\\w-])[\\w-]+(?=-preview)/g) || ([] as string[]);\n```\n\n2. **Test the Change**: After updating the regular expression, thoroughly test the application with both regular and malicious inputs to ensure that:\n- The functionality remains correct and the expected matches still occur.\n- The performance improves and the ReDoS vulnerability no longer occurs when handling large attack strings.\n3. **Deploy the Fix**: Once the solution is verified, deploy the fix to your production environment to protect against potential attacks.",
  "id": "GHSA-x4c5-c7rf-jjgv",
  "modified": "2026-02-17T16:11:00Z",
  "published": "2025-02-14T17:56:18Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/octokit/endpoint.js/security/advisories/GHSA-x4c5-c7rf-jjgv"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-25285"
    },
    {
      "type": "WEB",
      "url": "https://github.com/octokit/endpoint.js/commit/6c9c5be033c450d436efb37de41b6470c22f7db8"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/octokit/endpoint.js"
    },
    {
      "type": "WEB",
      "url": "https://github.com/octokit/endpoint.js/blob/main/src/parse.ts"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "@octokit/endpoint has a Regular Expression in parse that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking"
}

GHSA-X4HG-HFWF-P9MW

Vulnerability from github – Published: 2026-07-02 20:20 – Updated: 2026-07-02 20:20
VLAI
Summary
@asymmetric-effort/nogginlessdom vulnerable to ReDoS via user-controlled regex in HTMLInputElement pattern validation
Details

Summary

The HTMLInputElement.checkValidity() method constructed a RegExp directly from the user-controlled pattern property without any sanitization or timeout protection. This allowed an attacker to inject a regex with catastrophic backtracking, freezing the event loop.

Fix

Fixed in commit https://github.com/asymmetric-effort/NogginLessDom/commit/25a3cbac665fae5663f8b71c073b80c3152dbe7b on main. Added: - Pattern length limit (1024 characters) - Nested quantifier detection (hasNestedQuantifiers) that rejects patterns like (a+)+ before constructing the regex - Patterns exceeding limits are treated as non-matching (safe default)

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.0.21"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@asymmetric-effort/nogginlessdom"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.0.22"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-07-02T20:20:04Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nThe `HTMLInputElement.checkValidity()` method constructed a `RegExp` directly from the user-controlled `pattern` property without any sanitization or timeout protection. This allowed an attacker to inject a regex with catastrophic backtracking, freezing the event loop.\n\n## Fix\n\nFixed in commit https://github.com/asymmetric-effort/NogginLessDom/commit/25a3cbac665fae5663f8b71c073b80c3152dbe7b on `main`. Added:\n- Pattern length limit (1024 characters)\n- Nested quantifier detection (`hasNestedQuantifiers`) that rejects patterns like `(a+)+` before constructing the regex\n- Patterns exceeding limits are treated as non-matching (safe default)",
  "id": "GHSA-x4hg-hfwf-p9mw",
  "modified": "2026-07-02T20:20:04Z",
  "published": "2026-07-02T20:20:04Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/asymmetric-effort/NogginLessDom/security/advisories/GHSA-x4hg-hfwf-p9mw"
    },
    {
      "type": "WEB",
      "url": "https://github.com/asymmetric-effort/NogginLessDom/commit/25a3cbac665fae5663f8b71c073b80c3152dbe7b"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/asymmetric-effort/NogginLessDom"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "@asymmetric-effort/nogginlessdom vulnerable to ReDoS via user-controlled regex in HTMLInputElement pattern validation"
}

GHSA-X55W-VJJP-222R

Vulnerability from github – Published: 2021-09-29 17:12 – Updated: 2022-08-10 23:43
VLAI
Summary
inflect vulnerable to Inefficient Regular Expression Complexity
Details

inflect is customizable inflections for nodejs. inflect is vulnerable to Inefficient Regular Expression Complexity

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "i"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.3.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-3820"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-09-28T19:27:17Z",
    "nvd_published_at": "2021-09-27T13:15:00Z",
    "severity": "HIGH"
  },
  "details": "inflect is customizable inflections for nodejs. inflect is vulnerable to Inefficient Regular Expression Complexity",
  "id": "GHSA-x55w-vjjp-222r",
  "modified": "2022-08-10T23:43:58Z",
  "published": "2021-09-29T17:12:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3820"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pksunkara/inflect/commit/a9a0a8e9561c3487854c7cae42565d9652ec858b"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/pksunkara/inflect"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/4612b31a-072b-4f61-a916-c7e4cbc2042a"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "inflect vulnerable to Inefficient Regular Expression Complexity"
}

GHSA-X5CV-MQXQ-8Q96

Vulnerability from github – Published: 2023-05-05 00:30 – Updated: 2024-04-04 03:49
VLAI
Details

A Regular Expression Denial of Service (ReDoS) issue was discovered in Puppet Server 7.9.2 certificate validation. An issue related to specifically crafted certificate names significantly slowed down server operations.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-1894"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-05-04T23:15:08Z",
    "severity": "MODERATE"
  },
  "details": "A Regular Expression Denial of Service (ReDoS) issue was discovered in Puppet Server 7.9.2 certificate validation. An issue related to specifically crafted certificate names significantly slowed down server operations.",
  "id": "GHSA-x5cv-mqxq-8q96",
  "modified": "2024-04-04T03:49:17Z",
  "published": "2023-05-05T00:30:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1894"
    },
    {
      "type": "WEB",
      "url": "https://www.puppet.com/security/cve/cve-2023-1894-puppet-server-redos"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X5GF-QVW8-R2RM

Vulnerability from github – Published: 2025-06-09 21:30 – Updated: 2026-05-20 02:06
VLAI
Summary
pm2 Regular Expression Denial of Service vulnerability
Details

A vulnerability classified as problematic was found in Unitech pm2 prior to 7.0.0. This vulnerability affects unknown code of the file /lib/tools/Config.js. The manipulation leads to inefficient regular expression complexity. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "pm2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "7.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-5891"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333",
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-06-10T22:52:17Z",
    "nvd_published_at": "2025-06-09T19:15:25Z",
    "severity": "LOW"
  },
  "details": "A vulnerability classified as problematic was found in Unitech pm2 prior to 7.0.0. This vulnerability affects unknown code of the file /lib/tools/Config.js. The manipulation leads to inefficient regular expression complexity. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.",
  "id": "GHSA-x5gf-qvw8-r2rm",
  "modified": "2026-05-20T02:06:26Z",
  "published": "2025-06-09T21:30:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-5891"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Unitech/pm2/issues/6075"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Unitech/pm2/pull/5971"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Unitech/pm2/commit/8b9354800a1d157cb9503a3ec414ef1e4700dc1c"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/mmmsssttt404/407e2ffe3e0eaa393ad923a86316a385"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Unitech/pm2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Unitech/pm2/blob/ba62cae9b9b7116ee758b70f538919a52515fa26/CHANGELOG.md?plain=1#L36"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Unitech/pm2/releases/tag/v7.0.0"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.311662"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.311662"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.585750"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "pm2 Regular Expression Denial of Service vulnerability"
}

GHSA-X6FG-F45M-JF5Q

Vulnerability from github – Published: 2017-10-24 18:33 – Updated: 2026-03-03 20:03
VLAI
Summary
Regular Expression Denial of Service in semver
Details

Versions 4.3.1 and earlier of semver are affected by a regular expression denial of service vulnerability when extremely long version strings are parsed.

Recommendation

Update to version 4.3.2 or later

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "semver"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.0.4"
            },
            {
              "fixed": "4.3.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2015-8855"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T22:02:25Z",
    "nvd_published_at": "2017-01-23T21:59:00Z",
    "severity": "HIGH"
  },
  "details": "Versions 4.3.1 and earlier of `semver` are affected by a regular expression denial of service vulnerability when extremely long version strings are parsed.\n\n\n\n## Recommendation\n\nUpdate to version 4.3.2 or later",
  "id": "GHSA-x6fg-f45m-jf5q",
  "modified": "2026-03-03T20:03:27Z",
  "published": "2017-10-24T18:33:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-8855"
    },
    {
      "type": "WEB",
      "url": "https://github.com/github/advisory-database/pull/7102"
    },
    {
      "type": "WEB",
      "url": "https://github.com/npm/node-semver/commit/5c4c9f6e26c7052a42b5ced2a7481c5c9b4363a0"
    },
    {
      "type": "WEB",
      "url": "https://github.com/npm/node-semver/commit/c80180d8341a8ada0236815c29a2be59864afd70"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-x6fg-f45m-jf5q"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/npm/node-semver"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/advisories/31"
    },
    {
      "type": "WEB",
      "url": "https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2016/04/20/11"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/86957"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Regular Expression Denial of Service in semver"
}

GHSA-XFFM-G5W8-QVG7

Vulnerability from github – Published: 2025-07-18 20:39 – Updated: 2025-07-28 17:34
VLAI
Summary
@eslint/plugin-kit is vulnerable to Regular Expression Denial of Service attacks through ConfigCommentParser
Details

Summary

The ConfigCommentParser#parseJSONLikeConfig API is vulnerable to a Regular Expression Denial of Service (ReDoS) attack in its only argument.

Details

The regular expression at packages/plugin-kit/src/config-comment-parser.js:158 is vulnerable to a quadratic runtime attack because the grouped expression is not anchored. This can be solved by prepending the regular expression with [^-a-zA-Z0-9/].

PoC

const { ConfigCommentParser } = require("@eslint/plugin-kit");

const str = `${"A".repeat(1000000)}?: 1 B: 2`;

console.log("start")
var parser = new ConfigCommentParser();
console.log(parser.parseJSONLikeConfig(str));
console.log("end")

// run `npm i @eslint/plugin-kit@0.3.3` and `node attack.js`
// then the program will stuck forever with high CPU usage

Impact

This is a Regular Expression Denial of Service attack which may lead to blocking execution and high CPU usage.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@eslint/plugin-kit"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.3.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-07-18T20:39:12Z",
    "nvd_published_at": null,
    "severity": "LOW"
  },
  "details": "### Summary\n\nThe `ConfigCommentParser#parseJSONLikeConfig` API is vulnerable to a Regular Expression Denial of Service (ReDoS) attack in its only argument.\n\n### Details\n\nThe regular expression at [packages/plugin-kit/src/config-comment-parser.js:158](https://github.com/eslint/rewrite/blob/bd4bf23c59f0e4886df671cdebd5abaeb1e0d916/packages/plugin-kit/src/config-comment-parser.js#L158) is vulnerable to a quadratic runtime attack because the grouped expression is not anchored. This can be solved by prepending the regular expression with `[^-a-zA-Z0-9/]`.\n\n### PoC\n\n```javascript\nconst { ConfigCommentParser } = require(\"@eslint/plugin-kit\");\n\nconst str = `${\"A\".repeat(1000000)}?: 1 B: 2`;\n\nconsole.log(\"start\")\nvar parser = new ConfigCommentParser();\nconsole.log(parser.parseJSONLikeConfig(str));\nconsole.log(\"end\")\n\n// run `npm i @eslint/plugin-kit@0.3.3` and `node attack.js`\n// then the program will stuck forever with high CPU usage\n```\n\n### Impact\n\nThis is a Regular Expression Denial of Service attack which may lead to blocking execution and high CPU usage.",
  "id": "GHSA-xffm-g5w8-qvg7",
  "modified": "2025-07-28T17:34:44Z",
  "published": "2025-07-18T20:39:12Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/eslint/rewrite/security/advisories/GHSA-xffm-g5w8-qvg7"
    },
    {
      "type": "WEB",
      "url": "https://github.com/eslint/rewrite/commit/b283f64099ad6c6b5043387c091691d21b387805"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/eslint/rewrite"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "@eslint/plugin-kit is vulnerable to Regular Expression Denial of Service attacks through ConfigCommentParser"
}

GHSA-XH9H-692F-MMG4

Vulnerability from github – Published: 2025-08-20 03:30 – Updated: 2025-08-29 20:14
VLAI
Summary
Withdrawn Advisory: Microsoft Knack ReDoS Vulnerability in the Introspection Module
Details

Withdrawn Advisory

This advisory has been withdrawn because the attack surface of this vulnerability is outside of Knack's intended functionality. The maintainer states the following:

These CVEs are invalid. Knack is a CLI framework used by Azure CLI. It's a local library, not a web service. In addition, the regex is used to extract function and parameter docstrings from the source code. It is not used to match user input. Therefore, it does not expose any attack surface. There is no way to use it for ReDoS attack.

This link is maintained to preserve external references.

Original Description

Microsoft Knack 0.12.0 allows Regular expression Denial of Service (ReDoS) in the knack.introspection module (issue 2 of 2).

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "knack"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.12.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-54364"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-08-21T15:01:00Z",
    "nvd_published_at": "2025-08-20T03:15:35Z",
    "severity": "LOW"
  },
  "details": "### Withdrawn Advisory\nThis advisory has been withdrawn because the attack surface of this vulnerability is outside of Knack\u0027s intended functionality. The maintainer states the following:\n\n\u003e These CVEs are invalid. Knack is a CLI framework used by [Azure CLI](https://github.com/Azure/azure-cli). It\u0027s a local library, not a web service. In addition, the regex is used to extract function and parameter docstrings from the source code. It is not used to match user input. Therefore, it does not expose any attack surface. There is no way to use it for ReDoS attack.\n\nThis link is maintained to preserve external references.\n\n### Original Description\nMicrosoft Knack 0.12.0 allows Regular expression Denial of Service (ReDoS) in the knack.introspection module (issue 2 of 2).",
  "id": "GHSA-xh9h-692f-mmg4",
  "modified": "2025-08-29T20:14:37Z",
  "published": "2025-08-20T03:30:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54364"
    },
    {
      "type": "WEB",
      "url": "https://github.com/microsoft/knack/issues/281"
    },
    {
      "type": "WEB",
      "url": "https://github.com/microsoft/knack/issues/281#issuecomment-3218922941"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/microsoft/knack"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/microsoft-knack-python-package-regular-expression-dos"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Withdrawn Advisory: Microsoft Knack ReDoS Vulnerability in the Introspection Module",
  "withdrawn": "2025-08-29T20:14:37Z"
}

GHSA-XMC8-CJFR-PHX3

Vulnerability from github – Published: 2019-03-18 15:59 – Updated: 2021-09-21 22:36
VLAI
Summary
Regular Expression Denial of Service in highcharts
Details

Versions of highcharts prior to 6.1.0 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions. This can cause the application to be unresponsive leading to Denial of Service.

Recommendation

Upgrade to version 6.1.0 or higher.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "highcharts"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2018-20801"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T22:03:47Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "Versions of `highcharts` prior to 6.1.0 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions. This can cause the application to be unresponsive leading to Denial of Service.\n\n\n## Recommendation\n\nUpgrade to version 6.1.0 or higher.",
  "id": "GHSA-xmc8-cjfr-phx3",
  "modified": "2021-09-21T22:36:57Z",
  "published": "2019-03-18T15:59:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-20801"
    },
    {
      "type": "WEB",
      "url": "https://github.com/highcharts/highcharts/commit/7c547e1e0f5e4379f94396efd559a566668c0dfa"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-xmc8-cjfr-phx3"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/highcharts/highcharts"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20190715-0001"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/npm:highcharts:20180225"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/advisories/793"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Regular Expression Denial of Service in highcharts"
}

GHSA-XQ93-2HG3-RPJX

Vulnerability from github – Published: 2025-10-30 15:32 – Updated: 2025-10-30 15:32
VLAI
Details

Zohocorp ManageEngine Exchange Reporter Plus through 5721 are vulnerable to ReDOS vulnerability in the search module.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-5342"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333",
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-30T15:15:40Z",
    "severity": "MODERATE"
  },
  "details": "Zohocorp ManageEngine Exchange Reporter Plus through 5721 are vulnerable to ReDOS vulnerability in the search module.",
  "id": "GHSA-xq93-2hg3-rpjx",
  "modified": "2025-10-30T15:32:37Z",
  "published": "2025-10-30T15:32:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-5342"
    },
    {
      "type": "WEB",
      "url": "https://www.manageengine.com/products/exchange-reports/advisory/CVE-2025-5342.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Use regular expressions that do not support backtracking, e.g. by removing nested quantifiers.

Mitigation
System Configuration

Set backtracking limits in the configuration of the regular expression implementation, such as PHP's pcre.backtrack_limit. Also consider limits on execution time for the process.

Mitigation
Implementation

Do not use regular expressions with untrusted input. If regular expressions must be used, avoid using backtracking in the expression.

Mitigation
Implementation

Limit the length of the input that the regular expression will process.

CAPEC-492: Regular Expression Exponential Blowup

An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions.