FKIE_CVE-2026-21868

Vulnerability from fkie_nvd - Published: 2026-01-08 01:15 - Updated: 2026-01-20 18:47
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
Flag Forge is a Capture The Flag (CTF) platform. Versions 2.3.2 and below have a Regular Expression Denial of Service (ReDoS) vulnerability in the user profile API endpoint (/api/user/[username]). The application constructs a regular expression dynamically using unescaped user input (the username parameter). An attacker can exploit this by sending a specially crafted username containing regex meta-characters (e.g., deeply nested groups or quantifiers), causing the MongoDB regex engine to consume excessive CPU resources. This can lead to Denial of Service for other users. The issue is fixed in version 2.3.3. To workaround this issue, implement a Web Application Firewall (WAF) rule to block requests containing regex meta-characters in the URL path.
References
security-advisories@github.comhttps://github.com/FlagForgeCTF/flagForge/security/advisories/GHSA-949h-9824-xmcxVendor Advisory
Impacted products
Vendor Product Version
flagforge flagforge *
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:flagforge:flagforge:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "FF98A9BF-17BE-4FBF-9D72-725005A165C8",
              "versionEndExcluding": "2.3.3",
              "versionStartIncluding": "2.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Flag Forge is a Capture The Flag (CTF) platform. Versions 2.3.2 and below have a Regular Expression Denial of Service (ReDoS) vulnerability in the user profile API endpoint (/api/user/[username]). The application constructs a regular expression dynamically using unescaped user input (the username parameter). An attacker can exploit this by sending a specially crafted username containing regex meta-characters (e.g., deeply nested groups or quantifiers), causing the MongoDB regex engine to consume excessive CPU resources. This can lead to Denial of Service for other users. The issue is fixed in version 2.3.3. To workaround this issue, implement a Web Application Firewall (WAF) rule to block requests containing regex meta-characters in the URL path."
    },
    {
      "lang": "es",
      "value": "Flag Forge es una plataforma de Capture The Flag (CTF). Las versiones 2.3.2 e inferiores tienen una vulnerabilidad de denegaci\u00f3n de servicio por expresi\u00f3n regular (ReDoS) en el endpoint de la API de perfil de usuario (/api/user/[username]). La aplicaci\u00f3n construye una expresi\u00f3n regular din\u00e1micamente utilizando entrada de usuario sin escapar (el par\u00e1metro username). Un atacante puede explotar esto enviando un nombre de usuario especialmente dise\u00f1ado que contenga metacaracteres de regex (p. ej., grupos anidados profundamente o cuantificadores), lo que provoca que el motor de regex de MongoDB consuma recursos excesivos de CPU. Esto puede llevar a la denegaci\u00f3n de servicio para otros usuarios. El problema est\u00e1 solucionado en la versi\u00f3n 2.3.3. Como soluci\u00f3n alternativa a este problema, implemente una regla de cortafuegos de aplicaciones web (WAF) para bloquear las solicitudes que contengan metacaracteres de regex en la ruta URL."
    }
  ],
  "id": "CVE-2026-21868",
  "lastModified": "2026-01-20T18:47:56.220",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-01-08T01:15:55.483",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/FlagForgeCTF/flagForge/security/advisories/GHSA-949h-9824-xmcx"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-1333"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.