Inefficient Regular Expression Complexity in TorBot
Description
Torbot is an open source tor network intelligence tool. In affected versions the torbot.modules.validators.validate_link function uses the python-validators URL validation regex. This particular regular expression has an exponential complexity which allows an attacker to cause an application crash using a well-crafted argument. An attacker can use a well-crafted URL argument to exploit the vulnerability in the regular expression and cause a Denial of Service on the system. The validators file has been removed in version 4.0.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2023-45813: A ReDoS vulnerability in Torbot's URL validation allows attackers to cause Denial of Service via a crafted URL.
Vulnerability Description
CVE-2023-45813 is a Regular Expression Denial of Service (ReDoS) vulnerability in Torbot, an open-source Tor network intelligence tool. The flaw exists in the torbot.modules.validators.validate_link function, which uses the python-validators library's URL validation regex. This regex exhibits exponential complexity, meaning that a carefully crafted input can cause the regex engine to consume excessive CPU time, leading to an application hang or crash [1].
Exploitation
An attacker can exploit this vulnerability by providing a well-crafted URL argument to the affected function. No authentication is required; the attack vector is remote, as Torbot likely processes user-supplied URLs during its operation. The malicious input triggers the exponential backtracking behavior in the regex, resulting in a Denial of Service condition against the system running Torbot [1].
Impact and Mitigation
Successful exploitation allows an attacker to cause a Denial of Service, potentially disrupting the Torbot tool's availability for intelligence-gathering tasks. The project maintainers removed the vulnerable validators.py file in version 4.0.0, as shown in the referencing commit [3]. Users are strongly advised to upgrade to version 4.0.0 or later. There are no known workarounds for this vulnerability [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
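For code that still needs a link check on untrusted input, one way to write `validate_link` without a backtracking regex is to bound the input length and validate the parsed parts with plain string operations. This is an added example, not TorBot's or python-validators' code; `MAX_URL_LENGTH`, `ALLOWED_SCHEMES` and the ASCII-only (punycode) hostname rule are assumed policy choices.

```python
# Added example: a validate_link that does no regex matching, so there is no backtracking.
# MAX_URL_LENGTH and ALLOWED_SCHEMES are assumed policy values, not TorBot settings.
import ipaddress
from urllib.parse import urlsplit

MAX_URL_LENGTH = 2048
ALLOWED_SCHEMES = frozenset({"http", "https"})
_LABEL_CHARS = frozenset("abcdefghijklmnopqrstuvwxyz0123456789-")


def _valid_hostname(host):
    """Check an IP literal or a DNS name label by label; work is linear in len(host)."""
    if not host or len(host) > 253:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        pass  # not an IP literal, fall through to DNS name rules
    if host.endswith("."):
        host = host[:-1]  # allow a single trailing root dot
    labels = host.split(".")
    if labels[-1].isdigit():
        return False  # all-numeric last label: a malformed IPv4 address, not a name
    for label in labels:
        if not 1 <= len(label) <= 63 or label[0] == "-" or label[-1] == "-":
            return False
        if not set(label) <= _LABEL_CHARS:
            return False
    return True


def validate_link(link):
    """Return True for an http(s) URL with a well-formed host and port, else False."""
    if not isinstance(link, str):
        return False
    if not link or len(link) > MAX_URL_LENGTH:
        return False  # cap the work an attacker-supplied string can cause
    if any(ch.isspace() or ord(ch) < 0x20 for ch in link):
        return False
    try:
        parts = urlsplit(link)
        host, _port = parts.hostname, parts.port  # .port raises ValueError if invalid
    except ValueError:
        return False
    if parts.scheme not in ALLOWED_SCHEMES:
        return False
    return host is not None and _valid_hostname(host)
```
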
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| torbot (PyPI) | < 4.0.0 | 4.0.0 |
Affected products
- (no CPE) range: < 4.0.0
- (no CPE) range: < 4.0.0
Patches
ef6e06bc7785 remove unused validators file
1 file changed · +0 −13
torbot/modules/validators.py+0 −13 removed@@ -1,13 +0,0 @@ -import validators - - -def validate_email(email): - if not isinstance(email, str): - return False - return validators.email(email) - - -def validate_link(link): - if not isinstance(link, str): - return False - return validators.url(link)
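Review bot: the deletion of validate_link and validate_email in torbot/modules/validators.py is the only change shown, so the diff does not show whether anything still imports this module or whether the third-party validators package (the `import validators` line) is still declared as a dependency. Suggest confirming that no callers of validate_link or validate_email remain, dropping the validators package from the dependency list if nothing else uses it, and saying in the commit message that the removal is security-relevant, since "remove unused validators file" gives no hint that validators.url was being called on caller-supplied strings.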
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-72qw-p7hh-m3ff (ghsa; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2023-45813 (ghsa; ADVISORY)
- gist.github.com/ikkebr/6041055314f1cfb8e65b2a1acbaae12c (ghsa; WEB)
- github.com/DedSecInside/TorBot/blob/d2b89192379ad033ffc7044efff26e16ccc02d5a/torbot/modules/validators.py (ghsa; WEB)
- github.com/DedSecInside/TorBot/commit/ef6e06bc7785355b1701d5524eb4550441086ac4 (ghsa; x_refsource_MISC; WEB)
- github.com/DedSecInside/TorBot/security/advisories/GHSA-72qw-p7hh-m3ff (ghsa; x_refsource_CONFIRM; WEB)