VYPR

CWE-1333

Inefficient Regular Expression Complexity

Abstraction: Base · Status: Draft · Likelihood: High

Description

The product uses a regular expression with a worst-case computational complexity that is inefficient and possibly exponential.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-492

CVEs mapped to this weakness (332)

page 1 of 17
  • CVE-2026-52778 · Critical · Jun 8, 2026
    risk 0.57 · cvss 9.8 · epss 0.01

    YesWiki is a wiki system written in PHP. Prior to version 4.6.6, an unsafe execution vulnerability exists in the Bazar form field calculator (CalcField.php) of YesWiki. The application attempts to sanitize user-defined mathematical formulas using a complex recursive regular…

  • CVE-2026-35458 · Critical · Apr 7, 2026
    risk 0.57 · cvss 9.8 · epss 0.01

    Gotenberg is an API for converting document formats. In 8.29.1 and earlier, Gotenberg uses dlclark/regexp2 to compile user-supplied scope patterns without setting a proper timeout. Users with access to features using this logic can hang workers indefinitely.

  • CVE-2025-6998 · High · Jul 24, 2025
    risk 0.57 · cvss n/a · epss 0.01

    ReDoS in strip_whitespaces() function in cps/string_helper.py in Calibre Web and Autocaliweb allows unauthenticated remote attackers to cause denial of service via specially crafted username parameter that triggers catastrophic backtracking during login. This issue affects…

  • CVE-2020-26310 · High · Oct 26, 2024
    risk 0.57 · cvss n/a · epss 0.00

    Validate.js provides a declarative way of validating javascript objects. All versions as of 30 November 2020 contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS). As of time of publication, it is unknown if any patches are…

  • CVE-2020-26307 · High · Oct 26, 2024
    risk 0.57 · cvss n/a · epss 0.00

    HTML2Markdown is a Javascript implementation for converting HTML to Markdown text. All available versions contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS). As of time of publication, no known patches are available.

  • CVE-2026-25547 · Critical · Feb 4, 2026
    risk 0.53 · cvss n/a · epss 0.00

    @isaacs/brace-expansion is a hybrid CJS/ESM TypeScript fork of brace-expansion. Prior to version 5.0.1, @isaacs/brace-expansion is vulnerable to a denial of service (DoS) issue caused by unbounded brace range expansion. When an attacker provides a pattern containing repeated…

  • CVE-2026-47138 · High · Jun 12, 2026
    risk 0.50 · cvss n/a · epss 0.01

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.77 and 9.9.1-alpha.1, an unauthenticated attacker who knows a publicly-known Parse Application ID can submit a single HTTP request whose client SDK…

  • CVE-2026-33079 · High · May 6, 2026
    risk 0.50 · cvss n/a · epss 0.00

    In versions 3.0.0a1 through 3.2.0 of Mistune, there is a ReDoS (Regular Expression Denial of Service) vulnerability in `LINK_TITLE_RE` that allows an attacker who can supply Markdown for parsing to cause denial of service. The regular expression used for parsing link titles…

  • CVE-2025-58451 · High · Sep 8, 2025
    risk 0.50 · cvss n/a · epss 0.00

    Cattown is a JavaScript markdown parser. Versions prior to 1.0.2 used regular expressions with inefficient, potentially exponential worst-case complexity. This could cause excessive CPU usage due to excessive backtracking on crafted inputs. In turn, the excessive CPU usage could…

  • CVE-2020-26309 · High · Oct 26, 2024
    risk 0.50 · cvss n/a · epss 0.00

    Validate.js provides a declarative way of validating javascript objects. Versions 0.11.3 and prior contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS). As of time of publication, it is unknown if any patches are available.

  • CVE-2020-26306 · High · Oct 26, 2024
    risk 0.50 · cvss n/a · epss 0.00

    Knwl.js is a Javascript library that parses through text for dates, times, phone numbers, emails, places, and more. Versions 1.0.2 and prior contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS). As of time of publication, no…

  • CVE-2026-8888 · High · Jun 3, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    Version 3.0.7 of the Securly Chrome Extension downloads config.json over HTTP and compiles server-provided patterns as JavaScript regular expressions via new RegExp() without complexity validation. An on-path attacker can inject specific patterns to cause catastrophic…

  • CVE-2026-9496 · High · May 26, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    Versions of the package pacote from 11.2.7 are vulnerable to Denial of Service (DoS) via the addGitSha function. An attacker can exploit this vulnerability by supplying a specially crafted spec.rawSpec value that triggers the function’s regex replacement and…

  • CVE-2026-41040 · High · Apr 23, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    GROWI provided by GROWI, Inc. is vulnerable to a regular expression denial of service (ReDoS) via a crafted input string.

  • CVE-2026-35611 · High · Apr 7, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    Addressable is an alternative implementation to the URI implementation that is part of Ruby's standard library. From 2.3.0 to before 2.9.0, within the URI template implementation in Addressable, two classes of URI template generate regular expressions vulnerable to catastrophic…

  • CVE-2026-4867 · High · Mar 26, 2026
    risk 0.49 · cvss 7.5 · epss 0.01

    Impact: A bad regular expression is generated any time you have three or more parameters within a single segment, separated by something that is not a period (.). For example, /:a-:b-:c or /:a-:b-:c-:d. The backtrack protection added in path-to-regexp@0.1.12 only prevents…

  • CVE-2025-70030 · High · Mar 9, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    An issue pertaining to CWE-1333: Inefficient Regular Expression Complexity (4.19) was discovered in Sunbird-Ed SunbirdEd-portal v1.13.4.

  • CVE-2025-70034 · High · Mar 9, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    An issue pertaining to CWE-1333: Inefficient Regular Expression Complexity (4.19) was discovered in mscdex ssh2 v1.17.0.

  • CVE-2025-10990 · High · Feb 27, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    A flaw was found in REXML. A remote attacker could exploit inefficient regular expression (regex) parsing when processing hex numeric character references (&#x...;) in XML documents. This could lead to a Regular Expression Denial of Service (ReDoS), impacting the availability of…

  • CVE-2024-7779 · High · Mar 20, 2025
    risk 0.49 · cvss 7.5 · epss 0.01

    A vulnerability in danswer-ai/danswer version 1 allows an attacker to perform a Regular Expression Denial of Service (ReDoS) by manipulating regular expressions. This can significantly slow down the application's response time and potentially render it completely unusable.