CWE-1333
Inefficient Regular Expression Complexity
Description
The product uses a regular expression with a worst-case computational complexity that is inefficient and possibly exponential.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-492
CVEs mapped to this weakness (332)
Page 10 of 17

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2021-4437 | | | 0.00 | — | 0.00 | | Feb 12, 2024 | A vulnerability, which was classified as problematic, has been found in dbartholomae lambda-middleware frameguard up to 1.0.4. Affected by this issue is some unknown functionality of the file packages/json-deserializer/src/JsonDeserializer.ts of the component JSON Mime-Type… |
| CVE-2024-21490 | | | 0.00 | — | 0.02 | | Feb 10, 2024 | This affects versions of the package angular from 1.3.0. A regular expression used to split the value of the ng-srcset directive is vulnerable to super-linear runtime due to backtracking. With large carefully-crafted input, this can result in catastrophic backtracking and cause… |
| CVE-2024-23732 | | — | 0.00 | — | 0.01 | | Jan 21, 2024 | The JSON loader in Embedchain before 0.1.57 allows a ReDoS (regular expression denial of service) via a long string to json.py. |
| CVE-2023-50249 | | | 0.00 | — | 0.01 | | Dec 20, 2023 | Sentry-Javascript is official Sentry SDKs for JavaScript. A ReDoS (Regular expression Denial of Service) vulnerability has been identified in Sentry's Astro SDK 7.78.0-7.86.0. Under certain conditions, this vulnerability allows an attacker to cause excessive computation times on… |
| CVE-2023-48631 | | — | 0.00 | — | 0.01 | | Dec 14, 2023 | @adobe/css-tools versions 4.3.1 and earlier are affected by an Improper Input Validation vulnerability that could result in a denial of service while attempting to parse CSS. |
| CVE-2023-26364 | | — | 0.00 | — | 0.01 | | Nov 17, 2023 | @adobe/css-tools version 4.3.0 and earlier are affected by an Improper Input Validation vulnerability that could result in a minor denial of service while attempting to parse CSS. Exploitation of this issue does not require user interaction or privileges. |
| CVE-2023-46402 | | — | 0.00 | — | 0.01 | | Nov 17, 2023 | git-urls 1.0.0 allows ReDoS (Regular Expression Denial of Service) in urls.go. |
| CVE-2023-39619 | | — | 0.00 | — | 0.01 | | Oct 24, 2023 | ReDoS in NPMJS Node Email Check v.1.0.4 allows an attacker to cause a denial of service via a crafted string to the scpSyntax component. |
| CVE-2023-45813 | | | 0.00 | — | 0.01 | | Oct 18, 2023 | Torbot is an open source tor network intelligence tool. In affected versions the `torbot.modules.validators.validate_link` function uses the python-validators URL validation regex. This particular regular expression has an exponential complexity which allows an attacker to cause… |
| CVE-2023-4316 | | | 0.00 | — | 0.01 | | Sep 28, 2023 | Zod in versions 3.21.0 up to and including 3.22.3 allows an attacker to perform a denial of service while validating emails. |
| CVE-2023-43646 | | | 0.00 | — | 0.01 | | Sep 26, 2023 | get-func-name is a module to retrieve a function's name securely and consistently both in NodeJS and the browser. Versions prior to 2.0.1 are subject to a regular expression denial of service (ReDoS) vulnerability which may lead to a denial of service when parsing malicious… |
| CVE-2023-39663 | | — | 0.00 | — | 0.01 | | Aug 29, 2023 | Mathjax up to v2.7.9 was discovered to contain two Regular expression Denial of Service (ReDoS) vulnerabilities in MathJax.js via the components pattern and markdownPattern. NOTE: the vendor disputes this because the regular expressions are not applied to user input; thus, there… |
| CVE-2023-36543 | | | 0.00 | — | 0.01 | | Jul 12, 2023 | Apache Airflow, versions before 2.6.3, has a vulnerability where an authenticated user can use crafted input to make the current request hang. It is recommended to upgrade to a version that is not affected. |
| CVE-2023-36053 | | | 0.00 | — | 0.03 | | Jul 3, 2023 | In Django 3.2 before 3.2.20, 4 before 4.1.10, and 4.2 before 4.2.3, EmailValidator and URLValidator are subject to a potential ReDoS (regular expression denial of service) attack via a very large number of domain name labels of emails and URLs. |
| CVE-2023-36617 | | | 0.00 | — | 0.02 | | Jun 29, 2023 | A ReDoS issue was discovered in the URI component before 0.12.2 for Ruby. The URI parser mishandles invalid URLs that have specific characters. There is an increase in execution time for parsing strings to URI objects with rfc2396_parser.rb and rfc3986_parser.rb. NOTE: this… |
| CVE-2023-26115 | | — | 0.00 | — | 0.02 | | Jun 22, 2023 | All versions of the package word-wrap are vulnerable to Regular Expression Denial of Service (ReDoS) due to the usage of an insecure regular expression within the result variable. |
| CVE-2022-25883 | | — | 0.00 | — | 0.03 | | Jun 21, 2023 | Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range. |
| CVE-2023-33289 | | — | 0.00 | — | 0.01 | | Jun 21, 2023 | The urlnorm crate through 0.1.4 for Rust allows Regular Expression Denial of Service (ReDoS) via a crafted URL to lib.rs. NOTE: the Supplier disputes this, taking the position that "Slow printing of URLs is not a CVE." |
| CVE-2023-33290 | | — | 0.00 | — | 0.01 | | Jun 12, 2023 | The git-url-parse crate through 0.4.4 for Rust allows Regular Expression Denial of Service (ReDoS) via a crafted URL to normalize_url in lib.rs, a similar issue to CVE-2023-32758 (Python). |
| CVE-2023-34104 | | | 0.00 | — | 0.01 | | Jun 6, 2023 | fast-xml-parser is an open source, pure javascript xml parser. fast-xml-parser allows special characters in entity names, which are not escaped or sanitized. Since the entity name is used for creating a regex for searching and replacing entities in the XML body, an attacker can… |