CWE-1333
Inefficient Regular Expression Complexity
Description
The product uses a regular expression with a worst-case computational complexity that is inefficient and possibly exponential.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-492
CVEs mapped to this weakness (332)
page 13 of 17

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2018-25049 | — | | 0.00 | — | 0.01 | | Dec 27, 2022 | A vulnerability was found in email-existence. It has been rated as problematic. Affected by this issue is some unknown functionality of the file index.js. The manipulation leads to inefficient regular expression complexity. The name of the patch is… |
| CVE-2015-10005 | | | 0.00 | — | 0.01 | | Dec 27, 2022 | A vulnerability was found in markdown-it up to 2.x. It has been classified as problematic. Affected is an unknown function of the file lib/common/html_re.js. The manipulation leads to inefficient regular expression complexity. Upgrading to version 3.0.0 is able to address this… |
| CVE-2021-35065 | — | | 0.00 | — | 0.02 | | Dec 26, 2022 | The glob-parent package before 6.0.1 for Node.js allows ReDoS (regular expression denial of service) attacks against the enclosure regular expression. |
| CVE-2020-26302 | | | 0.00 | — | 0.01 | | Dec 23, 2022 | is.js is a general-purpose check library. Versions 0.9.0 and prior contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS). is.js uses a regex copy-pasted from a gist to validate URLs. Trying to validate a malicious string can… |
| CVE-2022-40898 | — | | 0.00 | — | 0.03 | | Dec 22, 2022 | An issue discovered in Python Packaging Authority (PyPA) Wheel 0.37.1 and earlier allows remote attackers to cause a denial of service via attacker controlled input to wheel cli. |
| CVE-2022-40897 | — | | 0.00 | — | 0.03 | | Dec 22, 2022 | Python Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted package or custom PackageIndex page. There is a Regular Expression Denial of Service (ReDoS) in package_index.py. |
| CVE-2022-23517 | | | 0.00 | — | 0.01 | | Dec 14, 2022 | rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails applications. Certain configurations of rails-html-sanitizer < 1.4.4 use an inefficient regular expression that is susceptible to excessive backtracking when attempting to sanitize certain SVG attributes.… |
| CVE-2022-23514 | | | 0.00 | — | 0.02 | | Dec 14, 2022 | Loofah is a general library for manipulating and transforming HTML/XML documents and fragments, built on top of Nokogiri. Loofah < 2.19.1 contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to sanitize certain SVG attributes.… |
| CVE-2022-30122 | | | 0.00 | — | 0.02 | | Dec 5, 2022 | A possible denial of service vulnerability exists in Rack <2.0.9.1, <2.1.4.1 and <2.2.3.1 in the multipart parsing component of Rack. |
| CVE-2022-42124 | | | 0.00 | — | 0.01 | | Nov 15, 2022 | ReDoS vulnerability in LayoutPageTemplateEntryUpgradeProcess in Liferay Portal 7.3.2 through 7.4.3.4 and Liferay DXP 7.2 fix pack 9 through fix pack 18, 7.3 before update 4, and DXP 7.4 GA allows remote attackers to consume an excessive amount of server resources via a crafted… |
| CVE-2022-42966 | | | 0.00 | — | 0.01 | | Nov 9, 2022 | An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the cleo PyPI package, when an attacker is able to supply arbitrary input to the Table.set_rows method |
| CVE-2022-42965 | — | | 0.00 | — | 0.01 | | Nov 9, 2022 | An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the snowflake-connector-python PyPI package, when an attacker is able to supply arbitrary input to the undocumented get_file_transfer_type method |
| CVE-2022-42964 | | | 0.00 | — | 0.01 | | Nov 9, 2022 | An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the pymatgen PyPI package, when an attacker is able to supply arbitrary input to the GaussianInput.from_string method |
| CVE-2022-37620 | — | | 0.00 | — | 0.01 | | Oct 31, 2022 | A Regular Expression Denial of Service (ReDoS) flaw was found in kangax html-minifier 4.0.0 because of the reCustomIgnore regular expression. |
| CVE-2022-25918 | — | | 0.00 | — | 0.01 | | Oct 27, 2022 | The package shescape from 1.5.10 and before 1.6.1 are vulnerable to Regular Expression Denial of Service (ReDoS) via the escape function in index.js, due to the usage of insecure regex in the escapeArgBash function. |
| CVE-2022-3517 | | | 0.00 | — | 0.02 | | Oct 17, 2022 | A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service. |
| CVE-2022-42969 | — | | 0.00 | — | 0.02 | | Oct 16, 2022 | The py library through 1.11.0 for Python allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data, because the InfoSvnCommand argument is mishandled. Note: This has been disputed by multiple third… |
| CVE-2022-41323 | | | 0.00 | — | 0.03 | | Oct 16, 2022 | In Django 3.2 before 3.2.16, 4.0 before 4.0.8, and 4.1 before 4.1.2, internationalized URLs were subject to a potential denial of service attack via the locale parameter, which is treated as a regular expression. |
| CVE-2022-37603 | — | | 0.00 | — | 0.02 | | Oct 14, 2022 | A Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the url variable in interpolateName.js. |
| CVE-2022-37599 | — | | 0.00 | — | 0.02 | | Oct 11, 2022 | A Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the resourcePath variable in interpolateName.js. |