VYPR

CWE-1333

Inefficient Regular Expression Complexity

Abstraction: Base · Status: Draft · Likelihood: High

Description

The product uses a regular expression with a worst-case computational complexity that is inefficient and possibly exponential.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-492

CVEs mapped to this weakness (332)

page 13 of 17
  • CVE-2018-25049 (Dec 27, 2022)
    risk 0.00 cvss, epss 0.01

    A vulnerability was found in email-existence. It has been rated as problematic. Affected by this issue is some unknown functionality of the file index.js. The manipulation leads to inefficient regular expression complexity. The name of the patch is…

  • CVE-2015-10005 (Dec 27, 2022)
    risk 0.00 cvss, epss 0.01

    A vulnerability was found in markdown-it up to 2.x. It has been classified as problematic. Affected is an unknown function of the file lib/common/html_re.js. The manipulation leads to inefficient regular expression complexity. Upgrading to version 3.0.0 is able to address this…

  • CVE-2021-35065 (Dec 26, 2022)
    risk 0.00 cvss, epss 0.02

    The glob-parent package before 6.0.1 for Node.js allows ReDoS (regular expression denial of service) attacks against the enclosure regular expression.

  • CVE-2020-26302 (Dec 23, 2022)
    risk 0.00 cvss, epss 0.01

    is.js is a general-purpose check library. Versions 0.9.0 and prior contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS). is.js uses a regex copy-pasted from a gist to validate URLs. Trying to validate a malicious string can…

  • CVE-2022-40898 (Dec 22, 2022)
    risk 0.00 cvss, epss 0.03

    An issue discovered in Python Packaging Authority (PyPA) Wheel 0.37.1 and earlier allows remote attackers to cause a denial of service via attacker controlled input to wheel cli.

  • CVE-2022-40897 (Dec 22, 2022)
    risk 0.00 cvss, epss 0.03

    Python Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted package or custom PackageIndex page. There is a Regular Expression Denial of Service (ReDoS) in package_index.py.

  • CVE-2022-23517 (Dec 14, 2022)
    risk 0.00 cvss, epss 0.01

    rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails applications. Certain configurations of rails-html-sanitizer < 1.4.4 use an inefficient regular expression that is susceptible to excessive backtracking when attempting to sanitize certain SVG attributes.…

  • CVE-2022-23514 (Dec 14, 2022)
    risk 0.00 cvss, epss 0.02

    Loofah is a general library for manipulating and transforming HTML/XML documents and fragments, built on top of Nokogiri. Loofah < 2.19.1 contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to sanitize certain SVG attributes.…

  • CVE-2022-30122 (Dec 5, 2022)
    risk 0.00 cvss, epss 0.02

    A possible denial of service vulnerability exists in Rack <2.0.9.1, <2.1.4.1 and <2.2.3.1 in the multipart parsing component of Rack.

  • CVE-2022-42124 (Nov 15, 2022)
    risk 0.00 cvss, epss 0.01

    ReDoS vulnerability in LayoutPageTemplateEntryUpgradeProcess in Liferay Portal 7.3.2 through 7.4.3.4 and Liferay DXP 7.2 fix pack 9 through fix pack 18, 7.3 before update 4, and DXP 7.4 GA allows remote attackers to consume an excessive amount of server resources via a crafted…

  • CVE-2022-42966 (Nov 9, 2022)
    risk 0.00 cvss, epss 0.01

    An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the cleo PyPI package, when an attacker is able to supply arbitrary input to the Table.set_rows method

  • CVE-2022-42965 (Nov 9, 2022)
    risk 0.00 cvss, epss 0.01

    An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the snowflake-connector-python PyPI package, when an attacker is able to supply arbitrary input to the undocumented get_file_transfer_type method

  • CVE-2022-42964 (Nov 9, 2022)
    risk 0.00 cvss, epss 0.01

    An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the pymatgen PyPI package, when an attacker is able to supply arbitrary input to the GaussianInput.from_string method

  • CVE-2022-37620 (Oct 31, 2022)
    risk 0.00 cvss, epss 0.01

    A Regular Expression Denial of Service (ReDoS) flaw was found in kangax html-minifier 4.0.0 because of the reCustomIgnore regular expression.

  • CVE-2022-25918 (Oct 27, 2022)
    risk 0.00 cvss, epss 0.01

    The package shescape from 1.5.10 and before 1.6.1 are vulnerable to Regular Expression Denial of Service (ReDoS) via the escape function in index.js, due to the usage of insecure regex in the escapeArgBash function.

  • CVE-2022-3517 (Oct 17, 2022)
    risk 0.00 cvss, epss 0.02

    A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.

  • CVE-2022-42969 (Oct 16, 2022)
    risk 0.00 cvss, epss 0.02

    The py library through 1.11.0 for Python allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data, because the InfoSvnCommand argument is mishandled. Note: This has been disputed by multiple third…

  • CVE-2022-41323 (Oct 16, 2022)
    risk 0.00 cvss, epss 0.03

    In Django 3.2 before 3.2.16, 4.0 before 4.0.8, and 4.1 before 4.1.2, internationalized URLs were subject to a potential denial of service attack via the locale parameter, which is treated as a regular expression.

  • CVE-2022-37603 (Oct 14, 2022)
    risk 0.00 cvss, epss 0.02

    A Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the url variable in interpolateName.js.

  • CVE-2022-37599 (Oct 11, 2022)
    risk 0.00 cvss, epss 0.02

    A Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the resourcePath variable in interpolateName.js.