CWE-1333
Inefficient Regular Expression Complexity
Description
The product uses a regular expression with a worst-case computational complexity that is inefficient and possibly exponential.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-492
CVEs mapped to this weakness (332)
page 2 of 17| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-46242 | Hig | 0.49 | 7.5 | 0.01 | Jan 7, 2025 | An issue in the validate_email function in CTFd/utils/validators/__init__.py of CTFd 3.7.3 allows attackers to cause a Regular expression Denial of Service (ReDoS) via supplying a crafted string as e-mail address during registration. | ||
| CVE-2024-25885 | Hig | 0.49 | 7.5 | 0.01 | Oct 8, 2024 | An issue in the getcolor function in utils.py of xhtml2pdf v0.2.13 allows attackers to cause a Regular expression Denial of Service (ReDOS) via supplying a crafted string. | ||
| CVE-2024-39249 | Hig | 0.49 | 7.5 | 0.01 | Jul 1, 2024 | Async <= 2.6.4 and <= 3.2.5 are vulnerable to ReDoS (Regular Expression Denial of Service) while parsing function in autoinject function. NOTE: this is disputed by the supplier because there is no realistic threat model: regular expressions are not used with untrusted input. | ||
| CVE-2024-28716 | Hig | 0.49 | 7.5 | 0.01 | Apr 30, 2024 | An issue in OpenStack Storlets yoga-eom allows a remote attacker to execute arbitrary code via the gateway.py component. | ||
| CVE-2024-22363 | Hig | 0.49 | 7.5 | 0.01 | Apr 5, 2024 | SheetJS Community Edition before 0.20.2 is vulnerable.to Regular Expression Denial of Service (ReDoS). | ||
| CVE-2024-25354 | Hig | 0.49 | 7.5 | 0.01 | Mar 27, 2024 | RegEx Denial of Service in domain-suffix 1.0.8 allows attackers to crash the application via crafted input to the parse function. | ||
| CVE-2015-8858 | Hig | 0.49 | 7.5 | 0.02 | Jan 23, 2017 | The uglify-js package before 2.6.0 for Node.js allows attackers to cause a denial of service (CPU consumption) via crafted input in a parse call, aka a "regular expression denial of service (ReDoS)." | ||
| CVE-2015-8854 | Hig | 0.49 | 7.5 | 0.04 | Jan 23, 2017 | The marked package before 0.3.4 for Node.js allows attackers to cause a denial of service (CPU consumption) via unspecified vectors that trigger a "catastrophic backtracking issue for the em inline rule," aka a "regular expression denial of service (ReDoS)." | ||
| CVE-2015-8315 | Hig | 0.49 | 7.5 | 0.07 | Jan 23, 2017 | The ms package before 0.7.1 for Node.js allows attackers to cause a denial of service (CPU consumption) via a long version string, aka a "regular expression denial of service (ReDoS)." | ||
| CVE-2025-54364 | Med | 0.45 | — | 0.00 | Aug 20, 2025 | Microsoft Knack 0.12.0 allows Regular expression Denial of Service (ReDoS) in the knack.introspection module. option_descriptions employs an inefficient regular expression pattern: "\s(:param)\s+(.+?)\s:(.*)" that is susceptible to catastrophic backtracking when processing… | ||
| CVE-2025-54363 | Med | 0.45 | — | 0.00 | Aug 20, 2025 | Microsoft Knack 0.12.0 allows Regular expression Denial of Service (ReDoS) in the knack.introspection module. extract_full_summary_from_signature employs an inefficient regular expression pattern: "\s(:param)\s+(.+?)\s:(.*)" that is susceptible to catastrophic backtracking when… | ||
| CVE-2024-52798 | Hig | 0.43 | — | 0.01 | Dec 5, 2024 | path-to-regexp turns path strings into a regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. The regular expression that is vulnerable to backtracking can be generated in the 0.1.x release of… | ||
| CVE-2026-44496 | Hig | 0.42 | 7.5 | 0.00 | Jun 11, 2026 | Axios is a promise based HTTP client for the browser and Node.js. Axios versions before 0.32.0 on the 0.x line and before 1.16.0 on the 1.x line build a regular expression from the configured XSRF cookie name without escaping regex metacharacters. In standard browser… | ||
| CVE-2026-42567 | Hig | 0.42 | 7.5 | 0.00 | Jun 9, 2026 | Svelte is a performance oriented web framework. From version 5.51.5 to before version 5.55.7, an internal regex in the Svelte runtime can take exponential time to test in <svelte:element this={tag}></svelte:element>. This issue has been patched in version 5.55.7. | ||
| CVE-2026-8159 | Hig | 0.42 | 7.5 | 0.00 | May 12, 2026 | multiparty@4.2.3 and lower versions are vulnerable to denial of service via regular expression backtracking in the Content-Disposition filename parameter parser. A crafted multipart upload with a long header value can cause regex matching to take seconds, blocking the event… | ||
| CVE-2026-39320 | Hig | 0.42 | 7.5 | 0.00 | Apr 21, 2026 | Signal K Server is a server application that runs on a central hub in a boat. Versions prior to 2.25.0 are vulnerable to an unauthenticated Regular Expression Denial of Service (ReDoS) attack within the WebSocket subscription handling logic. By injecting unescaped regex… | ||
| CVE-2026-35213 | Hig | 0.42 | 7.5 | 0.00 | Apr 6, 2026 | @hapi/content provided HTTP Content-* headers parsing. All versions of @hapi/content through 6.0.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via crafted HTTP header values. Three regular expressions used to parse Content-Type and Content-Disposition headers… | ||
| CVE-2026-33671 | Hig | 0.42 | 7.5 | 0.00 | Mar 26, 2026 | Picomatch is a glob matcher written JavaScript. Versions prior to 4.0.4, 3.0.2, and 2.3.2 are vulnerable to Regular Expression Denial of Service (ReDoS) when processing crafted extglob patterns. Certain patterns using extglob quantifiers such as `+()` and `*()`, especially when… | ||
| CVE-2026-4926 | Hig | 0.42 | 7.5 | 0.00 | Mar 26, 2026 | Impact: A bad regular expression is generated any time you have multiple sequential optional groups (curly brace syntax), such as `{a}{b}{c}:z`. The generated regex grows exponentially with the number of groups, causing denial of service. Patches: Fixed in version 8.4.0. … | ||
| CVE-2026-28356 | — | Hig | 0.42 | 7.5 | 0.00 | Mar 12, 2026 | multipart is a fast multipart/form-data parser for python. Prior to 1.2.2, 1.3.1 and 1.4.0-dev, the parse_options_header() function in multipart.py uses a regular expression with an ambiguous alternation, which can cause exponential backtracking (ReDoS) when parsing maliciously… |
- risk 0.49cvss 7.5epss 0.01
An issue in the validate_email function in CTFd/utils/validators/__init__.py of CTFd 3.7.3 allows attackers to cause a Regular expression Denial of Service (ReDoS) via supplying a crafted string as e-mail address during registration.
- risk 0.49cvss 7.5epss 0.01
An issue in the getcolor function in utils.py of xhtml2pdf v0.2.13 allows attackers to cause a Regular expression Denial of Service (ReDOS) via supplying a crafted string.
- risk 0.49cvss 7.5epss 0.01
Async <= 2.6.4 and <= 3.2.5 are vulnerable to ReDoS (Regular Expression Denial of Service) while parsing function in autoinject function. NOTE: this is disputed by the supplier because there is no realistic threat model: regular expressions are not used with untrusted input.
- risk 0.49cvss 7.5epss 0.01
An issue in OpenStack Storlets yoga-eom allows a remote attacker to execute arbitrary code via the gateway.py component.
- risk 0.49cvss 7.5epss 0.01
SheetJS Community Edition before 0.20.2 is vulnerable.to Regular Expression Denial of Service (ReDoS).
- risk 0.49cvss 7.5epss 0.01
RegEx Denial of Service in domain-suffix 1.0.8 allows attackers to crash the application via crafted input to the parse function.
- risk 0.49cvss 7.5epss 0.02
The uglify-js package before 2.6.0 for Node.js allows attackers to cause a denial of service (CPU consumption) via crafted input in a parse call, aka a "regular expression denial of service (ReDoS)."
- risk 0.49cvss 7.5epss 0.04
The marked package before 0.3.4 for Node.js allows attackers to cause a denial of service (CPU consumption) via unspecified vectors that trigger a "catastrophic backtracking issue for the em inline rule," aka a "regular expression denial of service (ReDoS)."
- risk 0.49cvss 7.5epss 0.07
The ms package before 0.7.1 for Node.js allows attackers to cause a denial of service (CPU consumption) via a long version string, aka a "regular expression denial of service (ReDoS)."
- risk 0.45cvss —epss 0.00
Microsoft Knack 0.12.0 allows Regular expression Denial of Service (ReDoS) in the knack.introspection module. option_descriptions employs an inefficient regular expression pattern: "\s(:param)\s+(.+?)\s:(.*)" that is susceptible to catastrophic backtracking when processing…
- risk 0.45cvss —epss 0.00
Microsoft Knack 0.12.0 allows Regular expression Denial of Service (ReDoS) in the knack.introspection module. extract_full_summary_from_signature employs an inefficient regular expression pattern: "\s(:param)\s+(.+?)\s:(.*)" that is susceptible to catastrophic backtracking when…
- risk 0.43cvss —epss 0.01
path-to-regexp turns path strings into a regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. The regular expression that is vulnerable to backtracking can be generated in the 0.1.x release of…
- risk 0.42cvss 7.5epss 0.00
Axios is a promise based HTTP client for the browser and Node.js. Axios versions before 0.32.0 on the 0.x line and before 1.16.0 on the 1.x line build a regular expression from the configured XSRF cookie name without escaping regex metacharacters. In standard browser…
- risk 0.42cvss 7.5epss 0.00
Svelte is a performance oriented web framework. From version 5.51.5 to before version 5.55.7, an internal regex in the Svelte runtime can take exponential time to test in <svelte:element this={tag}></svelte:element>. This issue has been patched in version 5.55.7.
- risk 0.42cvss 7.5epss 0.00
multiparty@4.2.3 and lower versions are vulnerable to denial of service via regular expression backtracking in the Content-Disposition filename parameter parser. A crafted multipart upload with a long header value can cause regex matching to take seconds, blocking the event…
- risk 0.42cvss 7.5epss 0.00
Signal K Server is a server application that runs on a central hub in a boat. Versions prior to 2.25.0 are vulnerable to an unauthenticated Regular Expression Denial of Service (ReDoS) attack within the WebSocket subscription handling logic. By injecting unescaped regex…
- risk 0.42cvss 7.5epss 0.00
@hapi/content provided HTTP Content-* headers parsing. All versions of @hapi/content through 6.0.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via crafted HTTP header values. Three regular expressions used to parse Content-Type and Content-Disposition headers…
- risk 0.42cvss 7.5epss 0.00
Picomatch is a glob matcher written JavaScript. Versions prior to 4.0.4, 3.0.2, and 2.3.2 are vulnerable to Regular Expression Denial of Service (ReDoS) when processing crafted extglob patterns. Certain patterns using extglob quantifiers such as `+()` and `*()`, especially when…
- risk 0.42cvss 7.5epss 0.00
Impact: A bad regular expression is generated any time you have multiple sequential optional groups (curly brace syntax), such as `{a}{b}{c}:z`. The generated regex grows exponentially with the number of groups, causing denial of service. Patches: Fixed in version 8.4.0. …
- risk 0.42cvss 7.5epss 0.00
multipart is a fast multipart/form-data parser for python. Prior to 1.2.2, 1.3.1 and 1.4.0-dev, the parse_options_header() function in multipart.py uses a regular expression with an ambiguous alternation, which can cause exponential backtracking (ReDoS) when parsing maliciously…