CWE-1333
Inefficient Regular Expression Complexity
Description
The product uses a regular expression with a worst-case computational complexity that is inefficient and possibly exponential.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-492
CVEs mapped to this weakness (332)
page 3 of 17| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-23956 | Hig | 0.42 | 7.5 | 0.00 | Jan 22, 2026 | seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 0.2.0 through 1.4.0, overriding RegExp serialization with extremely large patterns can exhaust JavaScript runtime memory during deserialization.… | ||
| CVE-2025-66020 | Hig | 0.42 | 7.5 | 0.00 | Nov 26, 2025 | Valibot helps validate data using a schema. In versions from 0.31.0 to 1.1.0, the EMOJI_REGEX used in the emoji action is vulnerable to a Regular Expression Denial of Service (ReDoS) attack. A short, maliciously crafted string (e.g., <100 characters) can cause the regex engine… | ||
| CVE-2025-25283 | — | Hig | 0.42 | 7.5 | 0.01 | Feb 12, 2025 | parse-duraton is software that allows users to convert a human readable duration to milliseconds. Versions prior to 2.1.3 are vulnerable to an event loop delay due to the CPU-bound operation of resolving the provided string, from a 0.5ms and up to ~50ms per one operation, with a… | |
| CVE-2025-0367 | Med | 0.42 | 6.5 | 0.00 | Jan 30, 2025 | In versions 3.1.0 and lower of the Splunk Supporting Add-on for Active Directory, also known as SA-ldapsearch, a vulnerable regular expression pattern could lead to a Regular Expression Denial of Service (ReDoS) attack. | ||
| CVE-2024-36751 | — | Med | 0.42 | 6.5 | 0.01 | Jan 15, 2025 | An issue in parse-uri v1.0.9 allows attackers to cause a Regular expression Denial of Service (ReDoS) via a crafted URL. | |
| CVE-2024-21539 | Hig | 0.42 | 7.5 | 0.00 | Nov 19, 2024 | Versions of the package @eslint/plugin-kit before 0.2.3 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by exploiting this vulnerability. | ||
| CVE-2024-21538 | Hig | 0.42 | 7.5 | 0.01 | Nov 8, 2024 | Versions of the package cross-spawn before 6.0.6, from 7.0.0 and before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well crafted… | ||
| CVE-2024-45296 | Hig | 0.42 | 7.5 | 0.01 | Sep 9, 2024 | path-to-regexp turns path strings into a regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. Because JavaScript is single threaded and regex matching runs on the main thread, poor performance… | ||
| CVE-2024-41655 | Hig | 0.42 | 7.5 | 0.01 | Jul 23, 2024 | TF2 Item Format helps users format TF2 items to the community standards. Versions of `tf2-item-format` since at least `4.2.6` and prior to `5.9.14` are vulnerable to a Regular Expression Denial of Service (ReDoS) attack when parsing crafted user input. This vulnerability can be… | ||
| CVE-2017-16021 | Med | 0.42 | 6.5 | 0.01 | Jun 4, 2018 | uri-js is a module that tries to fully implement RFC 3986. One of these features is validating whether or not a supplied URL is valid or not. To do this, uri-js uses a regular expression, This regular expression is vulnerable to redos. This causes the program to hang and the CPU… | ||
| CVE-2015-8855 | Hig | 0.42 | 7.5 | 0.06 | Jan 23, 2017 | The semver package before 4.3.2 for Node.js allows attackers to cause a denial of service (CPU consumption) via a long version string, aka a "regular expression denial of service (ReDoS)." | ||
| CVE-2016-2515 | Hig | 0.42 | 7.5 | 0.03 | Apr 13, 2016 | Hawk before 3.1.3 and 4.x before 4.1.1 allow remote attackers to cause a denial of service (CPU consumption or partial outage) via a long (1) header or (2) URI that is matched against an improper regular expression. | ||
| CVE-2016-2537 | Hig | 0.42 | 7.5 | 0.02 | Feb 23, 2016 | The is-my-json-valid package before 2.12.4 for Node.js has an incorrect exports['utc-millisec'] regular expression, which allows remote attackers to cause a denial of service (blocked event loop) via a crafted string. | ||
| CVE-2026-54268 | hig | 0.39 | — | 0.00 | Jun 15, 2026 | A Denial of Service (DoS) vulnerability exists in the `@angular/common` package of the Angular framework. The `formatDate` function, which is also utilized by the standard Angular `DatePipe`, does not properly limit or validate the length of the `format` parameter. When… | ||
| CVE-2014-5244 | hig | 0.39 | — | 0.02 | May 30, 2024 | All 2.0.X, 2.1.X, 2.2.X, 2.3.X, 2.4.X, and 2.5.X versions of the Symfony HttpFoundation component are affected by this security issue. This issue has been fixed in Symfony 2.3.19, 2.4.9, and 2.5.4. Note that no fixes are provided for Symfony 2.0, 2.1, and 2.2 as they are not… | ||
| CVE-2026-55470 | hig | 0.38 | — | — | Jun 17, 2026 | ## Summary The fix for CVE-2026-45367 added `RegexTimeout` protection to the `matches()` function in DSTU2016MAY, DSTU3, R4, R4B, and R5, but the DSTU2 module was incompletely patched. In `org.hl7.fhir.dstu2`, `replaceMatches()` was updated while `matches()` at line 2462 still… | ||
| CVE-2026-45617 | hig | 0.38 | — | 0.00 | May 27, 2026 | ## Summary The built-in `strip_html` filter in liquidjs uses a regex containing four lazy-quantified alternatives. When the input contains many `<script`, `<style`, or `<!--` opener tokens without matching closers, the V8 regex engine performs O(N²) backtracking, blocking the… | ||
| CVE-2026-45367 | hig | 0.38 | — | 0.00 | May 18, 2026 | ## Summary All implementations of FHIRPathEngine accept arbitrary FHIRPath expressions and evaluate them without input validation. The FHIRPath functions `matches()`, `matchesFull()`, and `replaceMatches()` pass user-controlled regular expressions directly to Java's… | ||
| CVE-2024-52524 | Med | 0.38 | — | 0.01 | Nov 14, 2024 | Giskard is an evaluation and testing framework for AI systems. A Remote Code Execution (ReDoS) vulnerability was discovered in Giskard component by the GitHub Security Lab team. When processing datasets with specific text patterns with Giskard detectors, this vulnerability could… | ||
| CVE-2025-2811 | Med | 0.37 | 5.7 | 0.00 | Apr 26, 2025 | A vulnerability was found in GL.iNet GL-A1300 Slate Plus, GL-AR300M16 Shadow, GL-AR300M Shadow, GL-AR750 Creta, GL-AR750S-EXT Slate, GL-AX1800 Flint, GL-AXT1800 Slate AX, GL-B1300 Convexa-B, GL-B3000 Marble, GL-BE3600 Slate 7, GL-E750, GL-E750V2 Mudi, GL-MT300N-V2 Mango,… |
- risk 0.42cvss 7.5epss 0.00
seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 0.2.0 through 1.4.0, overriding RegExp serialization with extremely large patterns can exhaust JavaScript runtime memory during deserialization.…
- risk 0.42cvss 7.5epss 0.00
Valibot helps validate data using a schema. In versions from 0.31.0 to 1.1.0, the EMOJI_REGEX used in the emoji action is vulnerable to a Regular Expression Denial of Service (ReDoS) attack. A short, maliciously crafted string (e.g., <100 characters) can cause the regex engine…
- risk 0.42cvss 7.5epss 0.01
parse-duraton is software that allows users to convert a human readable duration to milliseconds. Versions prior to 2.1.3 are vulnerable to an event loop delay due to the CPU-bound operation of resolving the provided string, from a 0.5ms and up to ~50ms per one operation, with a…
- risk 0.42cvss 6.5epss 0.00
In versions 3.1.0 and lower of the Splunk Supporting Add-on for Active Directory, also known as SA-ldapsearch, a vulnerable regular expression pattern could lead to a Regular Expression Denial of Service (ReDoS) attack.
- risk 0.42cvss 6.5epss 0.01
An issue in parse-uri v1.0.9 allows attackers to cause a Regular expression Denial of Service (ReDoS) via a crafted URL.
- risk 0.42cvss 7.5epss 0.00
Versions of the package @eslint/plugin-kit before 0.2.3 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by exploiting this vulnerability.
- risk 0.42cvss 7.5epss 0.01
Versions of the package cross-spawn before 6.0.6, from 7.0.0 and before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well crafted…
- risk 0.42cvss 7.5epss 0.01
path-to-regexp turns path strings into a regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. Because JavaScript is single threaded and regex matching runs on the main thread, poor performance…
- risk 0.42cvss 7.5epss 0.01
TF2 Item Format helps users format TF2 items to the community standards. Versions of `tf2-item-format` since at least `4.2.6` and prior to `5.9.14` are vulnerable to a Regular Expression Denial of Service (ReDoS) attack when parsing crafted user input. This vulnerability can be…
- risk 0.42cvss 6.5epss 0.01
uri-js is a module that tries to fully implement RFC 3986. One of these features is validating whether or not a supplied URL is valid or not. To do this, uri-js uses a regular expression, This regular expression is vulnerable to redos. This causes the program to hang and the CPU…
- risk 0.42cvss 7.5epss 0.06
The semver package before 4.3.2 for Node.js allows attackers to cause a denial of service (CPU consumption) via a long version string, aka a "regular expression denial of service (ReDoS)."
- risk 0.42cvss 7.5epss 0.03
Hawk before 3.1.3 and 4.x before 4.1.1 allow remote attackers to cause a denial of service (CPU consumption or partial outage) via a long (1) header or (2) URI that is matched against an improper regular expression.
- risk 0.42cvss 7.5epss 0.02
The is-my-json-valid package before 2.12.4 for Node.js has an incorrect exports['utc-millisec'] regular expression, which allows remote attackers to cause a denial of service (blocked event loop) via a crafted string.
- risk 0.39cvss —epss 0.00
A Denial of Service (DoS) vulnerability exists in the `@angular/common` package of the Angular framework. The `formatDate` function, which is also utilized by the standard Angular `DatePipe`, does not properly limit or validate the length of the `format` parameter. When…
- risk 0.39cvss —epss 0.02
All 2.0.X, 2.1.X, 2.2.X, 2.3.X, 2.4.X, and 2.5.X versions of the Symfony HttpFoundation component are affected by this security issue. This issue has been fixed in Symfony 2.3.19, 2.4.9, and 2.5.4. Note that no fixes are provided for Symfony 2.0, 2.1, and 2.2 as they are not…
- risk 0.38cvss —epss —
## Summary The fix for CVE-2026-45367 added `RegexTimeout` protection to the `matches()` function in DSTU2016MAY, DSTU3, R4, R4B, and R5, but the DSTU2 module was incompletely patched. In `org.hl7.fhir.dstu2`, `replaceMatches()` was updated while `matches()` at line 2462 still…
- risk 0.38cvss —epss 0.00
## Summary The built-in `strip_html` filter in liquidjs uses a regex containing four lazy-quantified alternatives. When the input contains many `<script`, `<style`, or `<!--` opener tokens without matching closers, the V8 regex engine performs O(N²) backtracking, blocking the…
- risk 0.38cvss —epss 0.00
## Summary All implementations of FHIRPathEngine accept arbitrary FHIRPath expressions and evaluate them without input validation. The FHIRPath functions `matches()`, `matchesFull()`, and `replaceMatches()` pass user-controlled regular expressions directly to Java's…
- risk 0.38cvss —epss 0.01
Giskard is an evaluation and testing framework for AI systems. A Remote Code Execution (ReDoS) vulnerability was discovered in Giskard component by the GitHub Security Lab team. When processing datasets with specific text patterns with Giskard detectors, this vulnerability could…
- risk 0.37cvss 5.7epss 0.00
A vulnerability was found in GL.iNet GL-A1300 Slate Plus, GL-AR300M16 Shadow, GL-AR300M Shadow, GL-AR750 Creta, GL-AR750S-EXT Slate, GL-AX1800 Flint, GL-AXT1800 Slate AX, GL-B1300 Convexa-B, GL-B3000 Marble, GL-BE3600 Slate 7, GL-E750, GL-E750V2 Mudi, GL-MT300N-V2 Mango,…