VYPR

CWE-1333

Inefficient Regular Expression Complexity

Base | Draft | Likelihood: High

Description

The product uses a regular expression with a worst-case computational complexity that is inefficient and possibly exponential.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-492

CVEs mapped to this weakness (332)

page 3 of 17
  • CVE-2026-23956, High, Jan 22, 2026
    risk 0.42, cvss 7.5, epss 0.00

    seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 0.2.0 through 1.4.0, overriding RegExp serialization with extremely large patterns can exhaust JavaScript runtime memory during deserialization.…

  • CVE-2025-66020, High, Nov 26, 2025
    risk 0.42, cvss 7.5, epss 0.00

    Valibot helps validate data using a schema. In versions from 0.31.0 to 1.1.0, the EMOJI_REGEX used in the emoji action is vulnerable to a Regular Expression Denial of Service (ReDoS) attack. A short, maliciously crafted string (e.g., <100 characters) can cause the regex engine…

  • CVE-2025-25283, High, Feb 12, 2025
    risk 0.42, cvss 7.5, epss 0.01

    parse-duration is software that allows users to convert a human readable duration to milliseconds. Versions prior to 2.1.3 are vulnerable to an event loop delay due to the CPU-bound operation of resolving the provided string, from 0.5ms and up to ~50ms per one operation, with a…

  • CVE-2025-0367, Medium, Jan 30, 2025
    risk 0.42, cvss 6.5, epss 0.00

    In versions 3.1.0 and lower of the Splunk Supporting Add-on for Active Directory, also known as SA-ldapsearch, a vulnerable regular expression pattern could lead to a Regular Expression Denial of Service (ReDoS) attack.

  • CVE-2024-36751, Medium, Jan 15, 2025
    risk 0.42, cvss 6.5, epss 0.01

    An issue in parse-uri v1.0.9 allows attackers to cause a Regular Expression Denial of Service (ReDoS) via a crafted URL.

  • CVE-2024-21539, High, Nov 19, 2024
    risk 0.42, cvss 7.5, epss 0.00

    Versions of the package @eslint/plugin-kit before 0.2.3 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by exploiting this vulnerability.

  • CVE-2024-21538, High, Nov 8, 2024
    risk 0.42, cvss 7.5, epss 0.01

    Versions of the package cross-spawn before 6.0.6, from 7.0.0 and before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well crafted…

  • CVE-2024-45296, High, Sep 9, 2024
    risk 0.42, cvss 7.5, epss 0.01

    path-to-regexp turns path strings into regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. Because JavaScript is single threaded and regex matching runs on the main thread, poor performance…

  • CVE-2024-41655, High, Jul 23, 2024
    risk 0.42, cvss 7.5, epss 0.01

    TF2 Item Format helps users format TF2 items to the community standards. Versions of `tf2-item-format` since at least `4.2.6` and prior to `5.9.14` are vulnerable to a Regular Expression Denial of Service (ReDoS) attack when parsing crafted user input. This vulnerability can be…

  • CVE-2017-16021, Medium, Jun 4, 2018
    risk 0.42, cvss 6.5, epss 0.01

    uri-js is a module that tries to fully implement RFC 3986. One of these features is validating whether or not a supplied URL is valid. To do this, uri-js uses a regular expression. This regular expression is vulnerable to ReDoS. This causes the program to hang and the CPU…

  • CVE-2015-8855, High, Jan 23, 2017
    risk 0.42, cvss 7.5, epss 0.06

    The semver package before 4.3.2 for Node.js allows attackers to cause a denial of service (CPU consumption) via a long version string, aka a "regular expression denial of service (ReDoS)."

  • CVE-2016-2515, High, Apr 13, 2016
    risk 0.42, cvss 7.5, epss 0.03

    Hawk before 3.1.3 and 4.x before 4.1.1 allow remote attackers to cause a denial of service (CPU consumption or partial outage) via a long (1) header or (2) URI that is matched against an improper regular expression.

  • CVE-2016-2537, High, Feb 23, 2016
    risk 0.42, cvss 7.5, epss 0.02

    The is-my-json-valid package before 2.12.4 for Node.js has an incorrect exports['utc-millisec'] regular expression, which allows remote attackers to cause a denial of service (blocked event loop) via a crafted string.

  • CVE-2026-54268, High, Jun 15, 2026
    risk 0.39, cvss n/a, epss 0.00

    A Denial of Service (DoS) vulnerability exists in the `@angular/common` package of the Angular framework. The `formatDate` function, which is also utilized by the standard Angular `DatePipe`, does not properly limit or validate the length of the `format` parameter. When…

  • CVE-2014-5244, High, May 30, 2024
    risk 0.39, cvss n/a, epss 0.02

    All 2.0.X, 2.1.X, 2.2.X, 2.3.X, 2.4.X, and 2.5.X versions of the Symfony HttpFoundation component are affected by this security issue. This issue has been fixed in Symfony 2.3.19, 2.4.9, and 2.5.4. Note that no fixes are provided for Symfony 2.0, 2.1, and 2.2 as they are not…

  • CVE-2026-55470, High, Jun 17, 2026
    risk 0.38, cvss n/a, epss n/a

    Summary: The fix for CVE-2026-45367 added `RegexTimeout` protection to the `matches()` function in DSTU2016MAY, DSTU3, R4, R4B, and R5, but the DSTU2 module was incompletely patched. In `org.hl7.fhir.dstu2`, `replaceMatches()` was updated while `matches()` at line 2462 still…

  • CVE-2026-45617, High, May 27, 2026
    risk 0.38, cvss n/a, epss 0.00

    Summary: The built-in `strip_html` filter in liquidjs uses a regex containing four lazy-quantified alternatives. When the input contains many `<script`, `<style`, or `<!--` opener tokens without matching closers, the V8 regex engine performs O(N²) backtracking, blocking the…

  • CVE-2026-45367, High, May 18, 2026
    risk 0.38, cvss n/a, epss 0.00

    Summary: All implementations of FHIRPathEngine accept arbitrary FHIRPath expressions and evaluate them without input validation. The FHIRPath functions `matches()`, `matchesFull()`, and `replaceMatches()` pass user-controlled regular expressions directly to Java's…

  • CVE-2024-52524, Medium, Nov 14, 2024
    risk 0.38, cvss n/a, epss 0.01

    Giskard is an evaluation and testing framework for AI systems. A Remote Code Execution (ReDoS) vulnerability was discovered in Giskard component by the GitHub Security Lab team. When processing datasets with specific text patterns with Giskard detectors, this vulnerability could…

  • CVE-2025-2811, Medium, Apr 26, 2025
    risk 0.37, cvss 5.7, epss 0.00

    A vulnerability was found in GL.iNet GL-A1300 Slate Plus, GL-AR300M16 Shadow, GL-AR300M Shadow, GL-AR750 Creta, GL-AR750S-EXT Slate, GL-AX1800 Flint, GL-AXT1800 Slate AX, GL-B1300 Convexa-B, GL-B3000 Marble, GL-BE3600 Slate 7, GL-E750, GL-E750V2 Mudi, GL-MT300N-V2 Mango,…