VYPR

CWE-1333

Inefficient Regular Expression Complexity

Base · Draft · Likelihood: High

Description

The product uses a regular expression with a worst-case computational complexity that is inefficient and possibly exponential.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-492

CVEs mapped to this weakness (332)

page 5 of 17
  • CVE-2025-7074 · Med · Jul 5, 2025
    risk 0.28 · cvss 4.3 · epss 0.01

    A vulnerability classified as problematic has been found in vercel hyper up to 3.4.1. This affects the function expand/braceExpand/ignoreMap of the file hyper/bin/rimraf-standalone.js. The manipulation leads to inefficient regular expression complexity. It is possible to…

  • CVE-2025-5892 · Med · Jun 9, 2025
    risk 0.28 · cvss 4.3 · epss 0.01

    A vulnerability, which was classified as problematic, has been found in RocketChat up to 7.6.1. This issue affects the function parseMessage of the file /apps/meteor/app/irc/server/servers/RFC2813/parseMessage.js. The manipulation of the argument line leads to inefficient…

  • CVE-2025-5890 · Med · Jun 9, 2025
    risk 0.28 · cvss 4.3 · epss 0.00

    A vulnerability classified as problematic has been found in actions toolkit 0.5.0. This affects the function globEscape of the file toolkit/packages/glob/src/internal-pattern.ts of the component glob. The manipulation leads to inefficient regular expression complexity. It is…

  • CVE-2025-25290 · Med · Feb 14, 2025
    risk 0.28 · cvss 5.3 · epss 0.01

    @octokit/request sends parameterized requests to GitHub’s APIs with sensible defaults in browsers and Node. Starting in version 1.0.0 and prior to versions 9.2.1 and 8.4.1, the regular expression `/<([^>]+)>; rel="deprecation"/` used to match the `link` header in HTTP…

  • CVE-2024-38809 · Med · Sep 27, 2024
    risk 0.28 · cvss 5.3 · epss 0.01

    Applications that parse ETags from "If-Match" or "If-None-Match" request headers are vulnerable to DoS attack. Users of affected versions should upgrade to the corresponding fixed version. Users of older, unsupported versions could enforce a size limit on "If-Match" and…

  • CVE-2024-45813 · Med · Sep 18, 2024
    risk 0.28 · cvss 5.3 · epss 0.01

    find-my-way is a fast, open source HTTP router, internally using a Radix Tree (aka compact Prefix Tree), supports route params, wildcards, and it's framework independent. A bad regular expression is generated any time one has two parameters within a single segment, when adding a…

  • CVE-2024-21503 · Med · Mar 19, 2024
    risk 0.28 · cvss 5.3 · epss 0.01

    Versions of the package black before 24.3.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the lines_with_leading_tabs_expanded function in the strings.py file. An attacker could exploit this vulnerability by crafting a malicious input that causes a denial of…

  • CVE-2016-1000232 · Med · Sep 5, 2018
    risk 0.28 · cvss 5.3 · epss 0.02

    NodeJS Tough-Cookie version 2.2.2 contains a Regular Expression Parsing vulnerability in HTTP request Cookie Header parsing that can result in Denial of Service. This attack appears to be exploitable via Custom HTTP header passed by client. This vulnerability appears to have been…

  • CVE-2026-45409 · Med · Jun 5, 2026
    risk 0.27 · cvss 5.3 · epss 0.00

    Internationalized Domain Names in Applications (IDNA) for Python provides support for Internationalized Domain Names in Applications (IDNA) and Unicode IDNA Compatibility Processing. In versions prior to 3.15, payloads such as `"\u0660" * N` or `"\u30fb" * N + "\u6f22"` utilize…

  • CVE-2025-55152 · Med · Aug 9, 2025
    risk 0.27 · cvss 5.3 · epss 0.00

    oak is a middleware framework for Deno's native HTTP server, Deno Deploy, Node.js 16.5 and later, Cloudflare Workers and Bun. In versions 17.1.5 and below, it's possible to significantly slow down an oak server with specially crafted values of the x-forwarded-proto or…

  • CVE-2025-25289 · Med · Feb 14, 2025
    risk 0.27 · cvss 5.3 · epss 0.01

    @octokit/request-error is an error class for Octokit request errors. Starting in version 1.0.0 and prior to version 6.1.7, a Regular Expression Denial of Service (ReDoS) vulnerability exists in the processing of HTTP request headers. By sending an authorization header containing…

  • CVE-2025-25288 · Med · Feb 14, 2025
    risk 0.27 · cvss 5.3 · epss 0.01

    @octokit/plugin-paginate-rest is the Octokit plugin to paginate REST API endpoint responses. For versions starting in 1.0.0 and prior to 11.4.1 of the npm package `@octokit/plugin-paginate-rest`, when calling `octokit.paginate.iterator()`, a specially crafted `octokit`…

  • CVE-2025-25285 · Med · Feb 14, 2025
    risk 0.27 · cvss 5.3 · epss 0.01

    @octokit/endpoint turns REST API endpoints into generic request options. Starting in version 4.1.0 and prior to version 10.1.3, by crafting specific `options` parameters, the `endpoint.parse(options)` call can be triggered, leading to a regular expression denial-of-service…

  • CVE-2024-45338 · Med · Dec 18, 2024
    risk 0.27 · cvss 5.3 · epss 0.01

    An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.

  • CVE-2026-41848 · Low · Jun 9, 2026
    risk 0.24 · cvss 3.7 · epss 0.00

    Applications may be vulnerable to a Regular Expression Denial of Service (ReDoS) attack if an attacker is able to provide a pattern which is then directly or indirectly supplied to one of the following methods in AntPathMatcher: match(String pattern, String path),…

  • CVE-2024-9506 · Low · Oct 15, 2024
    risk 0.24 · cvss 3.7 · epss 0.01

    Improper regular expression in Vue's parseHTML function leads to a potential regular expression denial of service vulnerability.

  • CVE-2026-11478 · Low · Jun 8, 2026
    risk 0.21 · cvss 3.3 · epss 0.00

    A flaw has been found in kokke tiny-regex-c up to f2632c6d9ed25272987471cdb8b70395c2460bdb. This vulnerability affects the function matchstar of the file re.c of the component Pattern Handler. This manipulation causes inefficient regular expression complexity. The attack is…

  • CVE-2026-10692 · Med · Jun 3, 2026
    risk 0.21 · cvss 4.3 · epss 0.00

    A weakness has been identified in johnhuang316 code-index-mcp up to 2.14.0. Affected is the function is_safe_regex_pattern of the component search_code_advanced. Executing a manipulation of the argument regex can lead to inefficient regular expression complexity. It is possible…

  • CVE-2026-10691 · Med · Jun 3, 2026
    risk 0.21 · cvss 4.3 · epss 0.00

    A security flaw has been discovered in wonderwhy-er DesktopCommanderMCP up to 0.2.38. This impacts an unknown function of the file src/search-manager.ts of the component start_search. Performing a manipulation of the argument SearchResult[] results in inefficient regular…

  • CVE-2026-10291 · Med · Jun 1, 2026
    risk 0.21 · cvss 4.3 · epss 0.00

    A security vulnerability has been detected in Enderfga claw-orchestrator up to 3.7.0. The impacted element is the function validateRegex of the file claw-orchestrator/src/embedded-server.ts of the component Session Grep Endpoint. The manipulation of the argument body.pattern…