CWE-1333
Inefficient Regular Expression Complexity
Description
The product uses a regular expression with a worst-case computational complexity that is inefficient and possibly exponential.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-492
CVEs mapped to this weakness (332)
Page 8 of 17

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-45143 | | — | 0.00 | — | 0.00 | | Jun 30, 2025 | string-math v1.2.2 was discovered to contain a Regex Denial of Service (ReDoS) which is exploited via a crafted input. |
| CVE-2025-5897 | | | 0.00 | — | 0.01 | | Jun 9, 2025 | A vulnerability was found in vuejs vue-cli up to 5.0.8. It has been rated as problematic. This issue affects the function HtmlPwaPlugin of the file packages/@vue/cli-plugin-pwa/lib/HtmlPwaPlugin.js of the component Markdown Code Handler. The manipulation leads to inefficient… |
| CVE-2025-5896 | | | 0.00 | — | 0.01 | | Jun 9, 2025 | A vulnerability was found in tarojs taro up to 4.1.1. It has been declared as problematic. This vulnerability affects unknown code of the file taro/packages/css-to-react-native/src/index.js. The manipulation leads to inefficient regular expression complexity. The attack can be… |
| CVE-2025-48887 | | | 0.00 | — | 0.00 | | May 30, 2025 | vLLM, an inference and serving engine for large language models (LLMs), has a Regular Expression Denial of Service (ReDoS) vulnerability in the file `vllm/entrypoints/openai/tool_parsers/pythonic_tool_parser.py` of versions 0.6.4 up to but excluding 0.9.0. The root cause is the… |
| CVE-2018-25110 | | | 0.00 | — | 0.00 | | May 23, 2025 | Marked prior to version 0.3.17 is vulnerable to a Regular Expression Denial of Service (ReDoS) attack due to catastrophic backtracking in several regular expressions used for parsing HTML tags and markdown links. An attacker can exploit this vulnerability by providing specially… |
| CVE-2025-2099 | | — | 0.00 | — | 0.01 | | May 19, 2025 | A vulnerability in the `preprocess_string()` function of the `transformers.testing_utils` module in huggingface/transformers version v4.48.3 allows for a Regular Expression Denial of Service (ReDoS) attack. The regular expression used to process code blocks in docstrings… |
| CVE-2025-46560 | | | 0.00 | — | 0.00 | | Apr 30, 2025 | vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. Versions starting from 0.8.0 and prior to 0.8.5 are affected by a critical performance vulnerability in the input preprocessing logic of the multimodal tokenizer. The code dynamically replaces… |
| CVE-2025-1194 | | — | 0.00 | — | 0.00 | | Apr 29, 2025 | A Regular Expression Denial of Service (ReDoS) vulnerability was identified in the huggingface/transformers library, specifically in the file `tokenization_gpt_neox_japanese.py` of the GPT-NeoX-Japanese model. The vulnerability occurs in the SubWordJapaneseTokenizer class, where… |
| CVE-2025-2792 | | low | 0.00 | — | 0.01 | | Mar 26, 2025 | Specially crafted titles may have caused a regular expression to excessively backtrack and cause a local denial of service. Additional Details are [available at Bugzilla](https://bugzilla.mozilla.org/show_bug.cgi?id=1948833) Credit: DayShift |
| CVE-2024-10549 | | | 0.00 | — | 0.01 | | Mar 20, 2025 | A vulnerability in the `/3/Parse` endpoint of h2oai/h2o-3 version 3.46.0.1 allows for a denial of service (DoS) attack. The endpoint uses a user-specified string to construct a regular expression, which is then applied to another user-specified string. By sending multiple… |
| CVE-2024-12720 | | — | 0.00 | — | 0.01 | | Mar 20, 2025 | A Regular Expression Denial of Service (ReDoS) vulnerability was identified in the huggingface/transformers library, specifically in the file tokenization_nougat_fast.py. The vulnerability occurs in the post_process_single() function, where a regular expression processes… |
| CVE-2024-10624 | | | 0.00 | — | 0.01 | | Mar 20, 2025 | A Regular Expression Denial of Service (ReDoS) vulnerability exists in the gradio-app/gradio repository, affecting the gr.Datetime component. The affected version is git commit 98cbcae. The vulnerability arises from the use of a regular expression… |
| CVE-2024-10550 | | | 0.00 | — | 0.01 | | Mar 20, 2025 | A vulnerability in the `/3/ParseSetup` endpoint of h2oai/h2o-3 version 3.46.0.1 allows for a denial of service (DoS) attack. The endpoint applies a user-specified regular expression to a user-controllable string. This can be exploited by an attacker to cause inefficient regular… |
| CVE-2025-27220 | | | 0.00 | — | 0.01 | | Mar 3, 2025 | In the CGI gem before 0.4.2 for Ruby, a Regular Expression Denial of Service (ReDoS) vulnerability exists in the Util#escapeElement method. |
| CVE-2025-25200 | | | 0.00 | — | 0.01 | | Feb 12, 2025 | Koa is expressive middleware for Node.js using ES2017 async functions. Prior to versions 0.21.2, 1.7.1, 2.15.4, and 3.0.0-alpha.3, Koa uses an evil regex to parse the `X-Forwarded-Proto` and `X-Forwarded-Host` HTTP headers. This can be exploited to carry out a Denial-of-Service… |
| CVE-2024-49761 | | — | 0.00 | — | 0.01 | | Oct 28, 2024 | REXML is an XML toolkit for Ruby. The REXML gem before 3.3.9 has a ReDoS vulnerability when it parses an XML that has many digits between &# and x...; in a hex numeric character reference (&#x...;). This does not happen with Ruby 3.2 or later. Ruby 3.1 is the only affected… |
| CVE-2020-26311 | | — | 0.00 | — | 0.00 | | Oct 26, 2024 | Useragent is a user agent parser for Node.js. All versions as of time of publication contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS). As of time of publication, no patches are available. |
| CVE-2020-26308 | | — | 0.00 | — | 0.00 | | Oct 26, 2024 | Validate.js provides a declarative way of validating javascript objects. Versions 0.13.1 and prior contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS). As of time of publication, no known patches are available. |
| CVE-2020-26305 | | — | 0.00 | — | 0.00 | | Oct 26, 2024 | CommonRegexJS is a CommonRegex port for JavaScript. All available versions contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS). As of time of publication, no known patches are available. |
| CVE-2020-26304 | | | 0.00 | — | 0.01 | | Oct 26, 2024 | Foundation is a front-end framework. Versions 6.3.3 and prior contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS). As of time of publication, it is unknown if any fixes are available. |