CWE-1333
Inefficient Regular Expression Complexity
Description
The product uses a regular expression with a worst-case computational complexity that is inefficient and possibly exponential.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-492
CVEs mapped to this weakness (332)
page 9 of 17| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2020-26303 | — | 0.00 | — | 0.01 | Oct 26, 2024 | insane is a whitelist-oriented HTML sanitizer. Versions 2.6.2 and prior contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS). As of time of publication, no known patches are available. | ||
| CVE-2024-9277 | 0.00 | — | 0.01 | Sep 27, 2024 | A vulnerability classified as problematic was found in Langflow up to 1.0.18. Affected by this vulnerability is an unknown functionality of the file \src\backend\base\langflow\interface\utils.py of the component HTTP POST Request Handler. The manipulation of the argument… | |||
| CVE-2024-45801 | 0.00 | — | 0.01 | Sep 16, 2024 | DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. It has been discovered that malicious HTML using special nesting techniques can bypass the depth checking added to DOMPurify in recent releases. It was also possible to use Prototype… | |||
| CVE-2020-36830 | 0.00 | — | 0.01 | Sep 2, 2024 | A vulnerability was found in nescalante urlregex up to 0.5.0 and classified as problematic. This issue affects some unknown processing of the file index.js of the component Backtracking. The manipulation leads to inefficient regular expression complexity. The attack may be… | |||
| CVE-2024-41991 | 0.00 | — | 0.01 | Aug 7, 2024 | An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The urlize and urlizetrunc template filters, and the AdminURLFieldWidget widget, are subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters. | |||
| CVE-2024-41818 | 0.00 | — | 0.01 | Jul 29, 2024 | fast-xml-parser is an open source, pure javascript xml parser. a ReDOS exists on currency.js. This vulnerability is fixed in 4.4.1. | |||
| CVE-2024-39317 | 0.00 | — | 0.01 | Jul 11, 2024 | Wagtail is an open source content management system built on Django. A bug in Wagtail's `parse_query_string` would result in it taking a long time to process suitably crafted inputs. When used to parse sufficiently long strings of characters without a space, `parse_query_string`… | |||
| CVE-2024-3651 | 0.00 | — | 0.01 | Jul 7, 2024 | A vulnerability was identified in the kjd/idna library, specifically within the `idna.encode()` function, affecting version 3.6. The issue arises from the function's handling of crafted input strings, which can lead to quadratic complexity and consequently, a denial of service… | |||
| CVE-2024-39316 | 0.00 | — | 0.01 | Jul 2, 2024 | Rack is a modular Ruby web server interface. Starting in version 3.1.0 and prior to version 3.1.5, Regular Expression Denial of Service (ReDoS) vulnerability exists in the `Rack::Request::Helpers` module when parsing HTTP Accept headers. This vulnerability can be exploited by an… | |||
| CVE-2024-4067 | 0.00 | — | 0.01 | May 13, 2024 | The NPM package `micromatch` prior to 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching… | |||
| CVE-2024-22640 | — | 0.00 | — | 0.01 | Apr 19, 2024 | TCPDF version <=6.6.5 is vulnerable to ReDoS (Regular Expression Denial of Service) if parsing an untrusted HTML page with a crafted color. | ||
| CVE-2024-3772 | 0.00 | — | 0.01 | Apr 15, 2024 | Regular expression denial of service in Pydanic < 2.4.0, < 1.10.13 allows remote attackers to cause denial of service via a crafted email string. | |||
| CVE-2024-28865 | 0.00 | — | 0.01 | Mar 18, 2024 | django-wiki is a wiki system for Django. Installations of django-wiki prior to version 0.10.1 are vulnerable to maliciously crafted article content that can cause severe use of server CPU through a regular expression loop. Version 0.10.1 fixes this issue. As a workaround, close… | |||
| CVE-2024-28864 | 0.00 | — | 0.00 | Mar 18, 2024 | SecureProps is a PHP library designed to simplify the encryption and decryption of property data in objects. A vulnerability in SecureProps version 1.2.0 and 1.2.1 involves a regex failing to detect tags during decryption of encrypted data. This occurs when the encrypted data… | |||
| CVE-2024-27351 | 0.00 | — | 0.02 | Mar 15, 2024 | In Django 3.2 before 3.2.25, 4.2 before 4.2.11, and 5.0 before 5.0.3, the django.utils.text.Truncator.words() method (with html=True) and the truncatewords_html template filter are subject to a potential regular expression denial-of-service attack via a crafted string. NOTE:… | |||
| CVE-2024-25126 | 0.00 | — | 0.35 | Feb 28, 2024 | Rack is a modular Ruby web server interface. Carefully crafted content type headers can cause Rack’s media type parser to take much longer than expected, leading to a possible denial of service vulnerability (ReDos 2nd degree polynomial). This vulnerability is patched in… | |||
| CVE-2024-26146 | 0.00 | — | 0.02 | Feb 28, 2024 | Rack is a modular Ruby web server interface. Carefully crafted headers can cause header parsing in Rack to take longer than expected resulting in a possible denial of service issue. Accept and Forwarded headers are impacted. Ruby 3.2 has mitigations for this problem, so Rack… | |||
| CVE-2024-1892 | 0.00 | — | 0.01 | Feb 28, 2024 | A Regular Expression Denial of Service (ReDoS) vulnerability exists in the XMLFeedSpider class of the scrapy/scrapy project, specifically in the parsing of XML content. By crafting malicious XML content that exploits inefficient regular expression complexity used in the parsing… | |||
| CVE-2024-26142 | 0.00 | — | 0.01 | Feb 27, 2024 | Rails is a web-application framework. Starting in version 7.1.0, there is a possible ReDoS vulnerability in the Accept header parsing routines of Action Dispatch. This vulnerability is patched in 7.1.3.1. Ruby 3.2 has mitigations for this problem, so Rails applications using… | |||
| CVE-2024-27088 | — | 0.00 | — | 0.01 | Feb 26, 2024 | es5-ext contains ECMAScript 5 extensions. Passing functions with very long names or complex default argument names into `function#copy` or `function#toStringTokens` may cause the script to stall. The vulnerability is patched in v0.10.63. |
- CVE-2020-26303Oct 26, 2024risk 0.00cvss —epss 0.01
insane is a whitelist-oriented HTML sanitizer. Versions 2.6.2 and prior contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS). As of time of publication, no known patches are available.
- CVE-2024-9277Sep 27, 2024risk 0.00cvss —epss 0.01
A vulnerability classified as problematic was found in Langflow up to 1.0.18. Affected by this vulnerability is an unknown functionality of the file \src\backend\base\langflow\interface\utils.py of the component HTTP POST Request Handler. The manipulation of the argument…
- CVE-2024-45801Sep 16, 2024risk 0.00cvss —epss 0.01
DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. It has been discovered that malicious HTML using special nesting techniques can bypass the depth checking added to DOMPurify in recent releases. It was also possible to use Prototype…
- CVE-2020-36830Sep 2, 2024risk 0.00cvss —epss 0.01
A vulnerability was found in nescalante urlregex up to 0.5.0 and classified as problematic. This issue affects some unknown processing of the file index.js of the component Backtracking. The manipulation leads to inefficient regular expression complexity. The attack may be…
- CVE-2024-41991Aug 7, 2024risk 0.00cvss —epss 0.01
An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The urlize and urlizetrunc template filters, and the AdminURLFieldWidget widget, are subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters.
- CVE-2024-41818Jul 29, 2024risk 0.00cvss —epss 0.01
fast-xml-parser is an open source, pure javascript xml parser. a ReDOS exists on currency.js. This vulnerability is fixed in 4.4.1.
- CVE-2024-39317Jul 11, 2024risk 0.00cvss —epss 0.01
Wagtail is an open source content management system built on Django. A bug in Wagtail's `parse_query_string` would result in it taking a long time to process suitably crafted inputs. When used to parse sufficiently long strings of characters without a space, `parse_query_string`…
- CVE-2024-3651Jul 7, 2024risk 0.00cvss —epss 0.01
A vulnerability was identified in the kjd/idna library, specifically within the `idna.encode()` function, affecting version 3.6. The issue arises from the function's handling of crafted input strings, which can lead to quadratic complexity and consequently, a denial of service…
- CVE-2024-39316Jul 2, 2024risk 0.00cvss —epss 0.01
Rack is a modular Ruby web server interface. Starting in version 3.1.0 and prior to version 3.1.5, Regular Expression Denial of Service (ReDoS) vulnerability exists in the `Rack::Request::Helpers` module when parsing HTTP Accept headers. This vulnerability can be exploited by an…
- CVE-2024-4067May 13, 2024risk 0.00cvss —epss 0.01
The NPM package `micromatch` prior to 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching…
- CVE-2024-22640Apr 19, 2024risk 0.00cvss —epss 0.01
TCPDF version <=6.6.5 is vulnerable to ReDoS (Regular Expression Denial of Service) if parsing an untrusted HTML page with a crafted color.
- CVE-2024-3772Apr 15, 2024risk 0.00cvss —epss 0.01
Regular expression denial of service in Pydanic < 2.4.0, < 1.10.13 allows remote attackers to cause denial of service via a crafted email string.
- CVE-2024-28865Mar 18, 2024risk 0.00cvss —epss 0.01
django-wiki is a wiki system for Django. Installations of django-wiki prior to version 0.10.1 are vulnerable to maliciously crafted article content that can cause severe use of server CPU through a regular expression loop. Version 0.10.1 fixes this issue. As a workaround, close…
- CVE-2024-28864Mar 18, 2024risk 0.00cvss —epss 0.00
SecureProps is a PHP library designed to simplify the encryption and decryption of property data in objects. A vulnerability in SecureProps version 1.2.0 and 1.2.1 involves a regex failing to detect tags during decryption of encrypted data. This occurs when the encrypted data…
- CVE-2024-27351Mar 15, 2024risk 0.00cvss —epss 0.02
In Django 3.2 before 3.2.25, 4.2 before 4.2.11, and 5.0 before 5.0.3, the django.utils.text.Truncator.words() method (with html=True) and the truncatewords_html template filter are subject to a potential regular expression denial-of-service attack via a crafted string. NOTE:…
- CVE-2024-25126Feb 28, 2024risk 0.00cvss —epss 0.35
Rack is a modular Ruby web server interface. Carefully crafted content type headers can cause Rack’s media type parser to take much longer than expected, leading to a possible denial of service vulnerability (ReDos 2nd degree polynomial). This vulnerability is patched in…
- CVE-2024-26146Feb 28, 2024risk 0.00cvss —epss 0.02
Rack is a modular Ruby web server interface. Carefully crafted headers can cause header parsing in Rack to take longer than expected resulting in a possible denial of service issue. Accept and Forwarded headers are impacted. Ruby 3.2 has mitigations for this problem, so Rack…
- CVE-2024-1892Feb 28, 2024risk 0.00cvss —epss 0.01
A Regular Expression Denial of Service (ReDoS) vulnerability exists in the XMLFeedSpider class of the scrapy/scrapy project, specifically in the parsing of XML content. By crafting malicious XML content that exploits inefficient regular expression complexity used in the parsing…
- CVE-2024-26142Feb 27, 2024risk 0.00cvss —epss 0.01
Rails is a web-application framework. Starting in version 7.1.0, there is a possible ReDoS vulnerability in the Accept header parsing routines of Action Dispatch. This vulnerability is patched in 7.1.3.1. Ruby 3.2 has mitigations for this problem, so Rails applications using…
- CVE-2024-27088Feb 26, 2024risk 0.00cvss —epss 0.01
es5-ext contains ECMAScript 5 extensions. Passing functions with very long names or complex default argument names into `function#copy` or `function#toStringTokens` may cause the script to stall. The vulnerability is patched in v0.10.63.