Total
309 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-8998 | 1 Lunary | 1 Lunary | 2025-04-04 | 7.5 High |
| A Regular Expression Denial of Service (ReDoS) vulnerability exists in lunary-ai/lunary version git f07a845. The server uses the regex /{.*?}/ to match user-controlled strings. In the default JavaScript regex engine, this regex can take polynomial time to match certain crafted user inputs. As a result, an attacker can cause the server to hang for an arbitrary amount of time by submitting a specially crafted payload. This issue is fixed in version 1.4.26. | ||||
| CVE-2022-25901 | 1 Cookiejar Project | 1 Cookiejar | 2025-04-03 | 5.3 Medium |
| Versions of the package cookiejar before 2.1.4 are vulnerable to Regular Expression Denial of Service (ReDoS) via the Cookie.parse function, which uses an insecure regular expression. | ||||
| CVE-2023-24038 | 2 Debian, Html-stripscripts Project | 2 Debian Linux, Html-stripscripts | 2025-04-02 | 7.5 High |
| The HTML-StripScripts module through 1.06 for Perl allows _hss_attval_style ReDoS because of catastrophic backtracking for HTML content with certain style attributes. | ||||
| CVE-2022-25927 | 2 Redhat, Ua-parser-js Project | 2 Rhmt, Ua-parser-js | 2025-04-01 | 5.3 Medium |
| Versions of the package ua-parser-js from 0.7.30 and before 0.7.33, from 0.8.1 and before 1.0.33 are vulnerable to Regular Expression Denial of Service (ReDoS) via the trim() function. | ||||
| CVE-2025-2833 | 1 Zhyd | 1 Oneblog | 2025-04-01 | 5.3 Medium |
| A vulnerability was found in zhangyd-c OneBlog up to 2.3.9. It has been classified as problematic. Affected is an unknown function of the component HTTP Header Handler. The manipulation of the argument X-Forwarded-For leads to inefficient regular expression complexity. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2022-25881 | 2 Http-cache-semantics Project, Redhat | 8 Http-cache-semantics, Acm, Enterprise Linux and 5 more | 2025-03-27 | 5.3 Medium |
| This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library. | ||||
| CVE-2023-22792 | 2 Redhat, Rubyonrails | 2 Satellite, Rails | 2025-03-24 | 7.5 High |
| A regular expression based DoS vulnerability in Action Dispatch <6.0.6.1,< 6.1.7.1, and <7.0.4.1. Specially crafted cookies, in combination with a specially crafted X_FORWARDED_HOST header can cause the regular expression engine to enter a state of catastrophic backtracking. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability All users running an affected release should either upgrade or use one of the workarounds immediately. | ||||
| CVE-2020-36661 | 1 Konghq | 1 Multipart | 2025-03-24 | 3.5 Low |
| A vulnerability was found in Kong lua-multipart 0.5.8-1. It has been declared as problematic. This vulnerability affects the function is_header of the file src/multipart.lua. The manipulation leads to inefficient regular expression complexity. Upgrading to version 0.5.9-1 is able to address this issue. The patch is identified as d632e5df43a2928fd537784a99a79dec288bf01b. It is recommended to upgrade the affected component. VDB-220642 is the identifier assigned to this vulnerability. | ||||
| CVE-2024-49761 | 4 Netapp, Redhat, Ruby and 1 more | 9 Ontap Tools, Enterprise Linux, Rhel Aus and 6 more | 2025-03-21 | 7.5 High |
| REXML is an XML toolkit for Ruby. The REXML gem before 3.3.9 has a ReDoS vulnerability when it parses an XML that has many digits between &# and x...; in a hex numeric character reference (&#x...;). This does not happen with Ruby 3.2 or later. Ruby 3.1 is the only affected maintained Ruby. The REXML gem 3.3.9 or later include the patch to fix the vulnerability. | ||||
| CVE-2024-41766 | 3 Ibm, Linux, Microsoft | 4 Engineering Lifecycle Optimization - Publishing, Engineering Lifecycle Optimization Publishing, Linux Kernel and 1 more | 2025-03-21 | 7.5 High |
| IBM Engineering Lifecycle Optimization - Publishing 7.0.2 and 7.0.3 could allow a remote attacker to cause a denial of service using a complex regular expression. | ||||
| CVE-2024-10550 | 2025-03-20 | N/A | ||
| A vulnerability in the `/3/ParseSetup` endpoint of h2oai/h2o-3 version 3.46.0.1 allows for a denial of service (DoS) attack. The endpoint applies a user-specified regular expression to a user-controllable string. This can be exploited by an attacker to cause inefficient regular expression complexity, leading to the exhaustion of server resources and making the server unresponsive. | ||||
| CVE-2024-6232 | 2 Python, Redhat | 8 Cpython, Python, Enterprise Linux and 5 more | 2025-03-20 | 7.5 High |
| There is a MEDIUM severity vulnerability affecting CPython. Regular expressions that allowed excessive backtracking during tarfile.TarFile header parsing are vulnerable to ReDoS via specifically-crafted tar archives. | ||||
| CVE-2023-6736 | 1 Gitlab | 1 Gitlab | 2025-03-20 | 6.5 Medium |
| An issue has been discovered in GitLab EE affecting all versions starting from 11.3 before 16.7.6, all versions starting from 16.8 before 16.8.3, all versions starting from 16.9 before 16.9.1. It was possible for an attacker to cause a client-side denial of service using malicious crafted content in the CODEOWNERS file. | ||||
| CVE-2024-12720 | 2025-03-20 | N/A | ||
| A Regular Expression Denial of Service (ReDoS) vulnerability was identified in the huggingface/transformers library, specifically in the file tokenization_nougat_fast.py. The vulnerability occurs in the post_process_single() function, where a regular expression processes specially crafted input. The issue stems from the regex exhibiting exponential time complexity under certain conditions, leading to excessive backtracking. This can result in significantly high CPU usage and potential application downtime, effectively creating a Denial of Service (DoS) scenario. The affected version is v4.46.3 (latest). | ||||
| CVE-2025-26042 | 2025-03-19 | 6 Medium | ||
| Uptime Kuma >== 1.23.0 has a ReDoS vulnerability, specifically when an administrator creates a notification through the web service. If a string is provided it triggers catastrophic backtracking in the regular expression, leading to a ReDoS attack. | ||||
| CVE-2020-6817 | 1 Mozilla | 1 Bleach | 2025-03-19 | 7.5 High |
| bleach.clean behavior parsing style attributes could result in a regular expression denial of service (ReDoS). Calls to bleach.clean with an allowed tag with an allowed style attribute are vulnerable to ReDoS. For example, bleach.clean(..., attributes={'a': ['style']}). | ||||
| CVE-2024-48938 | 1 Znuny | 1 Znuny | 2025-03-14 | 7.5 High |
| Znuny before LTS 6.5.1 through 6.5.10 and 7.0.1 through 7.0.16 allows DoS/ReDos via email. Parsing the content of emails where HTML code is copied from Microsoft Word could lead to high CPU usage and block the parsing process. | ||||
| CVE-2025-27789 | 2025-03-11 | 6.2 Medium | ||
| Babel is a compiler for writing next generation JavaScript. When using versions of Babel prior to 7.26.10 and 8.0.0-alpha.17 to compile regular expression named capturing groups, Babel will generate a polyfill for the `.replace` method that has quadratic complexity on some specific replacement pattern strings (i.e. the second argument passed to `.replace`). Generated code is vulnerable if all the following conditions are true: Using Babel to compile regular expression named capturing groups, using the `.replace` method on a regular expression that contains named capturing groups, and the code using untrusted strings as the second argument of `.replace`. This problem has been fixed in `@babel/helpers` and `@babel/runtime` 7.26.10 and 8.0.0-alpha.17. It's likely that individual users do not directly depend on `@babel/helpers`, and instead depend on `@babel/core` (which itself depends on `@babel/helpers`). Upgrading to `@babel/core` 7.26.10 is not required, but it guarantees use of a new enough `@babel/helpers` version. Note that just updating Babel dependencies is not enough; one will also need to re-compile the code. No known workarounds are available. | ||||
| CVE-2023-26103 | 1 Deno | 1 Deno | 2025-03-11 | 5.3 Medium |
| Versions of the package deno before 1.31.0 are vulnerable to Regular Expression Denial of Service (ReDoS) due to the upgradeWebSocket function, which contains regexes in the form of /s*,s*/, used for splitting the Connection/Upgrade header. A specially crafted Connection/Upgrade header can be used to significantly slow down a web socket server. | ||||
| CVE-2021-32821 | 1 Mootools | 1 Mootools | 2025-03-10 | 6.2 Medium |
| MooTools is a collection of JavaScript utilities for JavaScript developers. All known versions include a CSS selector parser that is vulnerable to Regular Expression Denial of Service (ReDoS). An attack requires that an attacker can inject a string into a CSS selector at runtime, which is quite common with e.g. jQuery CSS selectors. No patches are available for this issue. | ||||