CWE-1333: Inefficient Regular Expression Complexity (ReDoS)
399 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE.
CVEs classified under CWE-1333 (page 4 of 8)
- CVE-2022-44570 | HIGH | CVSS 7.5 | EG 7.5 | 2023-02-09
  A denial of service vulnerability in the Range header parsing component of Rack >= 1.5.0. A carefully crafted input can cause the Range header parsing component in Rack to take an unexpected amount of time, possibly resulting in a denial o…
- CVE-2022-44571 | HIGH | CVSS 7.5 | EG 7.5 | 2023-02-09
  There is a denial of service vulnerability in the Content-Disposition parsing component of Rack fixed in 2.0.9.2, 2.1.4.2, 2.2.4.1, 3.0.0.1. This could allow an attacker to craft an input that can cause Content-Disposition header parsing in…
- CVE-2022-44572 | HIGH | CVSS 7.5 | EG 7.5 | 2023-02-09
  A denial of service vulnerability in the multipart parsing component of Rack fixed in 2.0.9.2, 2.1.4.2, 2.2.4.1 and 3.0.0.1 could allow an attacker to craft input that can cause RFC2183 multipart boundary parsing in Rack to take an unexpect…
- CVE-2022-4891 | LOW | CVSS 3.5 | EG 3.5 | 2023-01-17
  A vulnerability has been found in Sisimai up to 4.25.14p11 and classified as problematic. This vulnerability affects the function to_plain of the file lib/sisimai/string.rb. The manipulation leads to inefficient regular expression complexi…
- CVE-2023-0632 | MEDIUM | CVSS 6.5 | EG 6.5 | 2023-08-02
  An issue has been discovered in GitLab affecting all versions starting from 15.2 before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. A Regular Expression Denial of Service was possib…
- CVE-2023-0881 | HIGH | CVSS 7.5 | EG 7.5 | 2025-03-31
  Running DDoS on tcp port 22 will trigger a kernel crash. This issue is introduced by the backport of a commit regarding nft_lookup without the subsequent fixes that were introduced after this commit. The resolution of this CVE introduces t…
- CVE-2023-1894 | MEDIUM | CVSS 5.3 | EG 5.3 | 2023-05-04
  A Regular Expression Denial of Service (ReDoS) issue was discovered in Puppet Server 7.9.2 certificate validation. An issue related to specifically crafted certificate names significantly slowed down server operations.
- CVE-2023-2132 | HIGH | CVSS 7.5 | EG 7.5 | 2023-06-06
  An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.4 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. A DollarMathPostFilter Regular Expressio…
- CVE-2023-2198 | HIGH | CVSS 7.5 | EG 7.5 | 2023-06-07
  An issue has been discovered in GitLab CE/EE affecting all versions starting from 8.7 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. A Regular Expression Denial of Service wa…
- CVE-2023-2199 | HIGH | CVSS 7.5 | EG 7.5 | 2023-06-07
  An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.0 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. A Regular Expression Denial of Service w…
- CVE-2023-2232 | MEDIUM | CVSS 6.5 | EG 6.5 | 2023-06-28
  An issue has been discovered in GitLab affecting all versions starting from 15.10 before 16.1, leading to a ReDoS vulnerability in the Jira prefix
- CVE-2023-22467 | HIGH | CVSS 7.5 | EG 7.5 | 2023-01-04
  Luxon is a library for working with dates and times in JavaScript. On the 1.x branch prior to 1.38.1, the 2.x branch prior to 2.5.2, and the 3.x branch on 3.2.1, Luxon's `DateTime.fromRFC2822()` has quadratic (N^2) complexity on some specif…
- CVE-2023-22792 | HIGH | CVSS 7.5 | EG 7.5 | 2023-02-09
  A regular expression based DoS vulnerability in Action Dispatch <6.0.6.1, <6.1.7.1, and <7.0.4.1. Specially crafted cookies, in combination with a specially crafted X_FORWARDED_HOST header, can cause the regular expression engine to enter a…
- CVE-2023-22795 | HIGH | CVSS 7.5 | EG 7.5 | 2023-02-09
  A regular expression based DoS vulnerability in Action Dispatch <6.1.7.1 and <7.0.4.1 related to the If-None-Match header. A specially crafted HTTP If-None-Match header can cause the regular expression engine to enter a state of catastroph…
- CVE-2023-22796 | HIGH | CVSS 7.5 | EG 7.5 | 2023-02-09
  A regular expression based DoS vulnerability in Active Support <6.1.7.1 and <7.0.4.1. A specially crafted string passed to the underscore method can cause the regular expression engine to enter a state of catastrophic backtracking. This ca…
- CVE-2023-22799 | HIGH | CVSS 7.5 | EG 7.5 | 2023-02-09
  A ReDoS based DoS vulnerability in GlobalID <1.0.1, where an attacker supplying a carefully crafted input could cause the regular expression engine to take an unexpected amount of time. All users running an affected release sh…
- CVE-2023-23621 | HIGH | CVSS 8.6 | EG 8.6 | 2023-01-28
  Discourse is an open-source discussion platform. Prior to version 3.0.1 on the `stable` branch and version 3.1.0.beta2 on the `beta` and `tests-passed` branches, a malicious user can cause a regular expression denial of service using a car…
- CVE-2023-23925 | HIGH | CVSS 8.6 | EG 8.6 | 2023-02-03
  Switcher Client is a JavaScript SDK to work with Switcher API, which is a cloud-based Feature Flag service. Unsanitized input flows into the Strategy match operation (EXIST), where it is used to build a regular expression. This may result in a Regular ex…
- CVE-2023-24038 | HIGH | CVSS 7.5 | EG 7.5 | 2023-01-21
  The HTML-StripScripts module through 1.06 for Perl allows _hss_attval_style ReDoS because of catastrophic backtracking for HTML content with certain style attributes.
- CVE-2023-24807 | HIGH | CVSS 7.5 | EG 7.5 | 2023-02-16
  Undici is an HTTP/1.1 client for Node.js. Prior to version 5.19.1, the `Headers.set()` and `Headers.append()` methods are vulnerable to Regular Expression Denial of Service (ReDoS) attacks when untrusted values are passed into the function…
- CVE-2023-25166 | MEDIUM | CVSS 5.5 | EG 5.5 | 2023-02-08
  formula is a math and string formula parser. In versions prior to 3.0.1, crafted user-provided strings to formula's parser might lead to polynomial execution time and a denial of service. Users should upgrade to 3.0.1+. There are no known w…
- CVE-2023-25167 | MEDIUM | CVSS 6.5 | EG 6.5 | 2023-02-08
  Discourse is an open source discussion platform. In affected versions a malicious user can cause a regular expression denial of service using a carefully crafted git URL. This issue is patched in the latest stable, beta and tests-passed ve…
- CVE-2023-26103 | MEDIUM | CVSS 5.3 | EG 5.3 | 2023-02-25
  Versions of the package deno before 1.31.0 are vulnerable to Regular Expression Denial of Service (ReDoS) due to the upgradeWebSocket function, which contains regexes in the form of /s*,s*/, used for splitting the Connection/Upgrade header…
- CVE-2023-26112 | LOW | CVSS 3.7 | EG 3.7 | 2023-04-03
  All versions of the package configobj are vulnerable to Regular Expression Denial of Service (ReDoS) via the validate function, using (.+?)\((.*)\). **Note:** This is only exploitable in the case of a developer putting the offending valu…
- CVE-2023-26115 | MEDIUM | CVSS 5.3 | EG 5.3 | 2023-06-22
  All versions of the package word-wrap are vulnerable to Regular Expression Denial of Service (ReDoS) due to the usage of an insecure regular expression within the result variable.
- CVE-2023-26116 | MEDIUM | CVSS 5.3 | EG 5.3 | 2023-03-30
  Versions of the package angular from 1.2.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the angular.copy() utility function due to the usage of an insecure regular expression. Exploiting this vulnerability is possibl…
- CVE-2023-26117 | MEDIUM | CVSS 5.3 | EG 5.3 | 2023-03-30
  Versions of the package angular from 1.0.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the $resource service due to the usage of an insecure regular expression. Exploiting this vulnerability is possible by a large ca…
- CVE-2023-26118 | MEDIUM | CVSS 5.3 | EG 5.3 | 2023-03-30
  Versions of the package angular from 1.4.9 are vulnerable to Regular Expression Denial of Service (ReDoS) via the <input type="url"> element due to the usage of an insecure regular expression in the input[url] functionality. Exploiting thi…
- CVE-2023-27704 | MEDIUM | CVSS 5.5 | EG 5.5 | 2023-04-12
  Void Tools Everything lower than v1.4.1.1022 was discovered to contain a Regular Expression Denial of Service (ReDoS).
- CVE-2023-28755 | MEDIUM | CVSS 5.3 | EG 5.3 | 2023-03-31
  A ReDoS issue was discovered in the URI component through 0.12.0 in Ruby through 3.2.1. The URI parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to URI objects. The f…
- CVE-2023-28756 | MEDIUM | CVSS 5.3 | EG 5.3 | 2023-03-31
  A ReDoS issue was discovered in the Time component through 0.2.1 in Ruby through 3.2.1. The Time parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to Time objects. The…
- CVE-2023-29486 | CRITICAL | CVSS 9.8 | EG 9.8 | 2023-12-21
  An issue was discovered in Heimdal Thor agent versions 3.4.2 and before 3.7.0 on Windows that allows attackers to bypass USB access restrictions, execute arbitrary code, and obtain sensitive information via the Next-Gen Antivirus component. NOTE: …
- CVE-2023-29487 | CRITICAL | CVSS 9.1 | EG 9.1 | 2023-12-21
  An issue was discovered in Heimdal Thor agent versions 3.4.2 and before on Windows and 2.6.9 and before on macOS that allows attackers to cause a denial of service (DoS) via the Threat To Process Correlation threat prevention module. NOTE: Hei…
- CVE-2023-30608 | MEDIUM | CVSS 5.5 | EG 5.5 | 2023-04-18
  sqlparse is a non-validating SQL parser module for Python. In affected versions the SQL parser contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service). This issue was introduced by commit `e75e358`.…
- CVE-2023-30858 | MEDIUM | CVSS 5.3 | EG 5.3 | 2023-04-28
  The Denosaurs emoji package provides emojis for dinosaurs. Starting in version 0.1.0 and prior to version 0.3.0, the reTrimSpace regex has 2nd degree polynomial inefficiency, leading to a delayed response given a big payload. The issue has…
- CVE-2023-31606 | HIGH | CVSS 7.5 | EG 7.5 | 2023-06-06
  A Regular Expression Denial of Service (ReDoS) issue was discovered in the sanitize_html function of redcloth gem v4.0.0. This vulnerability allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.
- CVE-2023-3205 | MEDIUM | CVSS 6.5 | EG 6.5 | 2023-09-01
  An issue has been discovered in GitLab affecting all versions starting from 15.11 before 16.1.5, all versions starting from 16.2 before 16.2.5, all versions starting from 16.3 before 16.3.1. An authenticated user could trigger a denial of …
- CVE-2023-3210 | MEDIUM | CVSS 6.5 | EG 6.5 | 2023-09-01
  An issue has been discovered in GitLab affecting all versions starting from 15.11 before 16.1.5, all versions starting from 16.2 before 16.2.5, all versions starting from 16.3 before 16.3.1. An authenticated user could trigger a denial of …
- CVE-2023-32610 | HIGH | CVSS 7.5 | EG 7.5 | 2023-06-29
  Mailform Pro CGI 4.3.1.2 and earlier allows a remote unauthenticated attacker to cause a denial-of-service (DoS) condition.
- CVE-2023-32758 | HIGH | CVSS 7.5 | EG 7.5 | 2023-05-15
  giturlparse (aka git-url-parse) through 1.2.2, as used in Semgrep 1.5.2 through 1.24.1, is vulnerable to ReDoS (Regular Expression Denial of Service) if parsing untrusted URLs. This might be relevant if Semgrep is analyzing an untrusted pa…
- CVE-2023-33289 | HIGH | CVSS 7.5 | EG 7.5 | 2023-06-21
  The urlnorm crate through 0.1.4 for Rust allows Regular Expression Denial of Service (ReDoS) via a crafted URL to lib.rs. NOTE: the Supplier disputes this, taking the position that "Slow printing of URLs is not a CVE."
- CVE-2023-33290 | HIGH | CVSS 7.5 | EG 7.5 | 2023-06-12
  The git-url-parse crate through 0.4.4 for Rust allows Regular Expression Denial of Service (ReDoS) via a crafted URL to normalize_url in lib.rs, a similar issue to CVE-2023-32758 (Python).
- CVE-2023-3364 | HIGH | CVSS 7.5 | EG 7.5 | 2023-08-02
  An issue has been discovered in GitLab CE/EE affecting all versions starting from 8.14 before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. A Regular Expression Denial of Service was …
- CVE-2023-33950 | MEDIUM | CVSS 6.5 | EG 6.5 | 2023-05-24
  Pattern Redirects in Liferay Portal 7.4.3.48 through 7.4.3.76, and Liferay DXP 7.4 update 48 through 76, allows regular expressions that are vulnerable to ReDoS attacks to be used as patterns, which allows remote attackers to consume an exc…
- CVE-2023-34104 | HIGH | CVSS 7.5 | EG 7.5 | 2023-06-06
  fast-xml-parser is an open source, pure JavaScript XML parser. fast-xml-parser allows special characters in entity names, which are not escaped or sanitized. Since the entity name is used for creating a regex for searching and replacing en…
- CVE-2023-3424 | HIGH | CVSS 7.5 | EG 7.5 | 2023-07-13
  An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.3 before 15.11.10, all versions starting from 16.0 before 16.0.6, all versions starting from 16.1 before 16.1.1. A Regular Expression Denial of Service wa…
- CVE-2023-3446 | MEDIUM | CVSS 5.3 | EG 5.3 | 2023-07-19
  Issue summary: Checking excessively long DH keys or parameters may be very slow. Impact summary: Applications that use the functions DH_check(), DH_check_ex() or EVP_PKEY_param_check() to check a DH key or DH parameters may experience lon…
- CVE-2023-36053 | HIGH | CVSS 7.5 | EG 7.5 | 2023-07-03
  In Django 3.2 before 3.2.20, 4 before 4.1.10, and 4.2 before 4.2.3, EmailValidator and URLValidator are subject to a potential ReDoS (regular expression denial of service) attack via a very large number of domain name labels of emails and …
- CVE-2023-36543 | MEDIUM | CVSS 6.5 | EG 6.5 | 2023-07-12
  Apache Airflow, versions before 2.6.3, has a vulnerability where an authenticated user can use crafted input to make the current request hang. It is recommended to upgrade to a version that is not affected.
- CVE-2023-36617 | MEDIUM | CVSS 5.3 | EG 5.3 | 2023-06-29
  A ReDoS issue was discovered in the URI component before 0.12.2 for Ruby. The URI parser mishandles invalid URLs that have specific characters. There is an increase in execution time for parsing strings to URI objects with rfc2396_parser.r…