CWE-1333— Inefficient Regular Expression Complexity (ReDoS)
399 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-1333page 8 of 8
- CVE-2025-5897MEDIUMCVSS 4.3EG 4.32025-06-09
A vulnerability was found in vuejs vue-cli up to 5.0.8. It has been rated as problematic. This issue affects the function HtmlPwaPlugin of the file packages/@vue/cli-plugin-pwa/lib/HtmlPwaPlugin.js of the component Markdown Code Handler. T…
- CVE-2025-6051MEDIUMCVSS 5.3EG 5.32025-09-14
A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically within the `normalize_numbers()` method of the `EnglishNormalizer` class. This vulnerability affects version…
- CVE-2025-6069MEDIUMCVSS 4.3EG 4.32025-06-17
The html.parser.HTMLParser class had worse-case quadratic complexity when processing certain crafted malformed inputs potentially leading to amplified denial-of-service.
- CVE-2025-61581HIGHCVSS 7.5EG 7.52025-10-16
** UNSUPPORTED WHEN ASSIGNED ** Inefficient Regular Expression Complexity vulnerability in Apache Traffic Control. This issue affects Apache Traffic Control: all versions. People with access to the management interface of the Traffic Rou…
- CVE-2025-61921HIGHCVSS 7.5EG 7.52025-10-10
Sinatra is a domain-specific language for creating web applications in Ruby. In versions prior to 4.2.0, there is a denial of service vulnerability in the `If-Match` and `If-None-Match` header parsing component of Sinatra, if the `etag` me…
- CVE-2025-62484HIGHCVSS 8.1EG 8.12025-11-13
Inefficient regular expression complexity in certain Zoom Workplace Clients before version 6.5.10 may allow an unauthenticated user to conduct an escalation of privilege via network access.
- CVE-2025-6492MEDIUMCVSS 5.3EG 5.32025-06-22
A vulnerability has been found in MarkText up to 0.17.1 and classified as problematic. Affected by this vulnerability is the function getRecommendTitleFromMarkdownString of the file marktext/src/main/utils/index.js. The manipulation leads …
- CVE-2025-6493MEDIUMCVSS 5.3EG 5.32025-06-22
A weakness has been identified in CodeMirror up to 5.65.20. Affected is an unknown function of the file mode/markdown/markdown.js of the component Markdown Mode. This manipulation causes inefficient regular expression complexity. It is pos…
- CVE-2025-66020HIGHCVSS 7.5EG 7.52025-11-26
Valibot helps validate data using a schema. In versions from 0.31.0 to 1.1.0, the EMOJI_REGEX used in the emoji action is vulnerable to a Regular Expression Denial of Service (ReDoS) attack. A short, maliciously crafted string (e.g., <100 …
- CVE-2025-6638HIGHCVSS 7.5EG 7.52025-09-12
A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically affecting the MarianTokenizer's `remove_language_code()` method. This vulnerability is present in version 4.…
- CVE-2025-68142MEDIUMCVSS 5.3EG 5.32025-12-16
PyMdown Extensions is a set of extensions for the `Python-Markdown` markdown project. Versions prior to 10.16.1 have a ReDOS bug found within the figure caption extension (`pymdownx.blocks.caption`). In systems that take unchecked user con…
- CVE-2025-68475HIGHCVSS 7.5EG 7.52025-12-22
Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Prior to versions 1.6.13, 1.7.14, 1.8.15, and 1.9.2, a Regular Expression Denial of Service (ReDoS) vulnerability exists in Fedify's document loader.…
- CVE-2025-69873LOWCVSS 2.9EG 2.92026-02-11
ajv (Another JSON Schema Validator) before 8.18.0 is vulnerable to Regular Expression Denial of Service (ReDoS) when the $data option is enabled. The pattern keyword accepts runtime data via JSON Pointer syntax ($data reference), which is …
- CVE-2025-6998HIGHCVSS 8.7EG 0.02025-07-24
ReDoS in strip_whitespaces() function in cps/string_helper.py in Calibre Web and Autocaliweb allows unauthenticated remote attackers to cause denial of service via specially crafted username parameter that triggers catastrophic backtracki…
- CVE-2025-70030HIGHCVSS 7.5EG 7.52026-03-09
An issue pertaining to CWE-1333: Inefficient Regular Expression Complexity (4.19) was discovered in Sunbird-Ed SunbirdEd-portal v1.13.4.
- CVE-2025-7074MEDIUMCVSS 4.3EG 4.32025-07-05
A vulnerability classified as problematic has been found in vercel hyper up to 3.4.1. This affects the function expand/braceExpand/ignoreMap of the file hyper/bin/rimraf-standalone.js. The manipulation leads to inefficient regular expressi…
- CVE-2025-7579MEDIUMCVSS 4.3EG 4.32025-07-14
A vulnerability was found in chinese-poetry 0.1. It has been rated as problematic. This issue affects some unknown processing of the file rank/server.js. The manipulation leads to inefficient regular expression complexity. The attack may b…
- CVE-2025-8262MEDIUMCVSS 4.3EG 4.32025-07-28
A vulnerability was found in yarnpkg Yarn up to 1.22.22. It has been classified as problematic. Affected is the function explodeHostedGitFragment of the file src/resolvers/exotics/hosted-git-resolver.js. The manipulation leads to inefficie…
- CVE-2025-9308LOWCVSS 3.3EG 3.32025-08-21
A vulnerability has been found in yarnpkg Yarn up to 1.22.22. This impacts the function setOptions of the file src/util/request-manager.js. Such manipulation leads to inefficient regular expression complexity. Local access is required to a…
- CVE-2025-9670MEDIUMCVSS 5.3EG 5.32025-08-29
A security flaw has been discovered in mixmark-io turndown up to 7.2.1. This affects an unknown function of the file src/commonmark-rules.js. Performing manipulation results in inefficient regular expression complexity. It is possible to i…
- CVE-2026-0621HIGHCVSS 7.5EG 7.52026-01-05
Anthropic's MCP TypeScript SDK versions up to and including 1.25.1 contain a regular expression denial of service (ReDoS) vulnerability in the UriTemplate class when processing RFC 6570 exploded array patterns. The dynamically generated re…
- CVE-2026-0668MEDIUMCVSS 5.3EG 5.32026-01-07
Inefficient Regular Expression Complexity vulnerability in Wikimedia Foundation MediaWiki - VisualData Extension allows Regular Expression Exponential Blowup.This issue affects MediaWiki - VisualData Extension: 1.45.
- CVE-2026-0967MEDIUMCVSS 5.5EG 2.22026-03-26
A flaw was found in libssh. A remote attacker, by controlling client configuration files or known_hosts files, could craft specific hostnames that when processed by the `match_pattern()` function can lead to inefficient regular expression …
- CVE-2026-10291MEDIUMCVSS 4.3EG 4.32026-06-01
A security vulnerability has been detected in Enderfga claw-orchestrator up to 3.7.0. The impacted element is the function validateRegex of the file claw-orchestrator/src/embedded-server.ts of the component Session Grep Endpoint. The manip…
- CVE-2026-10691MEDIUMCVSS 4.3EG 4.32026-06-02
A security flaw has been discovered in wonderwhy-er DesktopCommanderMCP up to 0.2.38. This impacts an unknown function of the file src/search-manager.ts of the component start_search. Performing a manipulation of the argument SearchResult[…
- CVE-2026-10692MEDIUMCVSS 4.3EG 4.32026-06-02
A weakness has been identified in johnhuang316 code-index-mcp up to 2.14.0. Affected is the function is_safe_regex_pattern of the component search_code_advanced. Executing a manipulation of the argument regex can lead to inefficient regula…
- CVE-2026-21868HIGHCVSS 7.5EG 7.52026-01-08
Flag Forge is a Capture The Flag (CTF) platform. Versions 2.3.2 and below have a Regular Expression Denial of Service (ReDoS) vulnerability in the user profile API endpoint (/api/user/[username]). The application constructs a regular expre…
- CVE-2026-22691MEDIUMCVSS 5.3EG 5.32026-01-10
pypdf is a free and open-source pure-python PDF library. Prior to version 6.6.0, pypdf has possible long runtimes for malformed startxref. An attacker who uses this vulnerability can craft a PDF which leads to possibly long runtimes for in…
- CVE-2026-22809MEDIUMCVSS 4.4EG 4.42026-01-13
tarteaucitron.js is a compliant and accessible cookie banner. Prior to 1.29.0, a Regular Expression Denial of Service (ReDoS) vulnerability was identified in tarteaucitron.js in the handling of the issuu_id parameter. This vulnerability is…
- CVE-2026-2327MEDIUMCVSS 5.3EG 5.32026-02-12
Versions of the package markdown-it from 13.0.0 and before 14.1.1 are vulnerable to Regular Expression Denial of Service (ReDoS) due to the use of the regex /\*+$/ in the linkify function. An attacker can supply a long sequence of * charac…
- CVE-2026-23897HIGHCVSS 7.5EG 7.52026-02-04
Apollo Server is an open-source, spec-compliant GraphQL server that's compatible with any GraphQL client, including Apollo Client. In versions from 2.0.0 to 3.13.0, 4.2.0 to before 4.13.0, and 5.0.0 to before 5.4.0, the default configurati…
- CVE-2026-23956HIGHCVSS 7.5EG 7.52026-01-22
seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 0.2.0 through 1.4.0, overriding RegExp serialization with extremely large patterns can exhaust JavaScript runtime me…
- CVE-2026-24001HIGHCVSS 7.5EG 7.52026-01-22
jsdiff is a JavaScript text differencing implementation. Prior to versions 8.0.3, 5.2.2, 4.0.4, and 3.5.1, attempting to parse a patch whose filename headers contain the line break characters `\r`, `\u2028`, or `\u2029` can cause the `pars…
- CVE-2026-25547CRITICALCVSS 9.2EG 0.02026-02-04
@isaacs/brace-expansion is a hybrid CJS/ESM TypeScript fork of brace-expansion. Prior to version 5.0.1, @isaacs/brace-expansion is vulnerable to a denial of service (DoS) issue caused by unbounded brace range expansion. When an attacker pr…
- CVE-2026-26006MEDIUMCVSS 6.5EG 6.52026-02-10
AutoGPT is a platform that allows users to create, deploy, and manage continuous artificial intelligence agents that automate complex workflows. The autogpt before 0.6.32 is vulnerable to Regular Expression Denial of Service due to the use…
- CVE-2026-33079HIGHCVSS 8.7EG 8.72026-05-06
In versions 3.0.0a1 through 3.2.0 of Mistune, there is a ReDoS (Regular Expression Denial of Service) vulnerability in `LINK_TITLE_RE` that allows an attacker who can supply Markdown for parsing to cause denial of service. The regular expr…
- CVE-2026-34939MEDIUMCVSS 6.5EG 6.52026-04-03
PraisonAI is a multi-agent teams system. Prior to version 4.5.90, MCPToolIndex.search_tools() compiles a caller-supplied string directly as a Python regular expression with no validation, sanitization, or timeout. A crafted regex causes ca…
- CVE-2026-35041MEDIUMCVSS 4.2EG 4.22026-04-09
fast-jwt provides fast JSON Web Token (JWT) implementation. From 5.0.0 to 6.2.0, a denial-of-service condition exists in fast-jwt when the allowedAud verification option is configured using a regular expression. Because the aud claim is at…
- CVE-2026-35213HIGHCVSS 7.5EG 7.52026-04-06
@hapi/content provided HTTP Content-* headers parsing. All versions of @hapi/content through 6.0.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via crafted HTTP header values. Three regular expressions used to parse Conte…
- CVE-2026-35458CRITICALCVSS 9.8EG 9.82026-04-07
Gotenberg is an API for converting document formats. In 8.29.1 and earlier, Gotenberg uses dlclark/regexp2 to compile user-supplied scope patterns without setting a proper timeout. Users with access to features using this logic can hang wo…
- CVE-2026-35611HIGHCVSS 7.5EG 7.52026-04-07
Addressable is an alternative implementation to the URI implementation that is part of Ruby's standard library. From 2.3.0 to before 2.9.0, within the URI template implementation in Addressable, two classes of URI template generate regular…
- CVE-2026-39320HIGHCVSS 7.5EG 7.52026-04-21
Signal K Server is a server application that runs on a central hub in a boat. Versions prior to 2.25.0 are vulnerable to an unauthenticated Regular Expression Denial of Service (ReDoS) attack within the WebSocket subscription handling logi…
- CVE-2026-40319MEDIUMCVSS 5.5EG 5.52026-04-17
Giskard is an open-source testing framework for AI models. In versions prior to 1.0.2b1, the RegexMatching check passes a user-supplied regular expression pattern directly to Python's re.search() without any timeout or complexity guard. A …
- CVE-2026-41040HIGHCVSS 7.5EG 7.52026-04-23
GROWI provided by GROWI, Inc. is vulnerable to a regular expression denial of service (ReDoS) via a crafted input string.
- CVE-2026-44425MEDIUMCVSS 5.4EG 5.42026-05-13
ShellHub is a centralized SSH gateway. Prior to 0.24.2, the device list endpoint accepts user-controlled identifiers in the the name field of each filter property in the base64-encoded filter query parameter and the sort_by query parameter…
- CVE-2026-44796MEDIUMCVSS 6.5EG 6.52026-05-28
Nautobot is a Network Source of Truth and Network Automation Platform. Prior to 2.4.33 and 3.1.2, Nautobot UI object-bulk-rename endpoints (for example, /dcim/interfaces/rename/) were vulnerable to application-wide denial of service via ma…
- CVE-2026-5986MEDIUMCVSS 5.3EG 5.32026-04-09
A weakness has been identified in Zod jsVideoUrlParser up to 0.5.1. The impacted element is the function getTime in the library lib/util.js. This manipulation of the argument timestamp causes inefficient regular expression complexity. It i…
- CVE-2026-8159HIGHCVSS 7.5EG 7.52026-05-12
multiparty@4.2.3 and lower versions are vulnerable to denial of service via regular expression backtracking in the Content-Disposition filename parameter parser. A crafted multipart upload with a long header value can cause regex matching …
- CVE-2026-9496HIGHCVSS 7.5EG 7.52026-05-26
Versions of the package pacote from 11.2.7 are vulnerable to Denial of Service (DoS) via the addGitSha function. An attacker can exploit this vulnerability by supplying a specially crafted spec.rawSpec value that triggers the function’s …
Map vulnerabilities like CWE-1333 to your infrastructure
EchelonGraph correlates every CVE — across CWE-1333 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →