Total: 387 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2022-25881 | 1 Http-cache-semantics Project | 1 Http-cache-semantics | 2025-03-27 | N/A | 5.3 MEDIUM | This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library. |
| CVE-2023-22792 | 1 Rubyonrails | 1 Rails | 2025-03-24 | N/A | 7.5 HIGH | A regular expression based DoS vulnerability in Action Dispatch <6.0.6.1, <6.1.7.1, and <7.0.4.1. Specially crafted cookies, in combination with a specially crafted X_FORWARDED_HOST header, can cause the regular expression engine to enter a state of catastrophic backtracking. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability. All users running an affected release should either upgrade or use one of the workarounds immediately. |
| CVE-2024-41766 | 3 Ibm, Linux, Microsoft | 3 Engineering Lifecycle Optimization Publishing, Linux Kernel, Windows | 2025-03-21 | N/A | 7.5 HIGH | IBM Engineering Lifecycle Optimization - Publishing 7.0.2 and 7.0.3 could allow a remote attacker to cause a denial of service using a complex regular expression. |
| CVE-2023-6736 | 1 Gitlab | 1 Gitlab | 2025-03-20 | N/A | 6.5 MEDIUM | An issue has been discovered in GitLab EE affecting all versions starting from 11.3 before 16.7.6, all versions starting from 16.8 before 16.8.3, and all versions starting from 16.9 before 16.9.1. It was possible for an attacker to cause a client-side denial of service using maliciously crafted content in the CODEOWNERS file. |
| CVE-2020-6817 | 1 Mozilla | 1 Bleach | 2025-03-19 | N/A | 7.5 HIGH | bleach.clean behavior parsing style attributes could result in a regular expression denial of service (ReDoS). Calls to bleach.clean with an allowed tag with an allowed style attribute are vulnerable to ReDoS. For example, `bleach.clean(..., attributes={'a': ['style']})`. |
| CVE-2024-48938 | 1 Znuny | 1 Znuny | 2025-03-14 | N/A | 7.5 HIGH | Znuny before LTS 6.5.1 through 6.5.10 and 7.0.1 through 7.0.16 allows DoS/ReDoS via email. Parsing the content of emails where HTML code is copied from Microsoft Word could lead to high CPU usage and block the parsing process. |
| CVE-2025-27789 | | | 2025-03-11 | N/A | 6.2 MEDIUM | Babel is a compiler for writing next generation JavaScript. When using versions of Babel prior to 7.26.10 and 8.0.0-alpha.17 to compile regular expression named capturing groups, Babel will generate a polyfill for the `.replace` method that has quadratic complexity on some specific replacement pattern strings (i.e. the second argument passed to `.replace`). Generated code is vulnerable if all the following conditions are true: Using Babel to compile regular expression named capturing groups, usi ... |
| CVE-2023-26103 | 1 Deno | 1 Deno | 2025-03-11 | N/A | 5.3 MEDIUM | Versions of the package deno before 1.31.0 are vulnerable to Regular Expression Denial of Service (ReDoS) due to the upgradeWebSocket function, which contains regexes in the form of `/\s*,\s*/`, used for splitting the Connection/Upgrade header. A specially crafted Connection/Upgrade header can be used to significantly slow down a web socket server. |
| CVE-2023-33289 | 1 Urlnorm Project | 1 Urlnorm | 2025-03-08 | N/A | 7.5 HIGH | The urlnorm crate through 0.1.4 for Rust allows Regular Expression Denial of Service (ReDoS) via a crafted URL to lib.rs. NOTE: the Supplier disputes this, taking the position that "Slow printing of URLs is not a CVE." |
| CVE-2024-45338 | | | 2025-02-21 | N/A | 5.3 MEDIUM | An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service. |
| CVE-2025-25289 | | | 2025-02-14 | N/A | 5.3 MEDIUM | @octokit/request-error is an error class for Octokit request errors. Starting in version 1.0.0 and prior to version 6.1.7, a Regular Expression Denial of Service (ReDoS) vulnerability exists in the processing of HTTP request headers. By sending an authorization header containing an excessively long sequence of spaces followed by a newline and "@", an attacker can exploit inefficient regular expression processing, leading to excessive resource consumption. This can significantly degrade server pe ... |
| CVE-2025-25288 | | | 2025-02-14 | N/A | 5.3 MEDIUM | @octokit/plugin-paginate-rest is the Octokit plugin to paginate REST API endpoint responses. For versions starting in 1.0.0 and prior to 11.4.1 of the npm package `@octokit/plugin-paginate-rest`, when calling `octokit.paginate.iterator()`, a specially crafted `octokit` instance, particularly one with a malicious `link` parameter in the `headers` section of the `request`, can trigger a ReDoS attack. Version 11.4.1 contains a fix for the issue. |
| CVE-2025-25285 | | | 2025-02-14 | N/A | 5.3 MEDIUM | @octokit/endpoint turns REST API endpoints into generic request options. Starting in version 4.1.0 and prior to version 10.1.3, by crafting specific `options` parameters, the `endpoint.parse(options)` call can be triggered, leading to a regular expression denial-of-service (ReDoS) attack. This causes the program to hang and results in high CPU utilization. The issue occurs in the `parse` function within the `parse.ts` file of the npm package `@octokit/endpoint`. Version 10.1.3 contains a patch f ... |
| CVE-2024-26142 | 2 Ruby-lang, Rubyonrails | 2 Ruby, Rails | 2025-02-14 | N/A | 7.5 HIGH | Rails is a web-application framework. Starting in version 7.1.0, there is a possible ReDoS vulnerability in the Accept header parsing routines of Action Dispatch. This vulnerability is patched in 7.1.3.1. Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. |
| CVE-2024-26146 | 2 Debian, Rack | 2 Debian Linux, Rack | 2025-02-14 | N/A | 5.3 MEDIUM | Rack is a modular Ruby web server interface. Carefully crafted headers can cause header parsing in Rack to take longer than expected, resulting in a possible denial of service issue. Accept and Forwarded headers are impacted. Ruby 3.2 has mitigations for this problem, so Rack applications using Ruby 3.2 or newer are unaffected. This vulnerability is fixed in 2.0.9.4, 2.1.4.4, 2.2.8.1, and 3.0.9.1. |
| CVE-2024-25126 | 2 Debian, Rack | 2 Debian Linux, Rack | 2025-02-14 | N/A | 5.3 MEDIUM | Rack is a modular Ruby web server interface. Carefully crafted content type headers can cause Rack's media type parser to take much longer than expected, leading to a possible denial of service vulnerability (ReDoS, 2nd degree polynomial). This vulnerability is patched in 3.0.9.1 and 2.2.8.1. |
| CVE-2023-26115 | 1 Word-wrap Project | 1 Word-wrap | 2025-02-13 | N/A | 5.3 MEDIUM | All versions of the package word-wrap are vulnerable to Regular Expression Denial of Service (ReDoS) due to the usage of an insecure regular expression within the result variable. |
| CVE-2023-26112 | 1 Configobj Project | 1 Configobj | 2025-02-13 | N/A | 3.7 LOW | All versions of the package configobj are vulnerable to Regular Expression Denial of Service (ReDoS) via the validate function, using `(.+?)\((.*)\)`. **Note:** This is only exploitable if a developer puts the offending value in a server-side configuration file. |
| CVE-2022-25901 | 1 Cookiejar Project | 1 Cookiejar | 2025-02-13 | N/A | 5.3 MEDIUM | Versions of the package cookiejar before 2.1.4 are vulnerable to Regular Expression Denial of Service (ReDoS) via the Cookie.parse function, which uses an insecure regular expression. |
| CVE-2022-44571 | 1 Rack | 1 Rack | 2025-02-13 | N/A | 7.5 HIGH | There is a denial of service vulnerability in the Content-Disposition parsing component of Rack, fixed in 2.0.9.2, 2.1.4.2, 2.2.4.1, and 3.0.0.1. This could allow an attacker to craft an input that can cause Content-Disposition header parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. This header is typically used in multipart parsing. Any applications that parse multipart posts using Rack (virtually all Rails applications) are impacted. |
| CVE-2022-44572 | 1 Rack | 1 Rack | 2025-02-13 | N/A | 7.5 HIGH | A denial of service vulnerability in the multipart parsing component of Rack, fixed in 2.0.9.2, 2.1.4.2, 2.2.4.1, and 3.0.0.1, could allow an attacker to craft input that can cause RFC2183 multipart boundary parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that parse multipart posts using Rack (virtually all Rails applications) are impacted. |
| CVE-2022-44570 | 1 Rack | 1 Rack | 2025-02-13 | N/A | 7.5 HIGH | A denial of service vulnerability in the Range header parsing component of Rack >= 1.5.0. A carefully crafted input can cause the Range header parsing component in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that deal with Range requests (such as streaming applications, or applications that serve files) may be impacted. |
| CVE-2025-25283 | | | 2025-02-12 | N/A | 7.5 HIGH | parse-duration is software that allows users to convert a human readable duration to milliseconds. Versions prior to 2.1.3 are vulnerable to an event loop delay due to the CPU-bound operation of resolving the provided string, from 0.5 ms up to ~50 ms per operation for input sizes from 0.01 MB up to 4.3 MB respectively, and to an out-of-memory condition that would crash a running Node.js application given a string of roughly 10 MB that uses Unicode characters. Version 2.1.3 contains ... |
| CVE-2023-27704 | 1 Voidtools | 1 Everything | 2025-02-10 | N/A | 5.5 MEDIUM | Void Tools Everything lower than v1.4.1.1022 was discovered to contain a Regular Expression Denial of Service (ReDoS). |
| CVE-2024-27088 | 1 Medikoo | 1 Es5-ext | 2025-02-05 | N/A | N/A | es5-ext contains ECMAScript 5 extensions. Passing functions with very long names or complex default argument names into `function#copy` or `function#toStringTokens` may cause the script to stall. The vulnerability is patched in v0.10.63. |
| CVE-2022-42964 | 1 Materialsvirtuallab | 1 Pymatgen | 2025-02-04 | N/A | 5.9 MEDIUM | An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the pymatgen PyPI package when an attacker is able to supply arbitrary input to the GaussianInput.from_string method. |
| CVE-2024-36751 | | | 2025-02-03 | N/A | 6.5 MEDIUM | An issue in parse-uri v1.0.9 allows attackers to cause a Regular Expression Denial of Service (ReDoS) via a crafted URL. |
| CVE-2024-54157 | 1 Jetbrains | 1 Youtrack | 2025-01-30 | N/A | 4.3 MEDIUM | In JetBrains YouTrack before 2024.3.52635, a potential ReDoS was possible due to a vulnerable RegExp in the Ruby syntax detector. |
| CVE-2025-0367 | | | 2025-01-30 | N/A | 6.5 MEDIUM | In versions 3.1.0 and lower of the Splunk Supporting Add-on for Active Directory, also known as SA-ldapsearch, a vulnerable regular expression pattern could lead to a Regular Expression Denial of Service (ReDoS) attack. |
| CVE-2024-4148 | 1 Lunary | 1 Lunary | 2025-01-30 | N/A | 7.5 HIGH | A Regular Expression Denial of Service (ReDoS) vulnerability exists in the lunary-ai/lunary application, version 1.2.10. An attacker can exploit this vulnerability by maliciously manipulating regular expressions, which can significantly impact the response time of the application and potentially render it completely non-functional. Specifically, the vulnerability can be triggered by sending a specially crafted request to the application, leading to a denial of service where the application crash ... |
| CVE-2023-1894 | 1 Puppet | 2 Puppet Enterprise, Puppet Server | 2025-01-29 | N/A | 5.3 MEDIUM | A Regular Expression Denial of Service (ReDoS) issue was discovered in Puppet Server 7.9.2 certificate validation. An issue related to specifically crafted certificate names significantly slowed down server operations. |
| CVE-2024-52798 | | | 2025-01-24 | N/A | N/A | path-to-regexp turns path strings into regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. The regular expression that is vulnerable to backtracking can be generated in the 0.1.x release of path-to-regexp. Upgrade to 0.1.12. This vulnerability exists because of an incomplete fix for CVE-2024-45296. |
| CVE-2024-45296 | | | 2025-01-24 | N/A | 7.5 HIGH | path-to-regexp turns path strings into regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. Because JavaScript is single threaded and regex matching runs on the main thread, poor performance will block the event loop and lead to a DoS. The bad regular expression is generated any time you have two parameters within a single segment, separated by something that is not a period (.). For users of 0.1, upgrade to 0.1 ... |
| CVE-2023-32758 | 2 Coala, Semgrep | 2 Git-url-parse, Semgrep | 2025-01-23 | N/A | 7.5 HIGH | giturlparse (aka git-url-parse) through 1.2.2, as used in Semgrep 1.5.2 through 1.24.1, is vulnerable to ReDoS (Regular Expression Denial of Service) if parsing untrusted URLs. This might be relevant if Semgrep is analyzing an untrusted package (for example, to check whether it accesses any Git repository at an http:// URL), and that package's author placed a ReDoS attack payload in a URL used by the package. |
| CVE-2023-51931 | 1 Alanclarke | 1 Urlite | 2025-01-13 | N/A | 7.5 HIGH | An issue in alanclarke URLite v.3.1.0 allows an attacker to cause a denial of service (DoS) via a crafted payload to the parsing function. |
| CVE-2024-1892 | 1 Scrapy | 1 Scrapy | 2025-01-10 | N/A | 6.5 MEDIUM | A Regular Expression Denial of Service (ReDoS) vulnerability exists in the XMLFeedSpider class of the scrapy/scrapy project, specifically in the parsing of XML content. By crafting malicious XML content that exploits inefficient regular expression complexity used in the parsing process, an attacker can cause a denial-of-service (DoS) condition. This vulnerability allows for the system to hang and consume significant resources, potentially rendering services that utilize Scrapy for XML processing ... |
| CVE-2023-2132 | 1 Gitlab | 1 Gitlab | 2025-01-07 | N/A | 7.5 HIGH | An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.4 before 15.10.8, all versions starting from 15.11 before 15.11.7, and all versions starting from 16.0 before 16.0.2. A Regular Expression Denial of Service in DollarMathPostFilter was possible by sending crafted payloads to the preview_markdown endpoint. |
| CVE-2024-46242 | | | 2025-01-07 | N/A | 7.5 HIGH | An issue in the validate_email function in CTFd/utils/validators/__init__.py of CTFd 3.7.3 allows attackers to cause a Regular Expression Denial of Service (ReDoS) via supplying a crafted string as e-mail address during registration. |
| CVE-2023-2199 | 1 Gitlab | 1 Gitlab | 2025-01-07 | N/A | 7.5 HIGH | An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.0 before 15.10.8, all versions starting from 15.11 before 15.11.7, and all versions starting from 16.0 before 16.0.2. A Regular Expression Denial of Service was possible via sending crafted payloads to the preview_markdown endpoint. |
| CVE-2023-2198 | 1 Gitlab | 1 Gitlab | 2025-01-07 | N/A | 7.5 HIGH | An issue has been discovered in GitLab CE/EE affecting all versions starting from 8.7 before 15.10.8, all versions starting from 15.11 before 15.11.7, and all versions starting from 16.0 before 16.0.2. A Regular Expression Denial of Service was possible via sending crafted payloads to the preview_markdown endpoint. |