CWE-1333: Inefficient Regular Expression Complexity (ReDoS)
284 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories.
CVEs classified under CWE-1333 (page 1 of 6)
- CVE-2015-10005 | LOW | CVSS 3.5 | EG 3.5 | 2022-12-27
A vulnerability was found in markdown-it up to 2.x. It has been classified as problematic. Affected is an unknown function of the file lib/common/html_re.js. The manipulation leads to inefficient regular expression complexity. Upgrading to…
- CVE-2017-16021 | MEDIUM | CVSS 6.5 | 2018-06-04
uri-js is a module that tries to fully implement RFC 3986. One of these features is validating whether or not a supplied URL is valid or not. To do this, uri-js uses a regular expression. This regular expression is vulnerable to ReDoS. Thi…
- CVE-2017-20162 | MEDIUM | CVSS 4.3 | EG 4.3 | 2023-01-05
A vulnerability, which was classified as problematic, has been found in vercel ms up to 1.x. This issue affects the function parse of the file index.js. The manipulation of the argument str leads to inefficient regular expression complexit…
- CVE-2017-20165 | LOW | CVSS 3.5 | EG 3.5 | 2023-01-09
A vulnerability classified as problematic has been found in debug-js debug up to 3.0.x. This affects the function useColors of the file src/node.js. The manipulation of the argument str leads to inefficient regular expression complexity. U…
- CVE-2018-25049 | LOW | CVSS 3.0 | EG 7.5 | 2022-12-27
A vulnerability was found in email-existence. It has been rated as problematic. Affected by this issue is some unknown functionality of the file index.js. The manipulation leads to inefficient regular expression complexity. The name of the…
- CVE-2018-25061 | MEDIUM | CVSS 4.3 | EG 4.3 | 2022-12-31
A vulnerability was found in rgb2hex up to 0.1.5. It has been rated as problematic. This issue affects some unknown processing. The manipulation leads to inefficient regular expression complexity. The attack may be initiated remotely. Upgr…
- CVE-2018-25074 | LOW | CVSS 3.5 | EG 3.5 | 2023-01-11
A vulnerability was found in Prestaul skeemas and classified as problematic. This issue affects some unknown processing of the file validators/base.js. The manipulation of the argument uri leads to inefficient regular expression complexity…
- CVE-2018-25077 | LOW | CVSS 3.5 | EG 3.5 | 2023-01-18
A vulnerability was found in melnaron mel-spintax. It has been rated as problematic. Affected by this issue is some unknown functionality of the file lib/spintax.js. The manipulation of the argument text leads to inefficient regular expres…
- CVE-2018-25079 | MEDIUM | CVSS 4.3 | EG 4.3 | 2023-02-04
A vulnerability was found in Segmentio is-url up to 1.2.2. It has been rated as problematic. Affected by this issue is some unknown functionality of the file index.js. The manipulation leads to inefficient regular expression complexity. Th…
- CVE-2019-12041 | HIGH | CVSS 7.5 | 2019-05-13
lib/common/html_re.js in remarkable 1.7.1 allows Regular Expression Denial of Service (ReDoS) via a CDATA section.
- CVE-2019-16215 | MEDIUM | CVSS 6.5 | EG 6.5 | 2019-09-18
The Markdown parser in Zulip server before 2.0.5 used a regular expression vulnerable to exponential backtracking. A user who is logged into the server could send a crafted message causing the server to spend an effectively arbitrary amoun…
- CVE-2019-25102 | MEDIUM | CVSS 4.3 | EG 4.3 | 2023-02-12
A vulnerability, which was classified as problematic, was found in simple-markdown 0.6.0. Affected is an unknown function of the file simple-markdown.js. The manipulation with the input <<<<<<<<<<:/:/:/:/:/:/:/:/:/:/ leads to inefficient r…
- CVE-2019-25103 | MEDIUM | CVSS 4.3 | EG 4.3 | 2023-02-12
A vulnerability has been found in simple-markdown 0.5.1 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file simple-markdown.js. The manipulation leads to inefficient regular expression comp…
- CVE-2020-1920 | HIGH | CVSS 7.5 | EG 7.5 | 2021-06-01
A regular expression denial of service (ReDoS) vulnerability in the validateBaseUrl function can cause the application to use excessive resources, become unresponsive, or crash. This was introduced in react-native version 0.59.0 and fixed …
- CVE-2020-26302 | HIGH | CVSS 7.5 | EG 7.5 | 2022-12-22
is.js is a general-purpose check library. Versions 0.9.0 and prior contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS). is.js uses a regex copy-pasted from a gist to validate URLs. Tr…
- CVE-2020-26303 | HIGH | CVSS 7.5 | EG 7.5 | 2024-10-26
insane is a whitelist-oriented HTML sanitizer. Versions 2.6.2 and prior contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS). As of time of publication, no known patches are available.
- CVE-2020-26304 | HIGH | CVSS 7.5 | EG 7.5 | 2024-10-26
Foundation is a front-end framework. Versions 6.3.3 and prior contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS). As of time of publication, it is unknown if any fixes are available.
- CVE-2020-26305 | HIGH | CVSS 7.5 | EG 7.5 | 2024-10-26
CommonRegexJS is a CommonRegex port for JavaScript. All available versions contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS). As of time of publication, no known patches are availab…
- CVE-2020-26306 | HIGH | CVSS 8.7 | EG 0.0 | 2024-10-26
Knwl.js is a JavaScript library that parses through text for dates, times, phone numbers, emails, places, and more. Versions 1.0.2 and prior contain one or more regular expressions that are vulnerable to Regular Expression Denial of Servic…
- CVE-2020-26307 | HIGH | CVSS 8.7 | EG 0.0 | 2024-10-26
HTML2Markdown is a JavaScript implementation for converting HTML to Markdown text. All available versions contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS). As of time of publicatio…
- CVE-2020-26308 | HIGH | CVSS 7.5 | EG 7.5 | 2024-10-26
Validate.js provides a declarative way of validating JavaScript objects. Versions 0.13.1 and prior contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS). As of time of publication, no k…
- CVE-2020-26309 | HIGH | CVSS 8.7 | EG 0.0 | 2024-10-26
Validate.js provides a declarative way of validating JavaScript objects. Versions 0.11.3 and prior contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS). As of time of publication, it i…
- CVE-2020-26310 | HIGH | CVSS 8.7 | EG 0.0 | 2024-10-26
Validate.js provides a declarative way of validating JavaScript objects. All versions as of 30 November 2020 contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS). As of time of publica…
- CVE-2020-26311 | HIGH | CVSS 7.5 | EG 7.5 | 2024-10-26
Useragent is a user agent parser for Node.js. All versions as of time of publication contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS). As of time of publication, no patches are ava…
- CVE-2020-36649 | LOW | CVSS 3.5 | EG 3.5 | 2023-01-11
A vulnerability was found in mholt PapaParse up to 5.1.x. It has been classified as problematic. Affected is an unknown function of the file papaparse.js. The manipulation leads to inefficient regular expression complexity. Upgrading to ve…
- CVE-2020-36661 | LOW | CVSS 3.5 | EG 7.5 | 2023-02-12
A vulnerability was found in Kong lua-multipart 0.5.8-1. It has been declared as problematic. This vulnerability affects the function is_header of the file src/multipart.lua. The manipulation leads to inefficient regular expression complex…
- CVE-2020-36830 | MEDIUM | CVSS 4.3 | EG 4.3 | 2024-09-02
A vulnerability was found in nescalante urlregex up to 0.5.0 and classified as problematic. This issue affects some unknown processing of the file index.js of the component Backtracking. The manipulation leads to inefficient regular expres…
- CVE-2020-5243 | MEDIUM | CVSS 5.7 | EG 5.7 | 2020-02-21
uap-core before 0.7.3 is vulnerable to a denial of service attack when processing crafted User-Agent strings. Some regexes are vulnerable to regular expression denial of service (REDoS) due to overlapping capture groups. This allows remote…
- CVE-2020-6817 | HIGH | CVSS 7.5 | EG 7.5 | 2023-02-16
bleach.clean behavior parsing style attributes could result in a regular expression denial of service (ReDoS). Calls to bleach.clean with an allowed tag with an allowed style attribute are vulnerable to ReDoS. For example, bleach.clean(...…
- CVE-2021-21317 | MEDIUM | CVSS 5.3 | EG 5.3 | 2021-02-16
uap-core is an open-source npm package which contains the core of BrowserScope's original user agent string parser. In uap-core before version 0.11.0, some regexes are vulnerable to regular expression denial of service (REDoS) due to overl…
- CVE-2021-23354 | MEDIUM | CVSS 5.3 | EG 5.3 | 2021-03-12
The package printf before 0.6.1 is vulnerable to Regular Expression Denial of Service (ReDoS) via the regex string /\%(?:\(([\w_.]+)\)|([1-9]\d*)\$)?([0 +\-\]*)(\*|\d+)?(\.)?(\*|\d+)?[hlL]?([\%bscdeEfFgGioOuxX])/g in lib/printf.js. The vu…
- CVE-2021-23362 | MEDIUM | CVSS 5.3 | EG 5.3 | 2021-03-23
The package hosted-git-info before 3.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS) via regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-cas…
- CVE-2021-23364 | MEDIUM | CVSS 5.3 | EG 5.3 | 2021-04-28
The package browserslist from 4.0.0 and before 4.16.5 is vulnerable to Regular Expression Denial of Service (ReDoS) during parsing of queries.
- CVE-2021-23382 | MEDIUM | CVSS 5.3 | EG 5.3 | 2021-04-26
The package postcss before 8.2.13 is vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern \/\*\s* source…
- CVE-2021-23446 | HIGH | CVSS 7.5 | EG 7.5 | 2021-09-29
The package handsontable before 10.0.0; the package handsontable from 0 and before 10.0.0 are vulnerable to Regular Expression Denial of Service (ReDoS) in Handsontable.helper.isNumeric function.
- CVE-2021-23490 | HIGH | CVSS 7.5 | EG 7.5 | 2021-12-24
The package parse-link-header before 2.0.0 is vulnerable to Regular Expression Denial of Service (ReDoS) via the checkHeader function.
- CVE-2021-25292 | MEDIUM | CVSS 6.5 | EG 6.5 | 2021-03-19
An issue was discovered in Pillow before 8.1.1. The PDF parser allows a regular expression DoS (ReDoS) attack via a crafted PDF file because of a catastrophic backtracking regex.
- CVE-2021-26813 | HIGH | CVSS 7.5 | EG 7.5 | 2021-03-03
markdown2 >=1.0.1.18, fixed in 2.4.0, is affected by a regular expression denial of service vulnerability. If an attacker provides a malicious string, it can make markdown2 processing difficult or delayed for an extended period of time.
- CVE-2021-27291 | HIGH | CVSS 7.5 | EG 7.5 | 2021-03-17
In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular expressions. Some of the regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS. By crafting …
- CVE-2021-28092 | HIGH | CVSS 7.5 | EG 7.5 | 2021-03-12
The is-svg package 2.1.0 through 4.2.1 for Node.js uses a regular expression that is vulnerable to Regular Expression Denial of Service (ReDoS). If an attacker provides a malicious string, is-svg will get stuck processing the input for a v…
- CVE-2021-32821 | MEDIUM | CVSS 6.2 | EG 7.5 | 2023-01-03
MooTools is a collection of JavaScript utilities for JavaScript developers. All known versions include a CSS selector parser that is vulnerable to Regular Expression Denial of Service (ReDoS). An attack requires that an attacker can inject…
- CVE-2021-32837 | HIGH | CVSS 7.5 | EG 7.5 | 2023-01-17
mechanize, a library for automatically interacting with HTTP web servers, contains a regular expression that is vulnerable to regular expression denial of service (ReDoS) prior to version 0.4.6. If a web server responds in a malicious way,…
- CVE-2021-32848 | HIGH | CVSS 7.5 | EG 7.5 | 2023-02-20
Octobox is software for managing GitHub notifications. Prior to pull request (PR) 2807, a user of the system can provide a specifically crafted search query string that will trigger a ReDoS vulnerability. This issue is fixed in PR 2807.
- CVE-2021-33502 | HIGH | CVSS 7.5 | EG 7.5 | 2021-05-24
The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS (regular expression denial of service) issue because it has exponential performance for data: URLs.
- CVE-2021-35065 | HIGH | CVSS 7.5 | EG 7.5 | 2022-12-26
The glob-parent package before 6.0.1 for Node.js allows ReDoS (regular expression denial of service) attacks against the enclosure regular expression.
- CVE-2021-3649 | HIGH | CVSS 7.5 | EG 7.5 | 2021-07-16
chatwoot is vulnerable to Inefficient Regular Expression Complexity
- CVE-2021-3749 | HIGH | CVSS 7.5 | EG 7.5 | 2021-08-31
axios is vulnerable to Inefficient Regular Expression Complexity
- CVE-2021-3765 | HIGH | CVSS 7.5 | EG 7.5 | 2021-11-02
validator.js is vulnerable to Inefficient Regular Expression Complexity
- CVE-2021-3777 | HIGH | CVSS 7.5 | EG 7.5 | 2021-09-15
nodejs-tmpl is vulnerable to Inefficient Regular Expression Complexity
- CVE-2021-3794 | HIGH | CVSS 7.5 | EG 7.5 | 2021-09-15
vuelidate is vulnerable to Inefficient Regular Expression Complexity