CWE-1333 — Inefficient Regular Expression Complexity (ReDoS)

284 active CVEs are classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE.

CVEs classified under CWE-1333 (page 3 of 6)
- CVE-2022-24373 | MEDIUM | CVSS 5.3 | EG 5.3 | 2022-09-30
  The package react-native-reanimated before 3.0.0-rc.1 is vulnerable to Regular Expression Denial of Service (ReDoS) due to improper usage of a regular expression in the parser of Colors.js.
- CVE-2022-24713 | HIGH | CVSS 7.5 | EG 7.5 | 2022-03-08
  regex is an implementation of regular expressions for the Rust language. The regex crate features built-in mitigations to prevent denial of service attacks caused by untrusted regexes, or untrusted input matched by trusted regexes. Those (…
- CVE-2022-24729 | MEDIUM | CVSS 6.5 | EG 6.5 | 2022-03-16
  CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. CKEditor4 prior to version 4.18.0 contains a vulnerability in the `dialog` plugin. The vulnerability allows abuse of a dialog input validator regular expression, which c…
- CVE-2022-24836 | HIGH | CVSS 7.5 | EG 7.5 | 2022-04-11
  Nokogiri is an open source XML and HTML library for Ruby. Nokogiri `< v1.13.4` contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to detect encoding in HTML documents. Users are advised…
- CVE-2022-25598 | HIGH | CVSS 7.5 | EG 7.5 | 2022-03-30
  Apache DolphinScheduler user registration is vulnerable to Regular Expression Denial of Service (ReDoS) attacks; Apache DolphinScheduler users should upgrade to version 2.0.5 or higher.
- CVE-2022-25758 | MEDIUM | CVSS 5.3 | EG 5.3 | 2022-07-01
  All versions of package scss-tokenizer are vulnerable to Regular Expression Denial of Service (ReDoS) via the loadAnnotation() function, due to the usage of an insecure regex.
- CVE-2022-25844 | MEDIUM | CVSS 5.3 | EG 5.3 | 2022-05-01
  The package angular after 1.7.0 is vulnerable to Regular Expression Denial of Service (ReDoS) by providing a custom locale rule that makes it possible to assign the parameter in posPre: ' '.repeat() of NUMBER_FORMATS.PATTERNS[1].posPre wi…
- CVE-2022-25858 | MEDIUM | CVSS 5.3 | EG 5.3 | 2022-07-15
  The package terser before 4.8.1, and from 5.0.0 before 5.14.2, is vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure usage of regular expressions.
- CVE-2022-25881 | MEDIUM | CVSS 5.3 | EG 5.3 | 2023-01-31
  This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.
- CVE-2022-25883 | MEDIUM | CVSS 5.3 | EG 5.3 | 2023-06-21
  Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.
- CVE-2022-25887 | MEDIUM | CVSS 5.3 | EG 5.3 | 2022-08-30
  The package sanitize-html before 2.7.1 is vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure global regular expression replacement logic in HTML comment removal.
- CVE-2022-25901 | MEDIUM | CVSS 5.3 | EG 5.3 | 2023-01-18
  Versions of the package cookiejar before 2.1.4 are vulnerable to Regular Expression Denial of Service (ReDoS) via the Cookie.parse function, which uses an insecure regular expression.
- CVE-2022-25918 | MEDIUM | CVSS 5.3 | EG 5.3 | 2022-10-27
  The package shescape from 1.5.10 and before 1.6.1 is vulnerable to Regular Expression Denial of Service (ReDoS) via the escape function in index.js, due to the usage of an insecure regex in the escapeArgBash function.
- CVE-2022-25927 | MEDIUM | CVSS 5.3 | EG 5.3 | 2023-01-26
  Versions of the package ua-parser-js from 0.7.30 and before 0.7.33, and from 0.8.1 and before 1.0.33, are vulnerable to Regular Expression Denial of Service (ReDoS) via the trim() function.
- CVE-2022-2596 | MEDIUM | CVSS 5.9 | EG 5.9 | 2022-08-01
  Inefficient Regular Expression Complexity in GitHub repository node-fetch/node-fetch prior to 3.2.10.
- CVE-2022-26650 | HIGH | CVSS 7.5 | EG 7.5 | 2022-05-17
  In Apache ShenYu, ShenYu-Bootstrap, RegexPredicateJudge.java uses Pattern.matches(conditionData.getParamValue(), realData) to make judgments, where both parameters are controllable by the user. This can allow an attacker to pass in malicious…
- CVE-2022-2908 | MEDIUM | CVSS 4.3 | EG 4.3 | 2022-10-17
  A potential DoS vulnerability was discovered in GitLab CE/EE versions starting from 10.7 before 15.1.5, all versions starting from 15.2 before 15.2.3, and all versions starting from 15.3 before 15.3.1, which allowed an attacker to trigger high CPU us…
- CVE-2022-29158 | HIGH | CVSS 7.5 | EG 7.5 | 2022-09-02
  Apache OFBiz up to version 18.12.05 is vulnerable to Regular Expression Denial of Service (ReDoS) in the way it handles URLs provided by external, unauthenticated users. Upgrade to 18.12.06 or apply patches at https://issues.apache.org/jir…
- CVE-2022-29167 | HIGH | CVSS 7.4 | EG 7.4 | 2022-05-05
  Hawk is an HTTP authentication scheme providing mechanisms for making authenticated HTTP requests with partial cryptographic verification of the request and response, covering the HTTP method, request URI, host, and optionally the request …
- CVE-2022-29169 | HIGH | CVSS 7.5 | EG 7.5 | 2022-06-01
  BigBlueButton is an open source web conferencing system. Versions starting with 2.2 and prior to 2.3.19, 2.4.7, and 2.5.0-beta.2 are vulnerable to regular expression denial of service (ReDoS) attacks. By using a specific RegularExpression,…
- CVE-2022-30122 | HIGH | CVSS 7.5 | EG 7.5 | 2022-12-05
  A possible denial of service vulnerability exists in Rack <2.0.9.1, <2.1.4.1 and <2.2.3.1 in the multipart parsing component of Rack.
- CVE-2022-31110 | MEDIUM | CVSS 5.3 | EG 5.3 | 2022-06-29
  RSSHub is an open source, extensible RSS feed generator. In commits prior to 5c4177441417, passing some special values to the `filter` and `filterout` parameters can cause abnormally high CPU usage. This results in an impact on the performance…
- CVE-2022-31129 | HIGH | CVSS 7.5 | EG 7.5 | 2022-07-06
  moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates. Affected versions of moment were found to use an inefficient parsing algorithm. Specifically, using string-to-date parsing in moment (more spec…
- CVE-2022-31147 | HIGH | CVSS 7.5 | EG 7.5 | 2022-07-14
  The jQuery Validation Plugin (jquery-validation) provides drop-in validation for forms. Versions of jquery-validation prior to 1.19.5 are vulnerable to regular expression denial of service (ReDoS) when an attacker is able to supply arbitra…
- CVE-2022-31781 | HIGH | CVSS 7.5 | EG 7.5 | 2022-07-13
  Apache Tapestry up to version 5.8.1 is vulnerable to Regular Expression Denial of Service (ReDoS) in the way it handles Content Types. Specially crafted Content Types may cause catastrophic backtracking, taking exponential time to complete…
- CVE-2022-34402 | MEDIUM | CVSS 6.8 | EG 4.9 | 2022-10-10
  Dell Wyse ThinOS 2205 contains a Regular Expression Denial of Service vulnerability in the UI. An attacker with admin privileges could potentially exploit this vulnerability, leading to denial of service.
- CVE-2022-34428 | MEDIUM | CVSS 5.0 | EG 2.7 | 2022-09-30
  Dell Hybrid Client prior to version 1.8 contains a Regular Expression Denial of Service vulnerability in the UI. An adversary with WMS group admin access could potentially exploit this vulnerability, leading to temporary denial of service.
- CVE-2022-34749 | HIGH | CVSS 7.5 | EG 7.5 | 2022-07-25
  In mistune through 2.0.2, support for inline markup is implemented using regular expressions that can involve a high amount of backtracking on certain edge cases. This behavior is commonly named catastrophic backtracking.
- CVE-2022-3514 | MEDIUM | CVSS 4.3 | EG 5.3 | 2023-01-12
  An issue has been discovered in GitLab CE/EE affecting all versions starting from 6.6 before 15.5.7, all versions starting from 15.6 before 15.6.4, and all versions starting from 15.7 before 15.7.2. An attacker may cause Denial of Service on a…
- CVE-2022-3517 | HIGH | CVSS 7.5 | EG 7.5 | 2022-10-17
  A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.
- CVE-2022-35923 | HIGH | CVSS 7.5 | EG 7.5 | 2022-08-02
  v8n is a JavaScript validation library. Versions of v8n prior to 1.5.1 were found to have an inefficient regular expression complexity in the `lowercase()` and `uppercase()` regex, which could lead to a denial of service attack. In testing …
- CVE-2022-36034 | HIGH | CVSS 7.5 | EG 7.5 | 2022-08-29
  nitrado.js is a type safe wrapper for the Nitrado API. Possible ReDoS with lib input of `{{` and with many repetitions of `{{|`. This issue has been patched in all versions above `0.2.5`. There are currently no known workarounds.
- CVE-2022-36064 | MEDIUM | CVSS 5.9 | EG 5.9 | 2022-09-06
  Shescape is a shell escape package for JavaScript. An Inefficient Regular Expression Complexity vulnerability impacts users that use Shescape to escape arguments for the Unix shells `Bash` and `Dash`, or any not-officially-supported Unix s…
- CVE-2022-37259 | HIGH | CVSS 7.5 | EG 7.5 | 2022-09-20
  A Regular Expression Denial of Service (ReDoS) flaw was found in stealjs steal 2.2.4 via the string variable in babel.js.
- CVE-2022-37260 | HIGH | CVSS 7.5 | EG 7.5 | 2022-09-15
  A Regular Expression Denial of Service (ReDoS) flaw was found in stealjs steal 2.2.4 via the input variable in main.js.
- CVE-2022-37262 | HIGH | CVSS 7.5 | EG 7.5 | 2022-09-15
  A Regular Expression Denial of Service (ReDoS) flaw was found in stealjs steal 2.2.4 via the source and sourceWithComments variables in main.js.
- CVE-2022-37599 | HIGH | CVSS 7.5 | EG 7.5 | 2022-10-11
  A Regular Expression Denial of Service (ReDoS) flaw was found in the function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the resourcePath variable in interpolateName.js.
- CVE-2022-37603 | HIGH | CVSS 7.5 | EG 7.5 | 2022-10-14
  A Regular Expression Denial of Service (ReDoS) flaw was found in the function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the url variable in interpolateName.js.
- CVE-2022-37620 | HIGH | CVSS 7.5 | EG 7.5 | 2022-10-31
  A Regular Expression Denial of Service (ReDoS) flaw was found in kangax html-minifier 4.0.0 because of the reCustomIgnore regular expression.
- CVE-2022-39280 | MEDIUM | CVSS 5.9 | EG 5.9 | 2022-10-06
  dparse is a parser for Python dependency files. dparse in versions before 0.5.2 contains a regular expression that is vulnerable to Regular Expression Denial of Service. All users parsing index server URLs with dparse are impacted by …
- CVE-2022-40023 | HIGH | CVSS 7.5 | EG 7.5 | 2022-09-07
  Sqlalchemy mako before 1.2.2 is vulnerable to Regular Expression Denial of Service when using the Lexer class to parse. This also affects babelplugin and linguaplugin.
- CVE-2022-40897 | MEDIUM | CVSS 5.9 | EG 5.9 | 2022-12-23
  Python Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted package or custom PackageIndex page. There is a Regular Expression Denial of Service (ReDoS) in package_i…
- CVE-2022-4131 | MEDIUM | CVSS 4.3 | EG 5.3 | 2023-01-12
  An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.8 before 15.5.7, all versions starting from 15.6 before 15.6.4, and all versions starting from 15.7 before 15.7.2. An attacker may cause Denial of Service on …
- CVE-2022-41323 | HIGH | CVSS 7.5 | EG 7.5 | 2022-10-16
  In Django 3.2 before 3.2.16, 4.0 before 4.0.8, and 4.1 before 4.1.2, internationalized URLs were subject to a potential denial of service attack via the locale parameter, which is treated as a regular expression.
- CVE-2022-42124 | HIGH | CVSS 7.5 | EG 7.5 | 2022-11-15
  ReDoS vulnerability in LayoutPageTemplateEntryUpgradeProcess in Liferay Portal 7.3.2 through 7.4.3.4 and Liferay DXP 7.2 fix pack 9 through fix pack 18, 7.3 before update 4, and DXP 7.4 GA allows remote attackers to consume an excessive am…
- CVE-2022-42964 | MEDIUM | CVSS 5.9 | EG 5.9 | 2022-11-09
  An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the pymatgen PyPI package when an attacker is able to supply arbitrary input to the GaussianInput.from_string method.
- CVE-2022-42965 | LOW | CVSS 3.7 | EG 3.7 | 2022-11-09
  An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the snowflake-connector-python PyPI package when an attacker is able to supply arbitrary input to the undocumented get_file_transfer_type method.
- CVE-2022-42966 | MEDIUM | CVSS 5.9 | EG 5.9 | 2022-11-09
  An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the cleo PyPI package when an attacker is able to supply arbitrary input to the Table.set_rows method.
- CVE-2022-42969 | MEDIUM | CVSS 5.3 | EG 7.5 | 2022-10-16
  The py library through 1.11.0 for Python allows remote attackers to conduct a ReDoS (Regular Expression Denial of Service) attack via a Subversion repository with crafted info data, because the InfoSvnCommand argument is mishandled. Note: …
- CVE-2022-44570 | HIGH | CVSS 7.5 | EG 7.5 | 2023-02-09
  A denial of service vulnerability in the Range header parsing component of Rack >= 1.5.0. A carefully crafted input can cause the Range header parsing component in Rack to take an unexpected amount of time, possibly resulting in a denial o…