Total: 225 CVEs
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2022-23548 | 1 Discourse | 1 Discourse | 2023-05-16 | N/A | 6.5 MEDIUM | Discourse is an open source discussion platform. Prior to version 2.8.14 on the `stable` branch and version 2.9.0.beta16 on the `beta` and `tests-passed` branches, parsing posts can be susceptible to regular expression denial of service (ReDoS) attacks. This issue is patched in versions 2.8.14 and 2.9.0.beta16. There are no known workarounds.
CVE-2023-30858 | 1 Denosaurs | 1 Emoji | 2023-05-08 | N/A | 7.5 HIGH | The Denosaurs emoji package provides emojis for dinosaurs. Starting in version 0.1.0 and prior to version 0.3.0, the reTrimSpace regex has second-degree polynomial inefficiency, leading to a delayed response on a large payload. The issue has been patched in 0.3.0. As a workaround, avoid using the `replace`, `unemojify`, or `strip` functions.
CVE-2023-27704 | 1 Voidtools | 1 Everything | 2023-04-19 | N/A | 5.5 MEDIUM | Void Tools Everything versions before v1.4.1.1022 were discovered to contain a Regular Expression Denial of Service (ReDoS) vulnerability.
CVE-2021-32848 | 1 Octobox Project | 1 Octobox | 2023-03-01 | N/A | 7.5 HIGH | Octobox is software for managing GitHub notifications. Prior to pull request (PR) 2807, a user of the system can provide a specifically crafted search query string that will trigger a ReDoS vulnerability. This issue is fixed in PR 2807.
CVE-2020-6817 | 1 Mozilla | 1 Bleach | 2023-02-28 | N/A | 7.5 HIGH | The bleach.clean behaviour when parsing style attributes could result in a regular expression denial of service (ReDoS). Calls to bleach.clean with an allowed tag that has an allowed style attribute are vulnerable to ReDoS. For example, bleach.clean(..., attributes={'a': ['style']}).
CVE-2023-24807 | 1 Nodejs | 1 Undici | 2023-02-24 | N/A | 7.5 HIGH | Undici is an HTTP/1.1 client for Node.js. Prior to version 5.19.1, the `Headers.set()` and `Headers.append()` methods are vulnerable to Regular Expression Denial of Service (ReDoS) attacks when untrusted values are passed into the functions. This is due to the inefficient regular expression used to normalize the values in the `headerValueNormalize()` utility function. This vulnerability was patched in v5.19.1. No known workarounds are available.
CVE-2023-25167 | 1 Discourse | 1 Discourse | 2023-02-18 | N/A | 5.7 MEDIUM | Discourse is an open source discussion platform. In affected versions a malicious user can cause a regular expression denial of service using a carefully crafted git URL. This issue is patched in the latest stable, beta and tests-passed versions of Discourse. Users are advised to upgrade. There are no known workarounds for this issue.
CVE-2023-22799 | 1 Rubyonrails | 1 Globalid | 2023-02-16 | N/A | 7.5 HIGH | A ReDoS-based DoS vulnerability in GlobalID before 1.0.1 could allow an attacker supplying carefully crafted input to cause the regular expression engine to take an unexpected amount of time. All users running an affected release should either upgrade or use one of the workarounds immediately.
CVE-2023-25166 | 1 Hapi | 1 Formula | 2023-02-16 | N/A | 6.5 MEDIUM | formula is a math and string formula parser. In versions prior to 3.0.1, crafted user-provided strings passed to formula's parser might lead to polynomial execution time and a denial of service. Users should upgrade to 3.0.1 or later. There are no known workarounds for this vulnerability.
CVE-2023-23621 | 1 Discourse | 1 Discourse | 2023-02-14 | N/A | 7.5 HIGH | Discourse is an open-source discussion platform. Prior to version 3.0.1 on the `stable` branch and version 3.1.0.beta2 on the `beta` and `tests-passed` branches, a malicious user can cause a regular expression denial of service using a carefully crafted user agent. This issue is patched in version 3.0.1 on the `stable` branch and version 3.1.0.beta2 on the `beta` and `tests-passed` branches. There are no known workarounds.
CVE-2021-35065 | 1 Gulpjs | 1 Glob-parent | 2023-01-23 | N/A | 7.5 HIGH | The glob-parent package before 6.0.1 for Node.js allows ReDoS (regular expression denial of service) attacks against the enclosure regular expression.
CVE-2022-3514 | 1 Gitlab | 1 Gitlab | 2023-01-18 | N/A | 5.3 MEDIUM | An issue has been discovered in GitLab CE/EE affecting all versions starting from 6.6 before 15.5.7, all versions starting from 15.6 before 15.6.4, and all versions starting from 15.7 before 15.7.2. An attacker may cause Denial of Service on a GitLab instance by exploiting a regex issue in the submodule URL parser.
CVE-2022-4131 | 1 Gitlab | 1 Gitlab | 2023-01-18 | N/A | 5.3 MEDIUM | An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.8 before 15.5.7, all versions starting from 15.6 before 15.6.4, and all versions starting from 15.7 before 15.7.2. An attacker may cause Denial of Service on a GitLab instance by exploiting a regex issue in how the application parses user agents.
CVE-2021-32821 | 1 Mootools | 1 Mootools | 2023-01-10 | N/A | 7.5 HIGH | MooTools is a collection of JavaScript utilities for JavaScript developers. All known versions include a CSS selector parser that is vulnerable to Regular Expression Denial of Service (ReDoS). An attack requires that an attacker can inject a string into a CSS selector at runtime, which is quite common with e.g. jQuery CSS selectors. No patches are available for this issue.
CVE-2020-1920 | 1 Facebook | 1 React-native | 2022-10-06 | 5.0 MEDIUM | 7.5 HIGH | A regular expression denial of service (ReDoS) vulnerability in the validateBaseUrl function can cause the application to use excessive resources, become unresponsive, or crash. This was introduced in react-native version 0.59.0 and fixed in version 0.64.1.
CVE-2021-43843 | 1 Jsx-slack Project | 1 Jsx-slack | 2022-08-09 | 5.0 MEDIUM | 7.5 HIGH | jsx-slack is a package for building JSON objects for Slack block kit surfaces from JSX. The maintainers found that the patch for CVE-2021-43838 in jsx-slack v4.5.1 is insufficient for protection from a Regular Expression Denial of Service (ReDoS) attack. If an attacker can put a lot of JSX elements into a `<blockquote>` tag _that include multibyte characters_, an internal regular expression for escaping characters may consume an excessive amount of computing resources. v4.5.1 passes the test against ASCII characters but misses the case of multibyte characters. jsx-slack v4.5.2 has updated regular expressions for escaping blockquote characters to prevent catastrophic backtracking. It also includes an updated test case to confirm rendering multiple tags in `<blockquote>` with multibyte characters.
CVE-2021-3820 | 1 Inflect Project | 1 Inflect | 2022-07-29 | 5.0 MEDIUM | 7.5 HIGH | inflect is vulnerable to Inefficient Regular Expression Complexity.
CVE-2021-3801 | 1 Prismjs | 1 Prism | 2022-07-29 | 4.3 MEDIUM | 6.5 MEDIUM | prism is vulnerable to Inefficient Regular Expression Complexity.
CVE-2021-3794 | 1 Vuelidate Project | 1 Vuelidate | 2022-07-29 | 5.0 MEDIUM | 7.5 HIGH | vuelidate is vulnerable to Inefficient Regular Expression Complexity.
CVE-2021-3777 | 1 Tmpl Project | 1 Tmpl | 2022-07-29 | 7.8 HIGH | 7.5 HIGH | nodejs-tmpl is vulnerable to Inefficient Regular Expression Complexity.