Total
225 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-21680 | 2 Fedoraproject, Marked Project | 2 Fedora, Marked | 2023-11-07 | 5.0 MEDIUM | 7.5 HIGH |
| Marked is a markdown parser and compiler. Prior to version 4.0.10, the regular expression `block.def` may cause catastrophic backtracking against some strings and lead to a regular expression denial of service (ReDoS). Anyone who runs untrusted markdown through a vulnerable version of marked and does not use a worker with a time limit may be affected. This issue is patched in version 4.0.10. As a workaround, avoid running untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources. | |||||
| CVE-2021-43309 | 1 Litejs | 1 Uri-template-lite | 2023-11-07 | N/A | 7.5 HIGH |
| An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the uri-template-lite npm package, when an attacker is able to supply arbitrary input to the "URI.expand" method | |||||
| CVE-2021-3749 | 3 Axios, Oracle, Siemens | 3 Axios, Goldengate, Sinec Ins | 2023-11-07 | 7.8 HIGH | 7.5 HIGH |
| axios is vulnerable to Inefficient Regular Expression Complexity | |||||
| CVE-2021-27291 | 3 Debian, Fedoraproject, Pygments | 3 Debian Linux, Fedora, Pygments | 2023-11-07 | 5.0 MEDIUM | 7.5 HIGH |
| In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular expressions. Some of the regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS. By crafting malicious input, an attacker can cause a denial of service. | |||||
| CVE-2021-26813 | 2 Fedoraproject, Markdown2 Project | 2 Fedora, Markdown2 | 2023-11-07 | 5.0 MEDIUM | 7.5 HIGH |
| markdown2 >=1.0.1.18, fixed in 2.4.0, is affected by a regular expression denial of service vulnerability. If an attacker provides a malicious string, it can make markdown2 processing difficult or delayed for an extended period of time. | |||||
| CVE-2020-26302 | 1 Is.js Project | 1 Is.js | 2023-11-07 | N/A | 7.5 HIGH |
| is.js is a general-purpose check library. Versions 0.9.0 and prior contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS). is.js uses a regex copy-pasted from a gist to validate URLs. Trying to validate a malicious string can cause the regex to loop “forever." This vulnerability was found using a CodeQL query which identifies inefficient regular expressions. is.js has no patch for this issue. | |||||
| CVE-2023-45813 | 2 Torbot Project, Validators Project | 2 Torbot, Validators | 2023-10-30 | N/A | 7.5 HIGH |
| Torbot is an open source tor network intelligence tool. In affected versions the `torbot.modules.validators.validate_link function` uses the python-validators URL validation regex. This particular regular expression has an exponential complexity which allows an attacker to cause an application crash using a well-crafted argument. An attacker can use a well-crafted URL argument to exploit the vulnerability in the regular expression and cause a Denial of Service on the system. The validators file has been removed in version 4.0.0. Users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2023-3906 | 1 Gitlab | 1 Gitlab | 2023-10-02 | N/A | 3.5 LOW |
| An input validation issue in the asset proxy in GitLab EE, affecting all versions from 12.3 prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.1, allowed an authenticated attacker to craft image urls which bypass the asset proxy. | |||||
| CVE-2023-43646 | 1 Chaijs | 1 Get-func-name | 2023-10-02 | N/A | 7.5 HIGH |
| get-func-name is a module to retrieve a function's name securely and consistently both in NodeJS and the browser. Versions prior to 2.0.1 are subject to a regular expression denial of service (redos) vulnerability which may lead to a denial of service when parsing malicious input. This vulnerability can be exploited when there is an imbalance in parentheses, which results in excessive backtracking and subsequently increases the CPU load and processing time significantly. This vulnerability can be triggered using the following input: '\t'.repeat(54773) + '\t/function/i'. This issue has been addressed in commit `f934b228b` which has been included in releases from 2.0.1. Users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2022-42965 | 1 Snowflake | 1 Snowflake-connector-python | 2023-09-25 | N/A | 7.5 HIGH |
| An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the snowflake-connector-python PyPI package, when an attacker is able to supply arbitrary input to the undocumented get_file_transfer_type method | |||||
| CVE-2022-23514 | 1 Loofah Project | 1 Loofah | 2023-09-13 | N/A | 7.5 HIGH |
| Loofah is a general library for manipulating and transforming HTML/XML documents and fragments, built on top of Nokogiri. Loofah < 2.19.1 contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to sanitize certain SVG attributes. This may lead to a denial of service through CPU resource consumption. This issue is patched in version 2.19.1. | |||||
| CVE-2023-40599 | 1 Synck Graphica | 1 Mailform Pro Cgi | 2023-08-31 | N/A | 7.5 HIGH |
| Regular expression Denial-of-Service (ReDoS) exists in multiple add-ons for Mailform Pro CGI 4.3.1.3 and earlier, which allows a remote unauthenticated attacker to cause a denial-of-service condition. Affected add-ons are as follows: call/call.js, prefcodeadv/search.cgi, estimate/estimate.js, search/search.js, suggest/suggest.js, and coupon/coupon.js. | |||||
| CVE-2022-37620 | 1 Html-minifier Project | 1 Html-minifier | 2023-08-08 | N/A | 7.5 HIGH |
| A Regular Expression Denial of Service (ReDoS) flaw was found in kangax html-minifier 4.0.0 via the candidate variable in htmlminifier.js. | |||||
| CVE-2021-23382 | 1 Postcss | 1 Postcss | 2023-08-08 | 5.0 MEDIUM | 7.5 HIGH |
| The package postcss before 8.2.13 are vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern \/\*\s* sourceMappingURL=(.*). | |||||
| CVE-2021-23354 | 1 Adaltas | 1 Printf | 2023-08-08 | 5.0 MEDIUM | 7.5 HIGH |
| The package printf before 0.6.1 are vulnerable to Regular Expression Denial of Service (ReDoS) via the regex string /\%(?:\(([\w_.]+)\)|([1-9]\d*)\$)?([0 +\-\]*)(\*|\d+)?(\.)?(\*|\d+)?[hlL]?([\%bscdeEfFgGioOuxX])/g in lib/printf.js. The vulnerable regular expression has cubic worst-case time complexity. | |||||
| CVE-2021-40892 | 1 Validate Color Project | 1 Validate Color | 2023-08-08 | 5.0 MEDIUM | 7.5 HIGH |
| A Regular Expression Denial of Service (ReDOS) vulnerability was discovered in validate-color v2.1.0 when handling crafted invalid rgb(a) strings. | |||||
| CVE-2021-40896 | 1 That-value Project | 1 That-value | 2023-08-08 | 5.0 MEDIUM | 7.5 HIGH |
| A Regular Expression Denial of Service (ReDOS) vulnerability was discovered in that-value v0.1.3 when validating crafted invalid emails. | |||||
| CVE-2021-40901 | 1 Scniro-validator Project | 1 Scniro-validator | 2023-08-08 | 5.0 MEDIUM | 7.5 HIGH |
| A Regular Expression Denial of Service (ReDOS) vulnerability was discovered in scniro-validator v1.0.1 when validating crafted invalid emails. | |||||
| CVE-2022-37260 | 1 Stealjs | 1 Steal | 2023-08-08 | N/A | 7.5 HIGH |
| A Regular Expression Denial of Service (ReDoS) flaw was found in stealjs steal 2.2.4 via the input variable in main.js. | |||||
| CVE-2022-25758 | 1 Scss-tokenizer Project | 1 Scss-tokenizer | 2023-08-08 | 5.0 MEDIUM | 7.5 HIGH |
| All versions of package scss-tokenizer are vulnerable to Regular Expression Denial of Service (ReDoS) via the loadAnnotation() function, due to the usage of insecure regex. | |||||