Total
201 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-28755 | 3 Debian, Fedoraproject, Ruby-lang | 3 Debian Linux, Fedora, Uri | 2024-05-04 | N/A | 5.3 MEDIUM |
| A ReDoS issue was discovered in the URI component through 0.12.0 in Ruby through 3.2.1. The URI parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to URI objects. The fixed versions are 0.12.1, 0.11.1, 0.10.2 and 0.10.0.1. | |||||
| CVE-2024-26142 | 2024-05-03 | N/A | 7.5 HIGH | ||
| Rails is a web-application framework. Starting in version 7.1.0, there is a possible ReDoS vulnerability in the Accept header parsing routines of Action Dispatch. This vulnerability is patched in 7.1.3.1. Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. | |||||
| CVE-2024-26146 | 2024-04-29 | N/A | 5.3 MEDIUM | ||
| Rack is a modular Ruby web server interface. Carefully crafted headers can cause header parsing in Rack to take longer than expected resulting in a possible denial of service issue. Accept and Forwarded headers are impacted. Ruby 3.2 has mitigations for this problem, so Rack applications using Ruby 3.2 or newer are unaffected. This vulnerability is fixed in 2.0.9.4, 2.1.4.4, 2.2.8.1, and 3.0.9.1. | |||||
| CVE-2024-25126 | 2024-04-29 | N/A | 5.3 MEDIUM | ||
| Rack is a modular Ruby web server interface. Carefully crafted content type headers can cause Rack’s media type parser to take much longer than expected, leading to a possible denial of service vulnerability (ReDos 2nd degree polynomial). This vulnerability is patched in 3.0.9.1 and 2.2.8.1. | |||||
| CVE-2024-3772 | 2024-04-26 | N/A | 5.9 MEDIUM | ||
| Regular expression denial of service in Pydanic < 2.4.0, < 1.10.13 allows remote attackers to cause denial of service via a crafted email string. | |||||
| CVE-2023-36053 | 3 Debian, Djangoproject, Fedoraproject | 3 Debian Linux, Django, Fedora | 2024-04-20 | N/A | 7.5 HIGH |
| In Django 3.2 before 3.2.20, 4 before 4.1.10, and 4.2 before 4.2.3, EmailValidator and URLValidator are subject to a potential ReDoS (regular expression denial of service) attack via a very large number of domain name labels of emails and URLs. | |||||
| CVE-2024-1892 | 2024-04-16 | N/A | 7.5 HIGH | ||
| A Regular Expression Denial of Service (ReDoS) vulnerability exists in the XMLFeedSpider class of the scrapy/scrapy project, specifically in the parsing of XML content. By crafting malicious XML content that exploits inefficient regular expression complexity used in the parsing process, an attacker can cause a denial-of-service (DoS) condition. This vulnerability allows for the system to hang and consume significant resources, potentially rendering services that utilize Scrapy for XML processing unresponsive. | |||||
| CVE-2023-4316 | 1 Zod | 1 Zod | 2024-04-04 | N/A | 7.5 HIGH |
| Zod in versions 3.21.0 up to and including 3.22.3 allows an attacker to perform a denial of service while validating emails. | |||||
| CVE-2024-28865 | 2024-03-19 | N/A | 7.5 HIGH | ||
| django-wiki is a wiki system for Django. Installations of django-wiki prior to version 0.10.1 are vulnerable to maliciously crafted article content that can cause severe use of server CPU through a regular expression loop. Version 0.10.1 fixes this issue. As a workaround, close off access to create and edit articles by anonymous users. | |||||
| CVE-2024-21503 | 2024-03-19 | N/A | 5.3 MEDIUM | ||
| Versions of the package black before 24.3.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the lines_with_leading_tabs_expanded function in the strings.py file. An attacker could exploit this vulnerability by crafting a malicious input that causes a denial of service. Exploiting this vulnerability is possible when running Black on untrusted input, or if you habitually put thousands of leading tab characters in your docstrings. | |||||
| CVE-2024-28864 | 2024-03-19 | N/A | 2.6 LOW | ||
| SecureProps is a PHP library designed to simplify the encryption and decryption of property data in objects. A vulnerability in SecureProps version 1.2.0 and 1.2.1 involves a regex failing to detect tags during decryption of encrypted data. This occurs when the encrypted data has been encoded with `NullEncoder` and passed to `TagAwareCipher`, and contains special characters such as `\n`. As a result, the decryption process is skipped since the tags are not detected. This causes the encrypted data to be returned in plain format. The vulnerability affects users who implement `TagAwareCipher` with any base cipher that has `NullEncoder` (not default). The patch for the issue has been released. Users are advised to update to version 1.2.2. As a workaround, one may use the default `Base64Encoder` with the base cipher decorated with `TagAwareCipher` to prevent special characters in the encrypted string from interfering with regex tag detection logic. This workaround is safe but may involve double encoding since `TagAwareCipher` uses `NullEncoder` by default. | |||||
| CVE-2022-37599 | 1 Webpack.js | 1 Loader-utils | 2024-02-28 | N/A | 7.5 HIGH |
| A Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the resourcePath variable in interpolateName.js. | |||||
| CVE-2024-27088 | 2024-02-26 | N/A | N/A | ||
| es5-ext contains ECMAScript 5 extensions. Passing functions with very long names or complex default argument names into `function#copy` or `function#toStringTokens` may cause the script to stall. The vulnerability is patched in v0.10.63. | |||||
| CVE-2024-24762 | 1 Tiangolo | 1 Fastapi | 2024-02-17 | N/A | 7.5 HIGH |
| `python-multipart` is a streaming multipart parser for Python. When using form data, `python-multipart` uses a Regular Expression to parse the HTTP `Content-Type` header, including options. An attacker could send a custom-made `Content-Type` option that is very difficult for the RegEx to process, consuming CPU resources and stalling indefinitely (minutes or more) while holding the main event loop. This means that process can't handle any more requests, leading to regular expression denial of service. This vulnerability has been patched in version 0.0.7. | |||||
| CVE-2017-16021 | 1 Garycourt | 1 Uri-js | 2024-02-15 | 6.8 MEDIUM | 6.5 MEDIUM |
| uri-js is a module that tries to fully implement RFC 3986. One of these features is validating whether or not a supplied URL is valid or not. To do this, uri-js uses a regular expression, This regular expression is vulnerable to redos. This causes the program to hang and the CPU to idle at 100% usage while uri-js is trying to validate if the supplied URL is valid or not. To check if you're vulnerable, look for a call to `require("uri-js").parse()` where a user is able to send their own input. This affects uri-js 2.1.1 and earlier. | |||||
| CVE-2023-22467 | 1 Momentjs | 1 Luxon | 2024-02-12 | N/A | 7.5 HIGH |
| Luxon is a library for working with dates and times in JavaScript. On the 1.x branch prior to 1.38.1, the 2.x branch prior to 2.5.2, and the 3.x branch on 3.2.1, Luxon's `DateTime.fromRFC2822() has quadratic (N^2) complexity on some specific inputs. This causes a noticeable slowdown for inputs with lengths above 10k characters. Users providing untrusted data to this method are therefore vulnerable to (Re)DoS attacks. This issue also appears in Moment as CVE-2022-31129. Versions 1.38.1, 2.5.2, and 3.2.1 contain patches for this issue. As a workaround, limit the length of the input. | |||||
| CVE-2015-8854 | 2 Fedoraproject, Marked Project | 2 Fedora, Marked | 2024-02-09 | 7.8 HIGH | 7.5 HIGH |
| The marked package before 0.3.4 for Node.js allows attackers to cause a denial of service (CPU consumption) via unspecified vectors that trigger a "catastrophic backtracking issue for the em inline rule," aka a "regular expression denial of service (ReDoS)." | |||||
| CVE-2015-8315 | 1 Vercel | 1 Ms | 2024-02-08 | 7.8 HIGH | 7.5 HIGH |
| The ms package before 0.7.1 for Node.js allows attackers to cause a denial of service (CPU consumption) via a long version string, aka a "regular expression denial of service (ReDoS)." | |||||
| CVE-2021-21317 | 1 Uap-core Project | 1 Uap-core | 2024-02-08 | 5.0 MEDIUM | 5.3 MEDIUM |
| uap-core in an open-source npm package which contains the core of BrowserScope's original user agent string parser. In uap-core before version 0.11.0, some regexes are vulnerable to regular expression denial of service (REDoS) due to overlapping capture groups. This allows remote attackers to overload a server by setting the User-Agent header in an HTTP(S) request to maliciously crafted long strings. This is fixed in version 0.11.0. Downstream packages such as uap-python, uap-ruby etc which depend upon uap-core follow different version schemes. | |||||
| CVE-2019-16215 | 1 Zulip | 1 Zulip Server | 2024-02-08 | 4.0 MEDIUM | 6.5 MEDIUM |
| The Markdown parser in Zulip server before 2.0.5 used a regular expression vulnerable to exponential backtracking. A user who is logged into the server could send a crafted message causing the server to spend an effectively arbitrary amount of CPU time and stall the processing of future messages. | |||||