Total
294 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-22640 | 2 Fedoraproject, Tcpdf Project | 2 Fedora, Tcpdf | 2025-05-21 | N/A | 7.5 HIGH |
| TCPDF version <=6.6.5 is vulnerable to ReDoS (Regular Expression Denial of Service) if parsing an untrusted HTML page with a crafted color. | |||||
| CVE-2025-2099 | 1 Huggingface | 1 Transformers | 2025-05-21 | N/A | 7.5 HIGH |
| A vulnerability in the `preprocess_string()` function of the `transformers.testing_utils` module in huggingface/transformers version v4.48.3 allows for a Regular Expression Denial of Service (ReDoS) attack. The regular expression used to process code blocks in docstrings contains nested quantifiers, leading to exponential backtracking when processing input with a large number of newline characters. An attacker can exploit this by providing a specially crafted payload, causing high CPU usage and potential application downtime, effectively resulting in a Denial of Service (DoS) scenario. | |||||
| CVE-2022-24373 | 1 Swmansion | 1 React Native Reanimated | 2025-05-20 | N/A | 5.3 MEDIUM |
| The package react-native-reanimated before 3.0.0-rc.1 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper usage of regular expression in the parser of Colors.js. | |||||
| CVE-2022-21222 | 1 Css-what Project | 1 Css-what | 2025-05-20 | N/A | 5.3 MEDIUM |
| The package css-what before 2.1.3 are vulnerable to Regular Expression Denial of Service (ReDoS) due to the usage of insecure regular expression in the re_attr variable of index.js. The exploitation of this vulnerability could be triggered via the parse function. | |||||
| CVE-2024-21538 | 2025-05-20 | N/A | 7.5 HIGH | ||
| Versions of the package cross-spawn before 6.0.6, from 7.0.0 and before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well crafted string. | |||||
| CVE-2025-24026 | 2025-05-16 | N/A | 5.3 MEDIUM | ||
| iTop is an web based IT Service Management tool. Versions prior to 3.2.1 are vulnerable to regular expression denial of service (ReDoS) that may, under some circumstances, affect iTop server. Version 3.2.1 doesn't use the affected variable in the regular expression. As a workaround, if iTop app_root_url is defined in the configuration file, then there is no possible way to exploit this ReDoS. | |||||
| CVE-2025-4727 | 2025-05-16 | 2.6 LOW | 3.7 LOW | ||
| A vulnerability was found in Meteor up to 3.2.1 and classified as problematic. This issue affects the function Object.assign of the file packages/ddp-server/livedata_server.js. The manipulation of the argument forwardedFor leads to inefficient regular expression complexity. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 3.2.2 is able to address this issue. The identifier of the patch is f7ea6817b90952baaea9baace2a3b4366fee6a63. It is recommended to upgrade the affected component. | |||||
| CVE-2024-13896 | 1 Jgehrcke | 1 Wp-geshi-highlight | 2025-05-15 | N/A | 6.5 MEDIUM |
| The WP-GeSHi-Highlight — rock-solid syntax highlighting for 259 languages WordPress plugin through 1.4.3 processes user-supplied input as a regular expression via the wp_geshi_filter_replace_code() function, which could lead to Regular Expression Denial of Service (ReDoS) issue | |||||
| CVE-2022-37603 | 1 Webpack.js | 1 Loader-utils | 2025-05-15 | N/A | 7.5 HIGH |
| A Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the url variable in interpolateName.js. | |||||
| CVE-2022-42969 | 1 Pytest | 1 Py | 2025-05-14 | N/A | 5.3 MEDIUM |
| The py library through 1.11.0 for Python allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data, because the InfoSvnCommand argument is mishandled. Note: This has been disputed by multiple third parties as not being reproduceable and they argue this is not a valid vulnerability. | |||||
| CVE-2022-41323 | 1 Djangoproject | 1 Django | 2025-05-14 | N/A | 7.5 HIGH |
| In Django 3.2 before 3.2.16, 4.0 before 4.0.8, and 4.1 before 4.1.2, internationalized URLs were subject to a potential denial of service attack via the locale parameter, which is treated as a regular expression. | |||||
| CVE-2022-2908 | 1 Gitlab | 1 Gitlab | 2025-05-13 | N/A | 4.3 MEDIUM |
| A potential DoS vulnerability was discovered in Gitlab CE/EE versions starting from 10.7 before 15.1.5, all versions starting from 15.2 before 15.2.3, all versions starting from 15.3 before 15.3.1 allowed an attacker to trigger high CPU usage via a special crafted input added in the Commit message field. | |||||
| CVE-2022-3517 | 3 Debian, Fedoraproject, Minimatch Project | 3 Debian Linux, Fedora, Minimatch | 2025-05-13 | N/A | 7.5 HIGH |
| A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service. | |||||
| CVE-2022-37620 | 2 Kangax, Terser | 2 Html-minifier, Html-minifier-terser | 2025-05-06 | N/A | 7.5 HIGH |
| A Regular Expression Denial of Service (ReDoS) flaw was found in kangax html-minifier 4.0.0 via the candidate variable in htmlminifier.js. | |||||
| CVE-2025-4215 | 2025-05-05 | 2.6 LOW | 3.1 LOW | ||
| A vulnerability was found in gorhill uBlock Origin up to 1.63.3b16. It has been classified as problematic. Affected is the function currentStateChanged of the file src/js/1p-filters.js of the component UI. The manipulation leads to inefficient regular expression complexity. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 1.63.3b17 is able to address this issue. The patch is identified as eaedaf5b10d2f7857c6b77fbf7d4a80681d4d46c. It is recommended to upgrade the affected component. | |||||
| CVE-2022-25918 | 1 Shescape Project | 1 Shescape | 2025-05-05 | N/A | 5.3 MEDIUM |
| The package shescape from 1.5.10 and before 1.6.1 are vulnerable to Regular Expression Denial of Service (ReDoS) via the escape function in index.js, due to the usage of insecure regex in the escapeArgBash function. | |||||
| CVE-2024-24762 | 3 Encode, Fastapiexpert, Tiangolo | 3 Starlette, Python-multipart, Fastapi | 2025-05-05 | N/A | 7.5 HIGH |
| `python-multipart` is a streaming multipart parser for Python. When using form data, `python-multipart` uses a Regular Expression to parse the HTTP `Content-Type` header, including options. An attacker could send a custom-made `Content-Type` option that is very difficult for the RegEx to process, consuming CPU resources and stalling indefinitely (minutes or more) while holding the main event loop. This means that process can't handle any more requests, leading to regular expression denial of service. This vulnerability has been patched in version 0.0.7. | |||||
| CVE-2023-3210 | 1 Gitlab | 1 Gitlab | 2025-05-05 | N/A | 6.5 MEDIUM |
| An issue has been discovered in GitLab affecting all versions starting from 15.11 before 16.1.5, all versions starting from 16.2 before 16.2.5, all versions starting from 16.3 before 16.3.1. An authenticated user could trigger a denial of service when importing or cloning malicious content. | |||||
| CVE-2023-3205 | 1 Gitlab | 1 Gitlab | 2025-05-05 | N/A | 6.5 MEDIUM |
| An issue has been discovered in GitLab affecting all versions starting from 15.11 before 16.1.5, all versions starting from 16.2 before 16.2.5, all versions starting from 16.3 before 16.3.1. An authenticated user could trigger a denial of service when importing or cloning malicious content. | |||||
| CVE-2023-3909 | 1 Gitlab | 1 Gitlab | 2025-05-05 | N/A | 4.3 MEDIUM |
| An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.3 before 16.3.6, all versions starting from 16.4 before 16.4.2, all versions starting from 16.5 before 16.5.1. A Regular Expression Denial of Service was possible by adding a large string in timeout input in gitlab-ci.yml file. | |||||