Vulnerabilities (CVE)

Filtered by CWE-1333
Total 254 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2021-3749 3 Axios, Oracle, Siemens 3 Axios, Goldengate, Sinec Ins 2024-02-28 7.8 HIGH 7.5 HIGH
axios is vulnerable to Inefficient Regular Expression Complexity
CVE-2021-23364 1 Browserslist Project 1 Browserslist 2024-02-28 5.0 MEDIUM 5.3 MEDIUM
The package browserslist from 4.0.0 and before 4.16.5 are vulnerable to Regular Expression Denial of Service (ReDoS) during parsing of queries.
CVE-2021-28092 1 Is-svg Project 1 Is-svg 2024-02-28 5.0 MEDIUM 7.5 HIGH
The is-svg package 2.1.0 through 4.2.1 for Node.js uses a regular expression that is vulnerable to Regular Expression Denial of Service (ReDoS). If an attacker provides a malicious string, is-svg will get stuck processing the input for a very long time.
CVE-2021-27291 3 Debian, Fedoraproject, Pygments 3 Debian Linux, Fedora, Pygments 2024-02-28 5.0 MEDIUM 7.5 HIGH
In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular expressions. Some of the regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS. By crafting malicious input, an attacker can cause a denial of service.
CVE-2021-23362 2 Npmjs, Siemens 2 Hosted-git-info, Sinec Infrastructure Network Services 2024-02-28 5.0 MEDIUM 5.3 MEDIUM
The package hosted-git-info before 3.0.8 are vulnerable to Regular Expression Denial of Service (ReDoS) via regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity.
CVE-2021-26813 2 Fedoraproject, Markdown2 Project 2 Fedora, Markdown2 2024-02-28 5.0 MEDIUM 7.5 HIGH
markdown2 >=1.0.1.18, fixed in 2.4.0, is affected by a regular expression denial of service vulnerability. If an attacker provides a malicious string, it can make markdown2 processing difficult or delayed for an extended period of time.
CVE-2021-23354 1 Adaltas 1 Printf 2024-02-28 5.0 MEDIUM 7.5 HIGH
The package printf before 0.6.1 are vulnerable to Regular Expression Denial of Service (ReDoS) via the regex string /\%(?:\(([\w_.]+)\)|([1-9]\d*)\$)?([0 +\-\]*)(\*|\d+)?(\.)?(\*|\d+)?[hlL]?([\%bscdeEfFgGioOuxX])/g in lib/printf.js. The vulnerable regular expression has cubic worst-case time complexity.
CVE-2021-21317 1 Uap-core Project 1 Uap-core 2024-02-28 5.0 MEDIUM 5.3 MEDIUM
uap-core in an open-source npm package which contains the core of BrowserScope's original user agent string parser. In uap-core before version 0.11.0, some regexes are vulnerable to regular expression denial of service (REDoS) due to overlapping capture groups. This allows remote attackers to overload a server by setting the User-Agent header in an HTTP(S) request to maliciously crafted long strings. This is fixed in version 0.11.0. Downstream packages such as uap-python, uap-ruby etc which depend upon uap-core follow different version schemes.
CVE-2021-25292 1 Python 1 Pillow 2024-02-28 4.3 MEDIUM 6.5 MEDIUM
An issue was discovered in Pillow before 8.1.1. The PDF parser allows a regular expression DoS (ReDoS) attack via a crafted PDF file because of a catastrophic backtracking regex.
CVE-2020-5243 1 Uap-core Project 1 Uap-core 2024-02-28 5.0 MEDIUM 7.5 HIGH
uap-core before 0.7.3 is vulnerable to a denial of service attack when processing crafted User-Agent strings. Some regexes are vulnerable to regular expression denial of service (REDoS) due to overlapping capture groups. This allows remote attackers to overload a server by setting the User-Agent header in an HTTP(S) request to maliciously crafted long strings. This has been patched in uap-core 0.7.3.
CVE-2019-16215 1 Zulip 1 Zulip Server 2024-02-28 4.0 MEDIUM 6.5 MEDIUM
The Markdown parser in Zulip server before 2.0.5 used a regular expression vulnerable to exponential backtracking. A user who is logged into the server could send a crafted message causing the server to spend an effectively arbitrary amount of CPU time and stall the processing of future messages.
CVE-2019-12041 1 Remarkable Project 1 Remarkable 2024-02-28 5.0 MEDIUM 7.5 HIGH
lib/common/html_re.js in remarkable 1.7.1 allows Regular Expression Denial of Service (ReDoS) via a CDATA section.
CVE-2017-16021 1 Garycourt 1 Uri-js 2024-02-28 6.8 MEDIUM 6.5 MEDIUM
uri-js is a module that tries to fully implement RFC 3986. One of these features is validating whether or not a supplied URL is valid or not. To do this, uri-js uses a regular expression, This regular expression is vulnerable to redos. This causes the program to hang and the CPU to idle at 100% usage while uri-js is trying to validate if the supplied URL is valid or not. To check if you're vulnerable, look for a call to `require("uri-js").parse()` where a user is able to send their own input. This affects uri-js 2.1.1 and earlier.
CVE-2015-8854 2 Fedoraproject, Marked Project 2 Fedora, Marked 2024-02-28 7.8 HIGH 7.5 HIGH
The marked package before 0.3.4 for Node.js allows attackers to cause a denial of service (CPU consumption) via unspecified vectors that trigger a "catastrophic backtracking issue for the em inline rule," aka a "regular expression denial of service (ReDoS)."