CWE-1333
Inefficient Regular Expression Complexity
The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.
CVE-2015-10005 (GCVE-0-2015-10005)
Vulnerability from cvelistv5
3.5 (Low) - CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
- CWE-1333 - Inefficient Regular Expression Complexity
Vendor | Product | Version
---|---|---
n/a | markdown-it | 2.x
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T08:58:24.655Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "vdb-entry", "x_transferred" ], "url": "https://vuldb.com/?id.216852" }, { "tags": [ "signature", "permissions-required", "x_transferred" ], "url": "https://vuldb.com/?ctiid.216852" }, { "tags": [ "patch", "x_transferred" ], "url": "https://github.com/markdown-it/markdown-it/commit/89c8620157d6e38f9872811620d25138fc9d1b0d" }, { "tags": [ "patch", "x_transferred" ], "url": "https://github.com/markdown-it/markdown-it/releases/tag/3.0.0" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2015-10005", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-04-11T15:08:47.503395Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-04-11T15:09:04.522Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "markdown-it", "vendor": "n/a", "versions": [ { "status": "affected", "version": "2.x" } ] } ], "descriptions": [ { "lang": "en", "value": "A vulnerability was found in markdown-it up to 2.x. It has been classified as problematic. Affected is an unknown function of the file lib/common/html_re.js. The manipulation leads to inefficient regular expression complexity. Upgrading to version 3.0.0 is able to address this issue. The name of the patch is 89c8620157d6e38f9872811620d25138fc9d1b0d. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-216852." }, { "lang": "de", "value": "Es wurde eine problematische Schwachstelle in markdown-it bis 2.x ausgemacht. Es geht dabei um eine nicht klar definierte Funktion der Datei lib/common/html_re.js. 
Durch das Beeinflussen mit unbekannten Daten kann eine inefficient regular expression complexity-Schwachstelle ausgenutzt werden. Ein Aktualisieren auf die Version 3.0.0 vermag dieses Problem zu l\u00f6sen. Der Patch wird als 89c8620157d6e38f9872811620d25138fc9d1b0d bezeichnet. Als bestm\u00f6gliche Massnahme wird das Einspielen eines Upgrades empfohlen." } ], "metrics": [ { "cvssV3_1": { "baseScore": 3.5, "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" } }, { "cvssV3_0": { "baseScore": 3.5, "baseSeverity": "LOW", "vectorString": "CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.0" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-1333", "description": "CWE-1333 Inefficient Regular Expression Complexity", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-12-27T08:05:38.793Z", "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB" }, "references": [ { "tags": [ "vdb-entry" ], "url": "https://vuldb.com/?id.216852" }, { "tags": [ "signature", "permissions-required" ], "url": "https://vuldb.com/?ctiid.216852" }, { "tags": [ "patch" ], "url": "https://github.com/markdown-it/markdown-it/commit/89c8620157d6e38f9872811620d25138fc9d1b0d" }, { "tags": [ "patch" ], "url": "https://github.com/markdown-it/markdown-it/releases/tag/3.0.0" } ], "timeline": [ { "lang": "en", "time": "2022-12-27T00:00:00.000Z", "value": "Advisory disclosed" }, { "lang": "en", "time": "2022-12-27T01:00:00.000Z", "value": "VulDB entry created" }, { "lang": "en", "time": "2022-12-27T09:10:31.000Z", "value": "VulDB last update" } ], "title": "markdown-it html_re.js redos" } }, "cveMetadata": { "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "assignerShortName": "VulDB", "cveId": "CVE-2015-10005", "datePublished": "2022-12-27T08:05:38.793Z", "dateReserved": "2022-12-27T08:03:51.341Z", "dateUpdated": "2025-04-11T15:09:04.522Z", "state": "PUBLISHED" }, "dataType": 
"CVE_RECORD", "dataVersion": "5.1" }
CVE-2017-20162 (GCVE-0-2017-20162)
Vulnerability from cvelistv5
4.3 (Medium) - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
- CWE-1333 - Inefficient Regular Expression Complexity
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T21:45:25.992Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "vdb-entry", "technical-description", "x_transferred" ], "url": "https://vuldb.com/?id.217451" }, { "tags": [ "signature", "permissions-required", "x_transferred" ], "url": "https://vuldb.com/?ctiid.217451" }, { "tags": [ "exploit", "issue-tracking", "x_transferred" ], "url": "https://github.com/vercel/ms/pull/89" }, { "tags": [ "patch", "x_transferred" ], "url": "https://github.com/vercel/ms/commit/caae2988ba2a37765d055c4eee63d383320ee662" }, { "tags": [ "patch", "x_transferred" ], "url": "https://github.com/vercel/ms/releases/tag/2.0.0" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "ms", "vendor": "vercel", "versions": [ { "status": "affected", "version": "1.x" } ] } ], "credits": [ { "lang": "en", "type": "tool", "value": "VulDB GitHub Commit Analyzer" } ], "descriptions": [ { "lang": "en", "value": "A vulnerability, which was classified as problematic, has been found in vercel ms up to 1.x. This issue affects the function parse of the file index.js. The manipulation of the argument str leads to inefficient regular expression complexity. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 2.0.0 is able to address this issue. The patch is named caae2988ba2a37765d055c4eee63d383320ee662. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-217451." }, { "lang": "de", "value": "Eine Schwachstelle wurde in vercel ms bis 1.x entdeckt. Sie wurde als problematisch eingestuft. Es geht hierbei um die Funktion parse der Datei index.js. Durch die Manipulation des Arguments str mit unbekannten Daten kann eine inefficient regular expression complexity-Schwachstelle ausgenutzt werden. 
Der Angriff kann \u00fcber das Netzwerk angegangen werden. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung. Ein Aktualisieren auf die Version 2.0.0 vermag dieses Problem zu l\u00f6sen. Der Patch wird als caae2988ba2a37765d055c4eee63d383320ee662 bezeichnet. Als bestm\u00f6gliche Massnahme wird das Einspielen eines Upgrades empfohlen." } ], "metrics": [ { "cvssV3_1": { "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" } }, { "cvssV3_0": { "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.0" } }, { "cvssV2_0": { "baseScore": 3.5, "vectorString": "AV:N/AC:M/Au:S/C:N/I:N/A:P", "version": "2.0" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-1333", "description": "CWE-1333 Inefficient Regular Expression Complexity", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-10-20T11:42:23.085Z", "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB" }, "references": [ { "tags": [ "vdb-entry", "technical-description" ], "url": "https://vuldb.com/?id.217451" }, { "tags": [ "signature", "permissions-required" ], "url": "https://vuldb.com/?ctiid.217451" }, { "tags": [ "exploit", "issue-tracking" ], "url": "https://github.com/vercel/ms/pull/89" }, { "tags": [ "patch" ], "url": "https://github.com/vercel/ms/commit/caae2988ba2a37765d055c4eee63d383320ee662" }, { "tags": [ "patch" ], "url": "https://github.com/vercel/ms/releases/tag/2.0.0" } ], "timeline": [ { "lang": "en", "time": "2023-01-05T00:00:00.000Z", "value": "Advisory disclosed" }, { "lang": "en", "time": "2023-01-05T00:00:00.000Z", "value": "CVE reserved" }, { "lang": "en", "time": "2023-01-05T01:00:00.000Z", "value": "VulDB entry created" }, { "lang": "en", "time": "2023-01-28T16:13:38.000Z", "value": "VulDB entry last update" } ], "title": "vercel ms index.js parse redos" } }, "cveMetadata": { "assignerOrgId": 
"1af790b2-7ee1-4545-860a-a788eba489b5", "assignerShortName": "VulDB", "cveId": "CVE-2017-20162", "datePublished": "2023-01-05T11:49:24.249Z", "dateReserved": "2023-01-05T11:47:34.603Z", "dateUpdated": "2024-08-05T21:45:25.992Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2017-20165 (GCVE-0-2017-20165)
Vulnerability from cvelistv5
3.5 (Low) - CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
- CWE-1333 - Inefficient Regular Expression Complexity
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2017-20165", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-07-18T18:05:03.282364Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-07-18T18:05:10.755Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-05T21:45:26.031Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "vdb-entry", "technical-description", "x_transferred" ], "url": "https://vuldb.com/?id.217665" }, { "tags": [ "signature", "permissions-required", "x_transferred" ], "url": "https://vuldb.com/?ctiid.217665" }, { "tags": [ "issue-tracking", "x_transferred" ], "url": "https://github.com/debug-js/debug/pull/504" }, { "tags": [ "patch", "x_transferred" ], "url": "https://github.com/debug-js/debug/commit/c38a0166c266a679c8de012d4eaccec3f944e685" }, { "tags": [ "patch", "x_transferred" ], "url": "https://github.com/debug-js/debug/releases/tag/3.1.0" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "debug", "vendor": "debug-js", "versions": [ { "status": "affected", "version": "3.0" } ] } ], "credits": [ { "lang": "en", "type": "tool", "value": "VulDB GitHub Commit Analyzer" } ], "descriptions": [ { "lang": "en", "value": "A vulnerability classified as problematic has been found in debug-js debug up to 3.0.x. This affects the function useColors of the file src/node.js. The manipulation of the argument str leads to inefficient regular expression complexity. Upgrading to version 3.1.0 is able to address this issue. The identifier of the patch is c38a0166c266a679c8de012d4eaccec3f944e685. It is recommended to upgrade the affected component. The identifier VDB-217665 was assigned to this vulnerability." 
}, { "lang": "de", "value": "Es wurde eine Schwachstelle in debug-js debug bis 3.0.x entdeckt. Sie wurde als problematisch eingestuft. Es betrifft die Funktion useColors der Datei src/node.js. Durch Manipulieren des Arguments str mit unbekannten Daten kann eine inefficient regular expression complexity-Schwachstelle ausgenutzt werden. Ein Aktualisieren auf die Version 3.1.0 vermag dieses Problem zu l\u00f6sen. Der Patch wird als c38a0166c266a679c8de012d4eaccec3f944e685 bezeichnet. Als bestm\u00f6gliche Massnahme wird das Einspielen eines Upgrades empfohlen." } ], "metrics": [ { "cvssV3_1": { "baseScore": 3.5, "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" } }, { "cvssV3_0": { "baseScore": 3.5, "baseSeverity": "LOW", "vectorString": "CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.0" } }, { "cvssV2_0": { "baseScore": 2.7, "vectorString": "AV:A/AC:L/Au:S/C:N/I:N/A:P", "version": "2.0" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-1333", "description": "CWE-1333 Inefficient Regular Expression Complexity", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-10-20T11:46:02.719Z", "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB" }, "references": [ { "tags": [ "vdb-entry", "technical-description" ], "url": "https://vuldb.com/?id.217665" }, { "tags": [ "signature", "permissions-required" ], "url": "https://vuldb.com/?ctiid.217665" }, { "tags": [ "issue-tracking" ], "url": "https://github.com/debug-js/debug/pull/504" }, { "tags": [ "patch" ], "url": "https://github.com/debug-js/debug/commit/c38a0166c266a679c8de012d4eaccec3f944e685" }, { "tags": [ "patch" ], "url": "https://github.com/debug-js/debug/releases/tag/3.1.0" } ], "timeline": [ { "lang": "en", "time": "2023-01-09T00:00:00.000Z", "value": "Advisory disclosed" }, { "lang": "en", "time": "2023-01-09T00:00:00.000Z", "value": "CVE reserved" }, { "lang": "en", "time": 
"2023-01-09T01:00:00.000Z", "value": "VulDB entry created" }, { "lang": "en", "time": "2023-01-30T11:16:01.000Z", "value": "VulDB entry last update" } ], "title": "debug-js debug node.js useColors redos" } }, "cveMetadata": { "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "assignerShortName": "VulDB", "cveId": "CVE-2017-20165", "datePublished": "2023-01-09T09:33:18.561Z", "dateReserved": "2023-01-09T09:32:31.462Z", "dateUpdated": "2024-08-05T21:45:26.031Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2018-25049 (GCVE-0-2018-25049)
Vulnerability from cvelistv5
3.0 (Low) - CVSS:3.0/AV:A/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L
- CWE-1333 - Inefficient Regular Expression Complexity
Vendor | Product | Version
---|---|---
n/a | email-existence | n/a
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T12:26:39.697Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "vdb-entry", "x_transferred" ], "url": "https://vuldb.com/?id.216854" }, { "tags": [ "signature", "permissions-required", "x_transferred" ], "url": "https://vuldb.com/?ctiid.216854" }, { "tags": [ "issue-tracking", "x_transferred" ], "url": "https://github.com/nmanousos/email-existence/pull/37" }, { "tags": [ "patch", "x_transferred" ], "url": "https://github.com/nmanousos/email-existence/commit/0029ba71b6ad0d8ec0baa2ecc6256d038bdd9b56" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2018-25049", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-04-11T16:46:50.725863Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-04-11T16:47:01.141Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "email-existence", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "A vulnerability was found in email-existence. It has been rated as problematic. Affected by this issue is some unknown functionality of the file index.js. The manipulation leads to inefficient regular expression complexity. The name of the patch is 0029ba71b6ad0d8ec0baa2ecc6256d038bdd9b56. It is recommended to apply a patch to fix this issue. VDB-216854 is the identifier assigned to this vulnerability." }, { "lang": "de", "value": "Eine problematische Schwachstelle wurde in email-existence ausgemacht. Hierbei geht es um eine nicht exakt ausgemachte Funktion der Datei index.js. 
Dank der Manipulation mit unbekannten Daten kann eine inefficient regular expression complexity-Schwachstelle ausgenutzt werden. Der Patch wird als 0029ba71b6ad0d8ec0baa2ecc6256d038bdd9b56 bezeichnet. Als bestm\u00f6gliche Massnahme wird Patching empfohlen." } ], "metrics": [ { "cvssV3_1": { "baseScore": 3, "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L", "version": "3.1" } }, { "cvssV3_0": { "baseScore": 3, "baseSeverity": "LOW", "vectorString": "CVSS:3.0/AV:A/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L", "version": "3.0" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-1333", "description": "CWE-1333 Inefficient Regular Expression Complexity", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-12-27T08:11:26.781Z", "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB" }, "references": [ { "tags": [ "vdb-entry" ], "url": "https://vuldb.com/?id.216854" }, { "tags": [ "signature", "permissions-required" ], "url": "https://vuldb.com/?ctiid.216854" }, { "tags": [ "issue-tracking" ], "url": "https://github.com/nmanousos/email-existence/pull/37" }, { "tags": [ "patch" ], "url": "https://github.com/nmanousos/email-existence/commit/0029ba71b6ad0d8ec0baa2ecc6256d038bdd9b56" } ], "timeline": [ { "lang": "en", "time": "2022-12-27T00:00:00.000Z", "value": "Advisory disclosed" }, { "lang": "en", "time": "2022-12-27T01:00:00.000Z", "value": "VulDB entry created" }, { "lang": "en", "time": "2022-12-27T09:16:18.000Z", "value": "VulDB last update" } ], "title": "email-existence index.js redos" } }, "cveMetadata": { "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "assignerShortName": "VulDB", "cveId": "CVE-2018-25049", "datePublished": "2022-12-27T08:10:40.816Z", "dateReserved": "2022-12-27T08:09:20.592Z", "dateUpdated": "2025-04-11T16:47:01.141Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2018-25061 (GCVE-0-2018-25061)
Vulnerability from cvelistv5
4.3 (Medium) - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
- CWE-1333 - Inefficient Regular Expression Complexity
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T12:26:39.682Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "vdb-entry", "technical-description", "x_transferred" ], "url": "https://vuldb.com/?id.217151" }, { "tags": [ "signature", "permissions-required", "x_transferred" ], "url": "https://vuldb.com/?ctiid.217151" }, { "tags": [ "patch", "x_transferred" ], "url": "https://github.com/christian-bromann/rgb2hex/commit/9e0c38594432edfa64136fdf7bb651835e17c34f" }, { "tags": [ "patch", "x_transferred" ], "url": "https://github.com/christian-bromann/rgb2hex/releases/tag/v0.1.6" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "rgb2hex", "vendor": "n/a", "versions": [ { "status": "affected", "version": "0.1.0" }, { "status": "affected", "version": "0.1.1" }, { "status": "affected", "version": "0.1.2" }, { "status": "affected", "version": "0.1.3" }, { "status": "affected", "version": "0.1.4" }, { "status": "affected", "version": "0.1.5" } ] } ], "credits": [ { "lang": "en", "type": "tool", "value": "VulDB GitHub Commit Analyzer" } ], "descriptions": [ { "lang": "en", "value": "A vulnerability was found in rgb2hex up to 0.1.5. It has been rated as problematic. This issue affects some unknown processing. The manipulation leads to inefficient regular expression complexity. The attack may be initiated remotely. Upgrading to version 0.1.6 is able to address this issue. The patch is named 9e0c38594432edfa64136fdf7bb651835e17c34f. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-217151." }, { "lang": "de", "value": "Eine Schwachstelle wurde in rgb2hex bis 0.1.5 ausgemacht. Sie wurde als problematisch eingestuft. Es geht hierbei um eine nicht n\u00e4her spezifizierte Funktion. Dank der Manipulation mit unbekannten Daten kann eine inefficient regular expression complexity-Schwachstelle ausgenutzt werden. 
Der Angriff kann \u00fcber das Netzwerk angegangen werden. Ein Aktualisieren auf die Version 0.1.6 vermag dieses Problem zu l\u00f6sen. Der Patch wird als 9e0c38594432edfa64136fdf7bb651835e17c34f bezeichnet. Als bestm\u00f6gliche Massnahme wird das Einspielen eines Upgrades empfohlen." } ], "metrics": [ { "cvssV3_1": { "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" } }, { "cvssV3_0": { "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.0" } }, { "cvssV2_0": { "baseScore": 4, "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P", "version": "2.0" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-1333", "description": "CWE-1333 Inefficient Regular Expression Complexity", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-10-20T12:12:53.640Z", "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB" }, "references": [ { "tags": [ "vdb-entry", "technical-description" ], "url": "https://vuldb.com/?id.217151" }, { "tags": [ "signature", "permissions-required" ], "url": "https://vuldb.com/?ctiid.217151" }, { "tags": [ "patch" ], "url": "https://github.com/christian-bromann/rgb2hex/commit/9e0c38594432edfa64136fdf7bb651835e17c34f" }, { "tags": [ "patch" ], "url": "https://github.com/christian-bromann/rgb2hex/releases/tag/v0.1.6" } ], "timeline": [ { "lang": "en", "time": "2022-12-31T00:00:00.000Z", "value": "Advisory disclosed" }, { "lang": "en", "time": "2022-12-31T00:00:00.000Z", "value": "CVE reserved" }, { "lang": "en", "time": "2022-12-31T01:00:00.000Z", "value": "VulDB entry created" }, { "lang": "en", "time": "2023-01-26T15:31:20.000Z", "value": "VulDB entry last update" } ], "title": "rgb2hex redos" } }, "cveMetadata": { "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "assignerShortName": "VulDB", "cveId": "CVE-2018-25061", "datePublished": "2022-12-31T19:33:48.503Z", 
"dateReserved": "2022-12-31T19:30:22.110Z", "dateUpdated": "2024-08-05T12:26:39.682Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2018-25074 (GCVE-0-2018-25074)
Vulnerability from cvelistv5
3.5 (Low) - CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
- CWE-1333 - Inefficient Regular Expression Complexity
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T12:33:47.844Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "vdb-entry", "technical-description", "x_transferred" ], "url": "https://vuldb.com/?id.218003" }, { "tags": [ "signature", "permissions-required", "x_transferred" ], "url": "https://vuldb.com/?ctiid.218003" }, { "tags": [ "patch", "x_transferred" ], "url": "https://github.com/Prestaul/skeemas/commit/65e94eda62dc8dc148ab3e59aa2ccc086ac448fd" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2018-25074", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-11-25T16:35:48.955757Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-11-25T16:36:06.912Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "skeemas", "vendor": "Prestaul", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "James Davis" }, { "lang": "en", "type": "tool", "value": "VulDB GitHub Commit Analyzer" } ], "descriptions": [ { "lang": "en", "value": "A vulnerability was found in Prestaul skeemas and classified as problematic. This issue affects some unknown processing of the file validators/base.js. The manipulation of the argument uri leads to inefficient regular expression complexity. The patch is named 65e94eda62dc8dc148ab3e59aa2ccc086ac448fd. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-218003." }, { "lang": "de", "value": "Eine problematische Schwachstelle wurde in Prestaul skeemas gefunden. Betroffen davon ist ein unbekannter Prozess der Datei validators/base.js. 
Mittels dem Manipulieren des Arguments uri mit unbekannten Daten kann eine inefficient regular expression complexity-Schwachstelle ausgenutzt werden. Der Patch wird als 65e94eda62dc8dc148ab3e59aa2ccc086ac448fd bezeichnet. Als bestm\u00f6gliche Massnahme wird Patching empfohlen." } ], "metrics": [ { "cvssV3_1": { "baseScore": 3.5, "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" } }, { "cvssV3_0": { "baseScore": 3.5, "baseSeverity": "LOW", "vectorString": "CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.0" } }, { "cvssV2_0": { "baseScore": 2.3, "vectorString": "AV:A/AC:M/Au:S/C:N/I:N/A:P", "version": "2.0" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-1333", "description": "CWE-1333 Inefficient Regular Expression Complexity", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-10-20T12:28:45.603Z", "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB" }, "references": [ { "tags": [ "vdb-entry", "technical-description" ], "url": "https://vuldb.com/?id.218003" }, { "tags": [ "signature", "permissions-required" ], "url": "https://vuldb.com/?ctiid.218003" }, { "tags": [ "patch" ], "url": "https://github.com/Prestaul/skeemas/commit/65e94eda62dc8dc148ab3e59aa2ccc086ac448fd" } ], "timeline": [ { "lang": "en", "time": "2023-01-11T00:00:00.000Z", "value": "Advisory disclosed" }, { "lang": "en", "time": "2023-01-11T00:00:00.000Z", "value": "CVE reserved" }, { "lang": "en", "time": "2023-01-11T01:00:00.000Z", "value": "VulDB entry created" }, { "lang": "en", "time": "2023-02-01T16:02:53.000Z", "value": "VulDB entry last update" } ], "title": "Prestaul skeemas base.js redos" } }, "cveMetadata": { "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "assignerShortName": "VulDB", "cveId": "CVE-2018-25074", "datePublished": "2023-01-11T14:49:09.552Z", "dateReserved": "2023-01-11T14:48:15.980Z", "dateUpdated": "2024-11-25T16:36:06.912Z", "state": 
"PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2018-25077 (GCVE-0-2018-25077)
Vulnerability from cvelistv5
3.5 (Low) - CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
- CWE-1333 - Inefficient Regular Expression Complexity
Vendor | Product | Version
---|---|---
melnaron | mel-spintax | n/a
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T12:33:47.805Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "vdb-entry", "technical-description", "x_transferred" ], "url": "https://vuldb.com/?id.218456" }, { "tags": [ "signature", "permissions-required", "x_transferred" ], "url": "https://vuldb.com/?ctiid.218456" }, { "tags": [ "patch", "x_transferred" ], "url": "https://github.com/melnaron/mel-spintax/commit/37767617846e27b87b63004e30216e8f919637d3" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "mel-spintax", "vendor": "melnaron", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "credits": [ { "lang": "en", "type": "tool", "value": "VulDB GitHub Commit Analyzer" } ], "descriptions": [ { "lang": "en", "value": "A vulnerability was found in melnaron mel-spintax. It has been rated as problematic. Affected by this issue is some unknown functionality of the file lib/spintax.js. The manipulation of the argument text leads to inefficient regular expression complexity. The name of the patch is 37767617846e27b87b63004e30216e8f919637d3. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-218456." }, { "lang": "de", "value": "Eine problematische Schwachstelle wurde in melnaron mel-spintax ausgemacht. Es geht hierbei um eine nicht n\u00e4her spezifizierte Funktion der Datei lib/spintax.js. Durch das Manipulieren des Arguments text mit unbekannten Daten kann eine inefficient regular expression complexity-Schwachstelle ausgenutzt werden. Der Patch wird als 37767617846e27b87b63004e30216e8f919637d3 bezeichnet. Als bestm\u00f6gliche Massnahme wird Patching empfohlen." 
} ], "metrics": [ { "cvssV3_1": { "baseScore": 3.5, "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" } }, { "cvssV3_0": { "baseScore": 3.5, "baseSeverity": "LOW", "vectorString": "CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.0" } }, { "cvssV2_0": { "baseScore": 2.3, "vectorString": "AV:A/AC:M/Au:S/C:N/I:N/A:P", "version": "2.0" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-1333", "description": "CWE-1333 Inefficient Regular Expression Complexity", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-10-20T12:32:25.255Z", "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB" }, "references": [ { "tags": [ "vdb-entry", "technical-description" ], "url": "https://vuldb.com/?id.218456" }, { "tags": [ "signature", "permissions-required" ], "url": "https://vuldb.com/?ctiid.218456" }, { "tags": [ "patch" ], "url": "https://github.com/melnaron/mel-spintax/commit/37767617846e27b87b63004e30216e8f919637d3" } ], "timeline": [ { "lang": "en", "time": "2023-01-16T00:00:00.000Z", "value": "Advisory disclosed" }, { "lang": "en", "time": "2023-01-16T00:00:00.000Z", "value": "CVE reserved" }, { "lang": "en", "time": "2023-01-16T01:00:00.000Z", "value": "VulDB entry created" }, { "lang": "en", "time": "2023-02-09T08:57:10.000Z", "value": "VulDB entry last update" } ], "title": "melnaron mel-spintax spintax.js redos" } }, "cveMetadata": { "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "assignerShortName": "VulDB", "cveId": "CVE-2018-25077", "datePublished": "2023-01-18T00:58:04.325Z", "dateReserved": "2023-01-16T22:46:47.749Z", "dateUpdated": "2024-08-05T12:33:47.805Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2018-25079 (GCVE-0-2018-25079)
Vulnerability from cvelistv5
4.3 (Medium) - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
- CWE-1333 - Inefficient Regular Expression Complexity
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T12:33:47.846Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "vdb-entry", "x_transferred" ], "url": "https://vuldb.com/?id.220058" }, { "tags": [ "signature", "permissions-required", "x_transferred" ], "url": "https://vuldb.com/?ctiid.220058" }, { "tags": [ "issue-tracking", "x_transferred" ], "url": "https://github.com/segmentio/is-url/pull/18" }, { "tags": [ "patch", "x_transferred" ], "url": "https://github.com/segmentio/is-url/commit/149550935c63a98c11f27f694a7c4a9479e53794" }, { "tags": [ "patch", "x_transferred" ], "url": "https://github.com/segmentio/is-url/releases/tag/v1.2.3" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "is-url", "vendor": "Segmentio", "versions": [ { "status": "affected", "version": "1.2.0" }, { "status": "affected", "version": "1.2.1" }, { "status": "affected", "version": "1.2.2" } ] } ], "credits": [ { "lang": "en", "type": "tool", "value": "VulDB GitHub Commit Analyzer" } ], "descriptions": [ { "lang": "en", "value": "A vulnerability was found in Segmentio is-url up to 1.2.2. It has been rated as problematic. Affected by this issue is some unknown functionality of the file index.js. The manipulation leads to inefficient regular expression complexity. The attack may be launched remotely. Upgrading to version 1.2.3 is able to address this issue. The patch is identified as 149550935c63a98c11f27f694a7c4a9479e53794. It is recommended to upgrade the affected component. VDB-220058 is the identifier assigned to this vulnerability." }, { "lang": "de", "value": "Eine problematische Schwachstelle wurde in Segmentio is-url bis 1.2.2 ausgemacht. Betroffen davon ist ein unbekannter Prozess der Datei index.js. Durch die Manipulation mit unbekannten Daten kann eine inefficient regular expression complexity-Schwachstelle ausgenutzt werden. 
Die Umsetzung des Angriffs kann dabei \u00fcber das Netzwerk erfolgen. Ein Aktualisieren auf die Version 1.2.3 vermag dieses Problem zu l\u00f6sen. Der Patch wird als 149550935c63a98c11f27f694a7c4a9479e53794 bezeichnet. Als bestm\u00f6gliche Massnahme wird das Einspielen eines Upgrades empfohlen." } ], "metrics": [ { "cvssV3_1": { "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" } }, { "cvssV3_0": { "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.0" } }, { "cvssV2_0": { "baseScore": 4, "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P", "version": "2.0" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-1333", "description": "CWE-1333 Inefficient Regular Expression Complexity", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-10-20T12:33:38.421Z", "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB" }, "references": [ { "tags": [ "vdb-entry" ], "url": "https://vuldb.com/?id.220058" }, { "tags": [ "signature", "permissions-required" ], "url": "https://vuldb.com/?ctiid.220058" }, { "tags": [ "issue-tracking" ], "url": "https://github.com/segmentio/is-url/pull/18" }, { "tags": [ "patch" ], "url": "https://github.com/segmentio/is-url/commit/149550935c63a98c11f27f694a7c4a9479e53794" }, { "tags": [ "patch" ], "url": "https://github.com/segmentio/is-url/releases/tag/v1.2.3" } ], "timeline": [ { "lang": "en", "time": "2023-02-02T00:00:00.000Z", "value": "Advisory disclosed" }, { "lang": "en", "time": "2023-02-02T00:00:00.000Z", "value": "CVE reserved" }, { "lang": "en", "time": "2023-02-02T01:00:00.000Z", "value": "VulDB entry created" }, { "lang": "en", "time": "2023-03-04T09:07:24.000Z", "value": "VulDB entry last update" } ], "title": "Segmentio is-url index.js redos" } }, "cveMetadata": { "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "assignerShortName": 
"VulDB", "cveId": "CVE-2018-25079", "datePublished": "2023-02-04T03:57:04.510Z", "dateReserved": "2023-02-02T19:53:38.131Z", "dateUpdated": "2024-08-05T12:33:47.846Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2018-25110 (GCVE-0-2018-25110)
Vulnerability from cvelistv5
- CWE-1333 - Inefficient Regular Expression Complexity
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2018-25110", "options": [ { "Exploitation": "poc" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-05-23T15:09:00.284859Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-05-23T15:09:17.479Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "collectionURL": "https://registry.npmjs.org", "defaultStatus": "unaffected", "packageName": "marked", "repo": "https://github.com/markedjs/marked", "versions": [ { "lessThan": "0.3.17", "status": "affected", "version": "0", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "type": "reporter", "value": "Josh Bruce" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Marked prior to version 0.3.17 is vulnerable to a Regular Expression Denial of Service (ReDoS) attack due to catastrophic backtracking in several regular expressions used for parsing HTML tags and markdown links. An attacker can exploit this vulnerability by providing specially crafted markdown input, such as deeply nested or repetitively structured brackets or tag attributes, which cause the parser to hang and lead to a Denial of Service." } ], "value": "Marked prior to version 0.3.17 is vulnerable to a Regular Expression Denial of Service (ReDoS) attack due to catastrophic backtracking in several regular expressions used for parsing HTML tags and markdown links. An attacker can exploit this vulnerability by providing specially crafted markdown input, such as deeply nested or repetitively structured brackets or tag attributes, which cause the parser to hang and lead to a Denial of Service." 
} ], "metrics": [ { "cvssV4_0": { "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 6.9, "baseSeverity": "MEDIUM", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-1333", "description": "CWE-1333 Inefficient Regular Expression Complexity", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-05-23T15:02:29.764Z", "orgId": "596c5446-0ce5-4ba2-aa66-48b3b757a647", "shortName": "Checkmarx" }, "references": [ { "tags": [ "issue-tracking" ], "url": "https://github.com/markedjs/marked/issues/1070" }, { "tags": [ "issue-tracking" ], "url": "https://github.com/markedjs/marked/pull/1083" }, { "tags": [ "patch" ], "url": "https://github.com/markedjs/marked/commit/20bfc106013ed45713a21672ad4a34df94dcd485" }, { "tags": [ "exploit" ], "url": "https://github.com/Checkmarx/Vulnerabilities-Proofs-of-Concept/tree/main/2018/CVE-2018-25110" } ], "source": { "discovery": "UNKNOWN" }, "title": "Regular Expression Denial of Service (ReDoS) in markedjs/marked", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "596c5446-0ce5-4ba2-aa66-48b3b757a647", "assignerShortName": "Checkmarx", "cveId": "CVE-2018-25110", "datePublished": "2025-05-23T14:53:43.335Z", "dateReserved": "2025-05-19T17:17:04.924Z", "dateUpdated": "2025-05-23T15:09:17.479Z", "state": 
"PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2019-25102 (GCVE-0-2019-25102)
Vulnerability from cvelistv5
4.3 (Medium) - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
- CWE-1333 - Inefficient Regular Expression Complexity
Vendor | Product | Version
---|---|---
n/a | simple-markdown | Version: 0.6.0
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T03:00:19.321Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "vdb-entry", "technical-description", "x_transferred" ], "url": "https://vuldb.com/?id.220638" }, { "tags": [ "signature", "permissions-required", "x_transferred" ], "url": "https://vuldb.com/?ctiid.220638" }, { "tags": [ "exploit", "issue-tracking", "x_transferred" ], "url": "https://github.com/ariabuckles/simple-markdown/pull/73" }, { "tags": [ "patch", "x_transferred" ], "url": "https://github.com/ariabuckles/simple-markdown/commit/015a719bf5cdc561feea05500ecb3274ef609cd2" }, { "tags": [ "patch", "x_transferred" ], "url": "https://github.com/ariabuckles/simple-markdown/releases/tag/0.6.1" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "simple-markdown", "vendor": "n/a", "versions": [ { "status": "affected", "version": "0.6.0" } ] } ], "credits": [ { "lang": "en", "type": "tool", "value": "VulDB GitHub Commit Analyzer" } ], "descriptions": [ { "lang": "en", "value": "A vulnerability, which was classified as problematic, was found in simple-markdown 0.6.0. Affected is an unknown function of the file simple-markdown.js. The manipulation with the input \u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c:/:/:/:/:/:/:/:/:/:/ leads to inefficient regular expression complexity. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 0.6.1 is able to address this issue. The patch is identified as 015a719bf5cdc561feea05500ecb3274ef609cd2. It is recommended to upgrade the affected component. VDB-220638 is the identifier assigned to this vulnerability." }, { "lang": "de", "value": "Es wurde eine Schwachstelle in simple-markdown 0.6.0 gefunden. Sie wurde als problematisch eingestuft. Dabei betrifft es einen unbekannter Codeteil der Datei simple-markdown.js. 
Dank der Manipulation mit der Eingabe \u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c\u003c:/:/:/:/:/:/:/:/:/:/ mit unbekannten Daten kann eine inefficient regular expression complexity-Schwachstelle ausgenutzt werden. Die Umsetzung des Angriffs kann dabei \u00fcber das Netzwerk erfolgen. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung. Ein Aktualisieren auf die Version 0.6.1 vermag dieses Problem zu l\u00f6sen. Der Patch wird als 015a719bf5cdc561feea05500ecb3274ef609cd2 bezeichnet. Als bestm\u00f6gliche Massnahme wird das Einspielen eines Upgrades empfohlen." } ], "metrics": [ { "cvssV3_1": { "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" } }, { "cvssV3_0": { "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.0" } }, { "cvssV2_0": { "baseScore": 4, "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P", "version": "2.0" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-1333", "description": "CWE-1333 Inefficient Regular Expression Complexity", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-10-20T12:56:50.469Z", "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB" }, "references": [ { "tags": [ "vdb-entry", "technical-description" ], "url": "https://vuldb.com/?id.220638" }, { "tags": [ "signature", "permissions-required" ], "url": "https://vuldb.com/?ctiid.220638" }, { "tags": [ "exploit", "issue-tracking" ], "url": "https://github.com/ariabuckles/simple-markdown/pull/73" }, { "tags": [ "patch" ], "url": "https://github.com/ariabuckles/simple-markdown/commit/015a719bf5cdc561feea05500ecb3274ef609cd2" }, { "tags": [ "patch" ], "url": "https://github.com/ariabuckles/simple-markdown/releases/tag/0.6.1" } ], "timeline": [ { "lang": "en", "time": "2023-02-11T00:00:00.000Z", "value": "Advisory disclosed" }, { "lang": "en", "time": "2023-02-11T00:00:00.000Z", 
"value": "CVE reserved" }, { "lang": "en", "time": "2023-02-11T01:00:00.000Z", "value": "VulDB entry created" }, { "lang": "en", "time": "2023-03-10T09:06:29.000Z", "value": "VulDB entry last update" } ], "title": "simple-markdown simple-markdown.js redos" } }, "cveMetadata": { "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "assignerShortName": "VulDB", "cveId": "CVE-2019-25102", "datePublished": "2023-02-12T13:31:04.352Z", "dateReserved": "2023-02-11T10:30:57.628Z", "dateUpdated": "2024-08-05T03:00:19.321Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
Mitigation
Phase: Architecture and Design
Description:
- Use regular expressions that do not support backtracking, e.g. by removing nested quantifiers.
Mitigation
Phase: System Configuration
Description:
- Set backtracking limits in the configuration of the regular expression implementation, such as PHP's pcre.backtrack_limit. Also consider limits on execution time for the process.
Mitigation
Phase: Implementation
Description:
- Do not use regular expressions with untrusted input. If regular expressions must be used, avoid using backtracking in the expression.
Mitigation
Phase: Implementation
Description:
- Limit the length of the input that the regular expression will process.
CAPEC-492: Regular Expression Exponential Blowup
An adversary may attack a program that uses a poor Regular Expression (Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This happens because most implementations build a Nondeterministic Finite Automaton (NFA) state machine from the Regex, since an NFA allows backtracking and thus more complex regular expressions.