Severity by source
CVSS vector (NVD): CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
Description (CVE.org)
A security vulnerability has been detected in Enderfga claw-orchestrator up to 3.7.0. The impacted element is the function validateRegex of the file claw-orchestrator/src/embedded-server.ts of the component Session Grep Endpoint. The manipulation of the argument body.pattern leads to inefficient regular expression complexity. The attack may be initiated remotely. Upgrading to version 3.7.1 is sufficient to resolve this issue. The identifier of the patch is 3f970a974c65a94555c25af9f2796f11315e4584. It is recommended to upgrade the affected component.
Analysis (AI)
Regular expression denial of service in Enderfga claw-orchestrator 3.7.0 and earlier allows authenticated remote attackers to degrade service availability by submitting crafted patterns to the Session Grep Endpoint. The validateRegex function in claw-orchestrator/src/embedded-server.ts passes user-supplied body.pattern directly to the V8 JavaScript regex engine, which uses backtracking and can be forced into exponential-time evaluation via patterns like (a+)+$. …
Vulnerability Assessment (AI)
| Aspect | Assessment |
| --- | --- |
| Exploitation | Exploitation requires a valid authenticated session with at least low-privilege access (PR:L per CVSS vector) to submit requests to the /session/grep endpoint or invoke the session-grep tool. … |
| Risk Assessment | The CVSS 3.1 score of 4.3 (Medium) is consistent with the realistic threat model: AV:N/AC:L/PR:L/UI:N means network-reachable, low-complexity exploitation by any authenticated user, but S:U/C:N/I:N/A:L bounds the worst-case impact to partial availability loss rather than full system compromise or data exposure. … |
| Exploit Scenario | An authenticated user with low-privileged access sends a POST request to the /session/grep endpoint with a body.pattern value containing a pathological regex such as (a+)+$ followed by a long non-matching string. The V8 regex engine enters exponential backtracking, consuming a single CPU core and blocking the Node.js event loop for seconds or minutes per request. … |
| Remediation | Upgrade to claw-orchestrator v3.7.1, released 2026-05-11, which is the vendor-confirmed patched release available at https://github.com/Enderfga/claw-orchestrator/releases/tag/v3.7.1. … |
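The validator below is an added example, not code from the claw-orchestrator project or its 3.7.1 patch: a conservative pre-check a server could run on body.pattern before handing it to the V8 engine, rejecting patterns whose unbounded quantifiers nest (star height above 1), which is the shape of the (a+)+$ pattern discussed in the analysis and exploit scenario above. The function names and the 200-character limit are assumptions; a syntactic check like this does not catch every slow pattern (overlapping alternations under a single quantifier can still backtrack badly), so a per-request execution timeout remains the backstop.

```javascript
// Added example (not claw-orchestrator code): reject user-supplied patterns whose
// unbounded quantifiers nest, e.g. (a+)+ or (?:x*)*. MAX_PATTERN_LENGTH is assumed.
const MAX_PATTERN_LENGTH = 200;
// Quantifier at p[i]: returns [length, unbounded]; [0, false] if none.
function quantifierAt(p, i) {
  if (p[i] === '*' || p[i] === '+') return [1, true];
  if (p[i] === '?') return [1, false];
  const m = /^\{\d+(,\d*)?\}/.exec(p.slice(i));        // {n} {n,m} {n,}
  return m ? [m[0].length, m[1] === ','] : [0, false];
}
// Star height: nesting depth of unbounded quantifiers; (a+)+$ has height 2.
function starHeight(p) {
  const maxAt = [0];   // max height seen inside each open group; [0] is top level
  let lastAtom = 0;    // height of the atom a following quantifier would repeat
  for (let i = 0; i < p.length; ) {
    const c = p[i];
    if (c === '\\') { lastAtom = 0; i += 2; continue; }            // escaped char
    if (c === '[') {                                               // character class
      let j = i + 1;
      while (j < p.length && p[j] !== ']') j += p[j] === '\\' ? 2 : 1;
      lastAtom = 0; i = j + 1; continue;
    }
    if (c === '(') { maxAt.push(0); lastAtom = 0; i++; continue; }
    if (c === ')' && maxAt.length > 1) {                           // closed group becomes the atom
      lastAtom = maxAt.pop();
      maxAt[maxAt.length - 1] = Math.max(maxAt[maxAt.length - 1], lastAtom);
      i++; continue;
    }
    const [len, unbounded] = quantifierAt(p, i);
    if (len) {
      if (unbounded) {                                             // a*, a+, a{n,}
        lastAtom += 1;
        maxAt[maxAt.length - 1] = Math.max(maxAt[maxAt.length - 1], lastAtom);
      }
      i += len; if (p[i] === '?') i++;                             // lazy modifier
      continue;
    }
    lastAtom = 0; i++;                                             // literal, ., |, ^, $
  }
  return maxAt[0];
}
// Gate for body.pattern: length limit, must compile, star height at most 1.
function validatePattern(pattern) {
  if (typeof pattern !== 'string' || !pattern) return { ok: false, reason: 'pattern must be a non-empty string' };
  if (pattern.length > MAX_PATTERN_LENGTH) return { ok: false, reason: 'pattern too long' };
  try { new RegExp(pattern); } catch (e) { return { ok: false, reason: 'invalid regex: ' + e.message }; }
  const h = starHeight(pattern);
  if (h > 1) return { ok: false, reason: 'nested unbounded quantifiers (star height ' + h + ')' };
  return { ok: true, reason: '' };
}
```

Rejected patterns should be logged with the authenticated principal, since repeated submissions of such patterns against a grep endpoint are a useful detection signal on their own.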
EUVD-2026-33820
GHSA-95f6-rfpg-c3w8