CWE-1333

Inefficient Regular Expression Complexity (ReDoS)

89 CVEs, average CVSS 6.5 (source: MITRE). Severity breakdown: 1 Critical, 41 High, 43 Medium, 3 Low. 35 with a public POC, 0 listed in KEV.


CVE-2026-35041 MEDIUM PATCH GHSA This Month

Denial of service in fast-jwt 5.0.0 through 6.2.0 allows authenticated remote attackers with user interaction to cause significant CPU consumption via crafted JWT tokens that trigger catastrophic backtracking in regular expression evaluation when the allowedAud verification option is configured with a regex pattern. The vulnerability exploits attacker-controlled aud claims evaluated against user-supplied regexes, resulting in ReDoS (regular expression denial of service). Vendor-released patch available in version 6.2.1.

Tags: Node.js, Denial Of Service, Fast Jwt
Sources: NVD, GitHub | CVSS 3.1: 4.2 | EPSS: 0.0%

CVE-2026-35611 HIGH PATCH GHSA This Week

Regular expression denial of service (ReDoS) in the Addressable Ruby library versions 2.3.0 through 2.8.x allows unauthenticated remote attackers to cause application-level denial of service through maliciously crafted URIs that trigger catastrophic backtracking in URI template expansion. The vulnerability affects URI templates using explode modifiers (e.g., {foo*}, {+var*}) and multi-variable templates with + or # operators (e.g., {+v1,v2,v3}), generating O(2^n) and O(n^k) complexity regex patterns respectively. EPSS exploitation probability and KEV status data not available; no public exploit identified at time of analysis. Vendor-released patch: version 2.9.0.

Tags: Denial Of Service
Sources: NVD, GitHub | CVSS 3.1: 7.5 | EPSS: 0.0%

CVE-2026-35458 HIGH PATCH GHSA This Week

Denial of service in Gotenberg API (≤8.29.1) allows unauthenticated remote attackers to indefinitely hang worker processes via malicious regular expression patterns. The vulnerability stems from missing timeout enforcement in the dlclark/regexp2 library when compiling user-supplied scope patterns, enabling catastrophic backtracking attacks (CWE-1333). With CVSS 4.0 score 8.7 and high availability impact (VA:H), this represents significant service disruption risk. No public exploit identified at time of analysis, though the attack vector is network-accessible without authentication (AV:N/PR:N).

Tags: Denial Of Service
Sources: NVD, GitHub | CVSS 4.0: 8.7 | EPSS: 0.0%

CVE-2026-35213 HIGH PATCH GHSA This Week

Regular Expression Denial of Service (ReDoS) in @hapi/content npm package versions through 6.0.0 allows unauthenticated remote attackers to crash Node.js processes via a single HTTP request containing maliciously crafted Content-Type or Content-Disposition header values. Three regular expressions used for header parsing contain catastrophic backtracking patterns that can consume unbounded CPU resources. Vendor-released patch available via GitHub (PR #38). No public exploit code identified at time of analysis, though the attack vector is straightforward for any attacker with HTTP request capabilities.

Tags: Node.js, Denial Of Service
Sources: NVD, GitHub | CVSS 4.0: 8.7 | EPSS: 0.2%

CVE-2026-34939 MEDIUM PATCH GHSA This Month

Denial of service in PraisonAI's MCPToolIndex.search_tools() allows authenticated remote attackers to block the Python thread for hundreds of seconds via a crafted regular expression causing catastrophic backtracking. The vulnerable function compiles caller-supplied query strings directly as regex patterns without validation, timeout, or exception handling. A single malicious request can sustain complete service outage, and the MCP server HTTP transport runs without authentication by default, significantly lowering the practical barrier to exploitation despite the CVSS requiring PR:L.

Tags: Python, Denial Of Service
Sources: NVD, GitHub | CVSS 3.1: 6.5 | EPSS: 0.0%

CVE-2026-0967 MEDIUM PATCH This Month

libssh's match_pattern() function is vulnerable to ReDoS (Regular Expression Denial of Service) attacks when processing maliciously crafted hostnames in client configuration or known_hosts files, allowing local attackers with limited privileges and user interaction to trigger inefficient regex backtracking that exhausts system resources and causes client-side timeouts. The vulnerability affects Red Hat Enterprise Linux 6-10 and OpenShift Container Platform 4, with CVSS 2.2 reflecting low severity due to local attack vector and high complexity requirements, though the denial of service impact warrants attention in environments where SSH client availability is critical.

Tags: Denial Of Service
Sources: NVD | CVSS 3.1: 5.5 | EPSS: 0.1%

CVE-2026-4923 MEDIUM PATCH GHSA This Month

path-to-regexp versions prior to 8.4.0 are vulnerable to Regular Expression Denial of Service (ReDoS) when processing multiple wildcard parameters combined with path parameters in specific configurations. Unauthenticated remote attackers can craft malicious path patterns containing multiple wildcards (not at the end) to trigger catastrophic regex backtracking, causing denial of service against applications using the affected library. No public exploit code or active exploitation has been confirmed at time of analysis.

Tags: Denial Of Service
Sources: NVD, VulDB | CVSS 3.1: 5.9 | EPSS: 0.0%

CVE-2026-4867 HIGH PATCH GHSA This Week

Catastrophic backtracking in path-to-regexp versions prior to 0.1.13 enables remote denial of service attacks through specially crafted URLs containing three or more parameters within a single route segment separated by non-period characters. The vulnerability stems from insufficient backtrack protection in regex generation for routes like /:a-:b-:c, allowing unauthenticated attackers to trigger exponential computation times. SSVC framework confirms the vulnerability is automatable with partial technical impact, though no public exploit is identified at time of analysis.

Tags: Denial Of Service
Sources: NVD, GitHub, VulDB | CVSS 3.1: 7.5 | EPSS: 0.0%

CVE-2026-33671 HIGH PATCH This Week

picomatch, a widely-used Node.js glob pattern matching library, contains a Regular Expression Denial of Service (ReDoS) vulnerability when processing crafted extglob patterns such as '+(a|aa)' or nested patterns like '+(+(a))'. The vulnerability affects picomatch versions prior to 4.0.4, 3.0.2, and 2.3.2 (tracked via CPE pkg:npm/picomatch) and allows unauthenticated remote attackers to cause multi-second event-loop blocking with relatively short inputs, resulting in application-wide denial of service. Patches are available from the vendor, and while no KEV listing or EPSS score is provided in the data, the CVSS score of 7.5 (High) reflects the network-accessible, low-complexity attack vector requiring no privileges or user interaction.

Tags: Denial Of Service, Node.js
Sources: NVD, GitHub | CVSS 3.1: 7.5 | EPSS: 0.0%

CVE-2026-4539 LOW POC PATCH Monitor

A regular expression denial-of-service (ReDoS) vulnerability exists in Pygments up to version 2.19.2, specifically in the AdlLexer component within pygments/lexers/archetype.py. An attacker with local access can craft malicious input that triggers inefficient regex pattern matching, causing high CPU consumption and service degradation. A public proof-of-concept exploit is available, though the vulnerability requires local access and low privileges to exploit, resulting in a CVSS score of 3.3 with Proof-of-Concept availability (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P).

Tags: Denial Of Service
Sources: NVD, VulDB, GitHub | CVSS 3.1: 3.3 | EPSS: 0.0%

