Monthly
Catastrophic backtracking in Symfony's YAML component (symfony/yaml) allows denial of service via crafted input to the Parser::cleanup() method. The four regexes responsible for stripping %YAML directive headers, leading comments, and document start/end markers contain overlapping quantifiers - notably `[\d.]+` and `.*` both matching the dot character - enabling an attacker supplying a single oversized directive header or comment line to cause the PHP process to hang indefinitely. Affected branches span symfony/yaml and symfony/symfony packages across the 5.4, 6.x, and 7.x release lines. No public exploit identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.
{{ x | strip_html }}. A remote, unauthenticated attacker who submits a string containing many unbalanced <script, <style, or <!-- opener tokens (for example a single ~350 KB body) forces O(N^2) V8 regex backtracking that blocks the single-threaded Node.js event loop for roughly 10 seconds, stalling every other request on the worker. A proof-of-concept with measured scaling is published in the GitHub Security Advisory (GHSA-r7g9-xpmj-5fcq); the issue is not listed in CISA KEV and no EPSS score was provided.
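The quadratic mechanism described above, as an added worked example in Python. This is not the affected filter's own code: the regex is a constructed stand-in with the same shape (a lazy scan per opener kind), shown beside a single-pass scanner that produces identical output in linear time, including for input that is nothing but unmatched openers.

```python
import re
import string
import time

# Constructed stand-in for a strip_html-style filter, not the affected
# filter's own source: one lazy scan per opener kind, case-insensitive
# (ASCII folding only, so the scanner below can reproduce it exactly).
_BACKTRACKING_STRIP = re.compile(
    r"<script[\s\S]*?</script>|<style[\s\S]*?</style>|<!--[\s\S]*?-->",
    re.I | re.A,
)


def strip_html_backtracking(text: str) -> str:
    """O(N^2) on unbalanced openers.

    At every opener with no closer ahead, the lazy quantifier expands to the
    end of the input before that alternative fails; the engine then advances
    one position and repeats the whole walk at the next opener."""
    return _BACKTRACKING_STRIP.sub("", text)


_PAIRS = {"<script": "</script>", "<style": "</style>", "<!--": "-->"}
_ASCII_LOWER = str.maketrans(string.ascii_uppercase, string.ascii_lowercase)


def strip_html_linear(text: str) -> str:
    """Same output as strip_html_backtracking in a single forward pass.

    The next occurrence of each opener and closer is cached and only
    re-searched once the cursor has passed it, so each character is scanned
    a bounded number of times no matter how many openers are unmatched."""
    low = text.translate(_ASCII_LOWER)  # length-preserving case fold
    out, pos = [], 0
    next_open = {o: low.find(o) for o in _PAIRS}
    next_close = {o: low.find(c) for o, c in _PAIRS.items()}
    while True:
        for o in _PAIRS:  # refresh cached opener positions behind the cursor
            if next_open[o] != -1 and next_open[o] < pos:
                next_open[o] = low.find(o, pos)
        live = [(i, o) for o, i in next_open.items() if i != -1]
        if not live:
            out.append(text[pos:])
            return "".join(out)
        i, o = min(live)
        after_opener = i + len(o)
        closer = _PAIRS[o]
        if next_close[o] != -1 and next_close[o] < after_opener:
            next_close[o] = low.find(closer, after_opener)
        j = next_close[o]
        if j == -1:
            # unmatched opener: emitted as literal text, exactly as the regex
            # leaves it when its alternative fails at this position
            out.append(text[pos:after_opener])
            pos = after_opener
        else:
            out.append(text[pos:i])
            pos = j + len(closer)


def attack_body(n_openers: int) -> str:
    """Constructed payload: n unbalanced openers and nothing to close them."""
    return "<script" * n_openers


if __name__ == "__main__":
    body = attack_body(1500)  # ~10 KB; the advisory's ~350 KB body has the same shape
    for fn in (strip_html_backtracking, strip_html_linear):
        t0 = time.perf_counter()
        assert fn(body) == body
        print(f"{fn.__name__:>24}: {time.perf_counter() - t0:.3f}s")
```

Run as a script it times both functions on the constructed payload; raise the opener count to watch the regex version grow quadratically while the scanner stays flat. The scanner keeps the regex's exact semantics for an unmatched opener (left in place as text), which is the behaviour a drop-in replacement has to preserve.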
Pre-authentication denial of service in Parse Server (npm parse-server) lets a remote attacker who knows a publicly-known Parse Application ID pin a Node.js worker for seconds to minutes by sending a single crafted request with adversarial input in the X-Parse-Client-Version header or _ClientVersion JSON body field. The vulnerable client SDK version parser executes before session authentication and rate limiting on every /parse/* route, so a handful of concurrent requests can starve worker capacity. No public exploit identified at time of analysis, but the vendor advisory (GHSA-38m6-82c8-4xfm) and merged patch PRs confirm the issue and provide regression tests demonstrating the trigger.
Resource exhaustion in the Python idna library's idna.encode() function allows denial-of-service via specially crafted Unicode inputs that bypass the incomplete CVE-2024-3651 remediation. Affected versions process CONTEXTO-class codepoints - such as Arabic-Indic digit zero (U+0660) or Katakana middle dot (U+30FB) - through the valid_contexto validation function before length rejection occurs, enabling arbitrarily large inputs to consume significant CPU. Any Python application that passes unvalidated user input to idna.encode() or related per-label/codec functions without upstream length enforcement is exposed; no public exploit has been identified at time of analysis beyond the PoC payloads embedded in the advisory itself.
Regular expression denial-of-service (ReDoS) in HAPI FHIR's FHIRPathEngine allows remote unauthenticated attackers to exhaust CPU resources by submitting FHIR resources containing crafted FHIRPath expressions that invoke matches(), matchesFull(), or replaceMatches() with catastrophically backtracking regex patterns. Affected versions are org.hl7.fhir.* Maven artifacts at or below 6.9.6; publicly available proof-of-concept code exists in the GitHub Security Advisory (pattern (a+)+$ against a long string). CVSS 7.5 reflects high availability impact with no confidentiality or integrity loss; no exploitation in the wild identified at time of analysis and no CISA KEV listing.
Regular expression denial of service (ReDoS) in Svelte 5.51.5 through 5.55.6 allows attackers to cause application hang or crash by passing unconstrained-length tag names to the `<svelte:element>` component, triggering exponential regex evaluation time in the runtime tag validation logic. The vulnerability requires applications to accept user-controlled tag input without length or content restrictions.
Regular expression denial of service in multiparty (npm package) versions 4.2.3 and below allows remote unauthenticated attackers to block the Node.js event loop for seconds via crafted Content-Disposition headers in multipart uploads. The vulnerability triggers catastrophic backtracking in the filename parameter parser with headers as small as 8 KB. Fixed in multiparty 4.3.0. EPSS data not available; no active exploitation confirmed at time of analysis, but the low complexity (AV:N/AC:L/PR:N/UI:N) and availability of detailed public advisory increase weaponization risk for any web service accepting file uploads through this library.
Regular Expression Denial of Service in mistune's link title parser enables attackers to freeze Python applications with 58-byte Markdown payloads. The LINK_TITLE_RE regex in mistune 3.0.0a1 through 3.2.0 exhibits catastrophic backtracking (O(2^N) time complexity) when parsing link titles with repeated escaped punctuation patterns, blocking a parser thread for approximately 6 seconds on modern hardware with exponential growth per additional byte pair. Publicly available exploit code exists (demonstrated in the GitHub advisory with working PoC), enabling trivial weaponization against web applications, documentation systems, Jupyter tooling, and API endpoints that process user-supplied Markdown. CVSS 8.7 (CVSS:4.0/AV:N/AC:L/PR:N/UI:N/VA:H) reflects the network-accessible, zero-prerequisite nature of the attack, though the High availability impact assumes single-threaded parsing or resource-constrained environments.
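An added example, not code from any of the projects above, covering the nested-quantifier blowup that the HAPI FHIR PoC uses and the check-the-length-first ordering that the idna fix restored (the Symfony and mistune entries are the same class of defect). The 4096-character cap, the input shape and the sample strings are assumptions chosen for illustration.

```python
import re
import time

# Shape of the HAPI FHIR PoC: a nested quantifier run against input that
# fails only at the very end. Every split of the a-run between the inner and
# outer '+' is retried before '$' is declared unmatchable: 2**(n-1) attempts
# for n a's, so each extra byte doubles the work.
NESTED = re.compile(r"(a+)+$")
# Same language, exactly one way to match it: linear in the input length.
FLAT = re.compile(r"a+$")

MAX_INPUT = 4096  # assumed cap for illustration; take the real one from the field's spec


def almost_match(n: int) -> str:
    """Constructed input: n a's, then a byte that defeats the final '$'."""
    return "a" * n + "!"


def time_search(pattern: re.Pattern, text: str, runs: int = 3) -> float:
    """Best-of-`runs` wall-clock seconds for one search() call."""
    best = float("inf")
    for _ in range(runs):
        t0 = time.perf_counter()
        pattern.search(text)
        best = min(best, time.perf_counter() - t0)
    return best


def backtracking_growth(n_small: int = 16, n_large: int = 20) -> float:
    """Slowdown of NESTED for (n_large - n_small) extra input bytes.

    Doubling per byte gives roughly 2 ** (n_large - n_small); FLAT on the
    same inputs stays within noise of constant time."""
    return time_search(NESTED, almost_match(n_large)) / time_search(
        NESTED, almost_match(n_small)
    )


def same_language(samples) -> bool:
    """Check that the rewrite accepts exactly the strings the original did."""
    return all(bool(NESTED.search(s)) == bool(FLAT.search(s)) for s in samples)


def bounded_search(pattern: re.Pattern, text: str, max_len: int = MAX_INPUT):
    """Enforce the length limit before the engine sees a single byte.

    This is the ordering the idna fix restored (length rejection ahead of
    per-codepoint validation) and it bounds polynomial blowups such as the
    Symfony cleanup() regexes. It does not rescue an exponential pattern:
    NESTED runs for seconds on ~30 bytes and the mistune payload is 58 bytes,
    and for attacker-supplied patterns (FHIRPath matches()) the engine or the
    pattern itself has to change."""
    if len(text) > max_len:
        raise ValueError(f"input of {len(text)} chars exceeds {max_len}")
    return pattern.search(text)


def is_rejected(text: str, max_len: int = MAX_INPUT) -> bool:
    """True when bounded_search refuses `text` without running the regex."""
    try:
        bounded_search(FLAT, text, max_len)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(f"NESTED slowdown over 4 extra bytes: {backtracking_growth():.1f}x")
    print("rewrite equivalent:", same_language(["", "a", "aaa", "aaa!", "b", "aba"]))
    print("oversized input rejected:", is_rejected(almost_match(MAX_INPUT + 1)))
```

The growth figure is the practical test for a suspect pattern: time it on two near-miss inputs a few bytes apart, and a ratio near 2 per byte means the pattern needs rewriting, not a larger limit. Where the pattern is user-controlled, as in the FHIRPath and giskard cases, the only robust mitigations are an engine with a linear-time guarantee or running the match in a separate process that can be killed on a deadline.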
Remote denial of service via regular expression attack in GROWI allows unauthenticated network attackers to exhaust server resources by submitting maliciously crafted input strings that trigger catastrophic backtracking in regex processing (CWE-1333). GROWI, Inc.'s collaboration platform is vulnerable to ReDoS with a CVSS 4.0 base score of 8.7 (High), reflecting high availability impact through network-accessible, low-complexity exploitation requiring no privileges or user interaction. No CISA KEV listing or public exploit code identified at time of analysis, though vendor advisory confirms the vulnerability and provides remediation guidance.
Denial of service in giskard-checks RegexMatching check via unguarded regex pattern matching allows local attackers with write access to check definitions to trigger catastrophic backtracking in Python's re.search() function, causing process hangs and disrupting CI/CD pipelines or automated test execution.