Skip to main content

GROWI EUVDEUVD-2026-25199

| CVE-2026-41040 HIGH
Inefficient Regular Expression Complexity (ReDoS) (CWE-1333)
2026-04-23 jpcert GHSA-vjmw-64m9-xqq5
8.7
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

6
Re-analysis Queued
Apr 24, 2026 - 14:52 vuln.today
cvss_changed
Analysis Generated
Apr 23, 2026 - 08:00 vuln.today
CVSS changed
Apr 23, 2026 - 07:35 NVD
7.5 (HIGH) 8.7 (HIGH)
EUVD ID Assigned
Apr 23, 2026 - 07:30 euvd
EUVD-2026-25199
Analysis Generated
Apr 23, 2026 - 07:30 vuln.today
CVE Published
Apr 23, 2026 - 06:59 nvd
HIGH 8.7

DescriptionCVE.org

GROWI provided by GROWI, Inc. is vulnerable to a regular expression denial of service (ReDoS) via a crafted input string.

AnalysisAI

Remote denial of service via regular expression attack in GROWI allows unauthenticated network attackers to exhaust server resources by submitting maliciously crafted input strings that trigger catastrophic backtracking in regex processing (CWE-1333). GROWI, Inc.'s collaboration platform is vulnerable to ReDoS with a CVSS 4.0 base score of 8.7 (High), reflecting high availability impact through network-accessible, low-complexity exploitation requiring no privileges or user interaction. No CISA KEV listing or public exploit code identified at time of analysis, though vendor advisory confirms the vulnerability and provides remediation guidance.

Technical ContextAI

GROWI is a team collaboration and wiki platform developed by GROWI, Inc., commonly deployed for knowledge management and documentation. Regular Expression Denial of Service (ReDoS/CWE-1333) occurs when poorly optimized regular expressions exhibit catastrophic backtracking behavior on specially crafted input. When a regex contains nested quantifiers or overlapping patterns (e.g., (a+)+, (a|a)*, (a*)*), the regex engine may enter exponential time complexity when matching against adversarial input, consuming excessive CPU cycles and potentially blocking event loops or thread pools. In Node.js-based applications like GROWI, ReDoS attacks can freeze the main thread, preventing the server from processing legitimate requests. The CVSS 4.0 vector (AV:N/AC:L/PR:N/UI:N) indicates the vulnerable regex processing occurs on network-reachable endpoints without requiring authentication, making this a high-exposure attack surface.

RemediationAI

Apply the vendor-released patch as specified in GROWI's official security advisory at https://growi.co.jp/news/44/. Upgrade to the patched GROWI version identified in the advisory-exact fix version should be verified from vendor documentation as NVD data does not specify the remediated release. If immediate patching is not feasible, implement rate limiting and request size restrictions on input endpoints to reduce ReDoS impact: configure reverse proxies (nginx, Apache) with client_body_timeout and send_timeout directives to terminate slow requests (trade-off: may impact legitimate users on slow connections), deploy Web Application Firewall rules to detect and block repetitive pattern submissions (trade-off: requires pattern tuning to avoid false positives), and apply per-IP connection limits to prevent single-source exhaustion attacks (trade-off: ineffective against distributed attacks). These compensating controls mitigate but do not eliminate the vulnerability. Monitor application server CPU usage and response times for anomalous spikes indicating active exploitation attempts.

More in Growi

View all
CVE-2021-20736 CRITICAL
9.1 Jun 22

NoSQL injection vulnerability in GROWI versions prior to v4.2.20 allows a remote attacker to obtain and/or alter the inf

CVE-2019-5968 HIGH
8.8 Jul 05

Cross-site request forgery (CSRF) vulnerability in GROWI v3.4.6 and earlier allows remote attackers to hijack the authen

CVE-2026-25083 HIGH
8.7 Mar 16

Cross-user data exposure and tampering in GROWI v7.4.5 and earlier allows any authenticated user who learns a shared AI

CVE-2026-41951 HIGH
8.6 May 11

Remote path traversal in GROWI v7.5.0 and earlier allows authenticated administrators to execute arbitrary EJS templates

CVE-2021-20670 HIGH
7.5 Mar 10

Improper access control vulnerability in GROWI versions v4.2.2 and earlier allows a remote unauthenticated attacker to r

CVE-2020-5683 HIGH
7.5 Dec 16

Directory traversal vulnerability in GROWI versions prior to v4.2.3 (v4.2 Series), GROWI versions prior to v4.1.12 (v4.1

CVE-2020-5682 HIGH
7.5 Dec 16

Improper input validation in GROWI versions prior to v4.2.3 (v4.2 Series), GROWI versions prior to v4.1.12 (v4.1 Series)

CVE-2020-5676 HIGH
7.5 Dec 03

GROWI v4.1.3 and earlier allow remote attackers to obtain information which is not allowed to access via unspecified vec

CVE-2019-13338 HIGH
7.5 Jul 09

In WESEEK GROWI before 3.5.0, a remote attacker can obtain the password hash of the creator of a page by leveraging wiki

CVE-2019-13337 HIGH
7.5 Jul 09

In WESEEK GROWI before 3.5.0, the site-wide basic authentication can be bypassed by adding a URL parameter access_token

CVE-2021-20671 HIGH
7.2 Mar 10

Invalid file validation on the upload feature in GROWI versions v4.2.2 allows a remote attacker with administrative priv

CVE-2023-50332 MEDIUM
6.5 Dec 26

Improper authorization vulnerability exists in the User Management (/admin/users) page of GROWI versions prior to v6.0.6

Share

EUVD-2026-25199 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy