CWE-1333 — Vulnerability Class (259 CVEs)

259 vulnerabilities classified as CWE-1333. AI Chinese analysis included.

CWE-1333 represents a software weakness where regular expressions exhibit inefficient, often exponential, worst-case computational complexity. This vulnerability is typically exploited through Regular Expression Denial of Service (ReDoS) attacks, where malicious actors craft specific input strings that trigger catastrophic backtracking within the regex engine. Such inputs force the processor to evaluate an excessive number of potential matches, consuming significant CPU resources and effectively halting application availability. To mitigate this risk, developers must prioritize regex optimization by avoiding nested quantifiers, minimizing ambiguity in pattern structures, and utilizing possessive quantifiers or atomic groups to prevent backtracking. Additionally, implementing strict input length limits and employing regex complexity analysis tools during the development lifecycle can help identify and eliminate inefficient patterns before deployment, ensuring robust application performance against adversarial inputs.

MITRE CWE Description
The product uses a regular expression with a worst-case computational complexity that is inefficient and possibly exponential.
Common Consequences (1)
Scope: Availability
Impact: DoS: Resource Consumption (CPU)
Attackers can create crafted inputs that intentionally cause the regular expression to use excessive backtracking in a way that causes the CPU consumption to spike.
Mitigations (4)
Architecture and Design: Use regular expressions that do not support backtracking, e.g. by removing nested quantifiers.
Effectiveness: High
System Configuration: Set backtracking limits in the configuration of the regular expression implementation, such as PHP's pcre.backtrack_limit. Also consider limits on execution time for the process.
Effectiveness: Moderate
Implementation: Do not use regular expressions with untrusted input. If regular expressions must be used, avoid using backtracking in the expression.
Effectiveness: High
Implementation: Limit the length of the input that the regular expression will process.
Effectiveness: Moderate
Examples (2)
This example attempts to check if an input string is a "sentence" [REF-1164].
Bad · JavaScript
    var test_string = "Bad characters: $@#";
    var bad_pattern = /^(\w+\s?)*$/i;
    var result = test_string.search(bad_pattern);
Good · JavaScript
    var test_string = "Bad characters: $@#";
    var good_pattern = /^((?=(\w+))\2\s?)*$/i;
    var result = test_string.search(good_pattern);
This example attempts to check if an input string is a "sentence" and is modified for Perl [REF-1164].
Bad · Perl
    my $test_string = "Bad characters: \$\@\#";
    my $bdrslt = $test_string;
    $bdrslt =~ /^(\w+\s?)*$/i;
Good · Perl
    my $test_string = "Bad characters: \$\@\#";
    my $gdrslt = $test_string;
    $gdrslt =~ /^((?=(\w+))\2\s?)*$/i;
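The overview paragraph and the mitigations list above describe three defences: keep nested quantifiers out of patterns, limit the length of untrusted input, and run complexity analysis on patterns before deployment. The JavaScript below is an added example, not code from the CWE entry or from any project listed on this page. It reuses the entry's "Bad" and "Good" patterns, applies an assumed length limit (MAX_SENTENCE_LENGTH), and adds a small lint-style check (hasNestedUnboundedQuantifier, a hypothetical name) that flags the nested-quantifier shape of the "Bad" pattern while treating lookarounds as atomic, so the "Good" pattern passes. The check is a heuristic and generalizes beyond the two patterns on the page: it also handles character classes, non-capturing and named groups, and {n,} quantifiers.

```javascript
// Added example (not from the CWE entry or from any project listed on this page).
// Puts three of the mitigations above into code: a length limit on untrusted input,
// the entry's backtracking-free "Good" pattern, and a lint-style check for the
// nested-quantifier shape of the "Bad" pattern. All names here are hypothetical.

const MAX_SENTENCE_LENGTH = 256; // assumed limit; size it to the field being validated

// Both patterns are copied from the CWE entry's examples above.
const BAD_PATTERN = /^(\w+\s?)*$/i;           // \w+ repeated inside a * group: exponential backtracking
const GOOD_PATTERN = /^((?=(\w+))\2\s?)*$/i;  // lookahead + backreference: each \w+ run is consumed once

// Static heuristic: returns true when a group quantified by *, + or {n,} contains,
// outside any lookaround, another *, + or {n,}. That is exactly the shape of BAD_PATTERN.
// It is a lint, not a proof: it misses ambiguous alternation such as (a|a)* and it can
// flag patterns that are safe for reasons it does not model.
function hasNestedUnboundedQuantifier(source) {
  const stack = [];  // one frame per currently open group
  const markUnbounded = () => { if (stack.length) stack[stack.length - 1].unbounded = true; };
  const unboundedAt = (j) => source[j] === '*' || source[j] === '+' || /^\{\d+,\}/.test(source.slice(j));
  let i = 0;
  while (i < source.length) {
    const c = source[i];
    if (c === '\\') { i += 2; continue; }                       // escaped atom such as \w or \2
    if (c === '[') {                                            // character class: no groups inside
      i++;
      while (i < source.length && source[i] !== ']') i += source[i] === '\\' ? 2 : 1;
      i++;
      continue;
    }
    if (c === '(') {
      i++;
      let lookaround = false;
      if (source[i] === '?') {                                  // (?: (?= (?! (?<= (?<! (?<name>
        const a = source[i + 1], b = source[i + 2];
        if (a === '=' || a === '!') { lookaround = true; i += 2; }
        else if (a === '<' && (b === '=' || b === '!')) { lookaround = true; i += 3; }
        else if (a === '<') { const close = source.indexOf('>', i); i = close === -1 ? source.length : close + 1; }
        else { i += 2; }
      }
      stack.push({ unbounded: false, lookaround });
      continue;
    }
    if (c === ')') {
      const frame = stack.pop() || { unbounded: false, lookaround: false };
      i++;
      const quantified = unboundedAt(i);
      if (quantified && frame.unbounded) return true;           // (...+...)* : the ReDoS shape
      // A lookaround is atomic: the engine never backtracks into it, so its inner
      // quantifiers cannot combine with an outer one. Other groups pass theirs upward.
      if (quantified || (frame.unbounded && !frame.lookaround)) markUnbounded();
      continue;
    }
    if (unboundedAt(i)) markUnbounded();
    i++;
  }
  return false;
}

// Runtime mitigation: refuse oversized untrusted input before the engine sees it,
// then match with the formulation that cannot backtrack into the \w+ run.
function isSentence(input) {
  if (typeof input !== 'string' || input.length > MAX_SENTENCE_LENGTH) return false;
  return GOOD_PATTERN.test(input);
}

// Stand-alone demonstration on the entry's own test string.
console.log('bad pattern flagged:', hasNestedUnboundedQuantifier(BAD_PATTERN.source));   // true
console.log('good pattern flagged:', hasNestedUnboundedQuantifier(GOOD_PATTERN.source)); // false
console.log('isSentence("Bad characters: $@#"):', isSentence('Bad characters: $@#'));     // false
console.log('isSentence("This is a sentence"):', isSentence('This is a sentence'));       // true
```

The lint is meant to run in CI over the `.source` of every pattern that will see untrusted input; a hit is a prompt to rewrite the pattern (as the entry's "Good" version does with a lookahead and backreference) or to move the check off a regex entirely. The length limit complements the System Configuration mitigation: a backtracking limit such as PHP's pcre.backtrack_limit bounds the damage after the engine starts, while the length check keeps oversized input from reaching it at all.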
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2026-22809 | tarteaucitron.js has Regular Expression Denial of Service (ReDoS) vulnerability | tarteaucitron.js | 4.4 | Medium | 2026-01-13
CVE-2024-58340 | LangChain <= 0.3.1 MRKLOutputParser ReDoS | LangChain | 7.5 (AI) | High (AI) | 2026-01-12
CVE-2026-22691 | pypdf has possible long runtimes for malformed startxref | pypdf | 6.5 | - | 2026-01-10
CVE-2026-21868 | Flag Forge has ReDoS Vulnerability in User Profile Lookup API | flagForge | 7.5 | High | 2026-01-08
CVE-2026-0668 | VisualData extension: Regular Expression Denial of Service (ReDoS) via crafted user input | MediaWiki - VisualData Extension | 7.5 | - | 2026-01-07
CVE-2026-0621 | MCP TypeScript SDK UriTemplate Exploded Array Pattern ReDoS | MCP TypeScript SDK | 7.5 | - | 2026-01-05
CVE-2025-68475 | Fedify has ReDoS Vulnerability in HTML Parsing Regex | fedify | 7.5 | High | 2025-12-22
CVE-2025-68142 | PyMdown Extensions has ReDOS bug in Figure Capture extension | pymdown-extensions | 7.5 (AI) | High (AI) | 2025-12-16
CVE-2025-66020 | Valibot has a ReDoS vulnerability in `EMOJI_REGEX` | valibot | 7.5 | High | 2025-11-26
CVE-2025-62484 | Zoom Workplace Clients - Inefficient Regular Expression Complexity | Zoom Workplace | 8.1 | High | 2025-11-13
CVE-2025-61581 | Apache Traffic Control: ReDoS issue in Traffic Router configuration | Apache Traffic Control | 7.5 (AI) | High (AI) | 2025-10-16
CVE-2025-61921 | Sinatra has ReDoS vulnerability in ETag header value generation | sinatra | 7.5 (AI) | High (AI) | 2025-10-10
CVE-2025-6051 | Regular Expression Denial of Service (ReDoS) in huggingface/transformers | huggingface/transformers | 7.5 | - | 2025-09-14
CVE-2025-6638 | Regular Expression Denial of Service (ReDoS) in huggingface/transformers | huggingface/transformers | 7.5 | - | 2025-09-12
CVE-2025-58451 | Cattown Vulnerable to Inefficient Regular Expression Complexity and Uncontrolled Resource Consumption | Cattown | 7.5 (AI) | High (AI) | 2025-09-08
CVE-2025-9670 | mixmark-io turndown commonmark-rules.js redos | turndown | 5.3 | Medium | 2025-08-29
CVE-2025-43764 | Liferay Portal and Liferay DXP security vulnerability | Portal | 6.5 (AI) | Medium (AI) | 2025-08-23
CVE-2025-9308 | yarnpkg Yarn request-manager.js setOptions redos | Yarn | 3.3 | Low | 2025-08-21
CVE-2025-54363 | knack security vulnerability | Knack | 7.5 (AI) | High (AI) | 2025-08-20
CVE-2025-54364 | knack security vulnerability | Knack | 7.5 (AI) | High (AI) | 2025-08-20
CVE-2025-4690 | AngularJS 'linky' filter ReDoS | AngularJS | 4.3 | Medium | 2025-08-19
CVE-2025-33090 | IBM Concert Software denial of service | Concert Software | 7.5 | High | 2025-08-18
CVE-2025-2937 | Inefficient Regular Expression Complexity in GitLab | GitLab | 6.5 | Medium | 2025-08-13
CVE-2025-5197 | Regular Expression Denial of Service (ReDoS) in huggingface/transformers | huggingface/transformers | 7.5 | - | 2025-08-06
CVE-2025-8262 | yarnpkg Yarn hosted-git-resolver.js explodeHostedGitFragment redos | Yarn | 4.3 | Medium | 2025-07-28
CVE-2025-6998 | Calibre Web 0.6.24 & Autocaliweb 0.7.0 - ReDoS | Calibre Web | 7.5 | - | 2025-07-24
CVE-2025-7579 | chinese-poetry server.js redos | chinese-poetry | 4.3 | Medium | 2025-07-14
CVE-2025-3933 | Regular Expression Denial of Service (ReDoS) in huggingface/transformers | huggingface/transformers | 7.5 (AI) | High (AI) | 2025-07-11
CVE-2025-53539 | ReDoS in fastapi-guard's penetration attempts detector | fastapi-guard | 7.5 (AI) | High (AI) | 2025-07-07
CVE-2025-3264 | Regular Expression Denial of Service (ReDoS) in huggingface/transformers | huggingface/transformers | 7.5 | - | 2025-07-07

Vulnerabilities classified as CWE-1333 represent 259 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.