
CWE-1333 — Vulnerability Class (259 CVEs)

259 vulnerabilities classified as CWE-1333. AI Chinese analysis included.

CWE-1333 covers regular expressions whose worst-case running time is inefficient, often exponential in the length of the input. The weakness is exploited through Regular Expression Denial of Service (ReDoS): an attacker supplies an input string that triggers catastrophic backtracking in the regex engine, which then explores an excessive number of candidate matches, pins the CPU and makes the application unavailable. Mitigation starts with the patterns themselves: avoid nested quantifiers, minimise ambiguity between adjacent sub-patterns, and use possessive quantifiers or atomic groups so the engine cannot revisit what it has already matched. Strict input length limits and regex complexity analysis tools used during development catch inefficient patterns before they reach production.

MITRE CWE Description
The product uses a regular expression with a worst-case computational complexity that is inefficient and possibly exponential.

Common Consequences (1)
Availability: DoS: Resource Consumption (CPU)
Attackers can create crafted inputs that intentionally cause the regular expression to use excessive backtracking in a way that causes the CPU consumption to spike.

Mitigations (4)
Architecture and Design: Use regular expressions that do not support backtracking, e.g. by removing nested quantifiers.
Effectiveness: High
System Configuration: Set backtracking limits in the configuration of the regular expression implementation, such as PHP's pcre.backtrack_limit. Also consider limits on execution time for the process.
Effectiveness: Moderate
Implementation: Do not use regular expressions with untrusted input. If regular expressions must be used, avoid using backtracking in the expression.
Effectiveness: High
Implementation: Limit the length of the input that the regular expression will process.
Effectiveness: Moderate
Examples (2)
This example attempts to check if an input string is a "sentence" [REF-1164].

Bad · JavaScript
var test_string = "Bad characters: $@#";
var bad_pattern = /^(\w+\s?)*$/i;
var result = test_string.search(bad_pattern);

Good · JavaScript
var test_string = "Bad characters: $@#";
var good_pattern = /^((?=(\w+))\2\s?)*$/i;
var result = test_string.search(good_pattern);

This example attempts to check if an input string is a "sentence" and is modified for Perl [REF-1164].

Bad · Perl
my $test_string = "Bad characters: \$\@\#";
my $bdrslt = $test_string;
$bdrslt =~ /^(\w+\s?)*$/i;

Good · Perl
my $test_string = "Bad characters: \$\@\#";
my $gdrslt = $test_string;
$gdrslt =~ /^((?=(\w+))\2\s?)*$/i;
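The following is an added example, not code from MITRE's entry or from any project in the CVE list below. It puts the mitigations above together in Node.js: the page's "Bad" and "Good" sentence patterns, an input length cap applied before the regex runs, a small static lint for the nested-unbounded-quantifier shape (the classic exponential case, which is what "Use regular expressions that do not support backtracking, e.g. by removing nested quantifiers" targets), and a timing probe for measuring your own patterns during development. The constant MAX_SENTENCE_LENGTH, the function names, and the probe input are all assumptions of this example.

```javascript
'use strict';
// Added example for this CWE-1333 page; not code from MITRE or from any project in the CVE list.

const MAX_SENTENCE_LENGTH = 256; // assumed policy limit; pick one that fits your application

// Pattern from the CWE example ("Bad"): \w+ inside a starred group with an optional \s, so a run of
// word characters can be split between iterations in exponentially many ways when the match fails.
const BAD_SENTENCE = /^(\w+\s?)*$/i;

// Pattern from the CWE example ("Good"): (?=(\w+))\2 captures the word inside an atomic lookahead
// and then consumes exactly that capture, so the engine cannot re-split the word on failure.
const GOOD_SENTENCE = /^((?=(\w+))\2\s?)*$/i;

// Validate a "sentence"; over-long input is rejected before the regex ever runs (length-limit mitigation).
function isSentence(input, pattern = GOOD_SENTENCE, maxLength = MAX_SENTENCE_LENGTH) {
  if (typeof input !== 'string' || input.length > maxLength) return false;
  return pattern.test(input);
}

// True if the quantifier at index i is unbounded (*, +, or {n,}); ? and {n,m} are bounded.
function unboundedQuantifierAt(source, i) {
  const c = source[i];
  if (c === '*' || c === '+') return true;
  if (c === '{') return /^\{\d+,\}/.test(source.slice(i));
  return false;
}

// Static heuristic: does the pattern apply an unbounded quantifier to a group that itself contains
// an unbounded quantifier, e.g. (\w+)* ? Quantifiers inside lookarounds are ignored because
// ECMAScript lookarounds are atomic. It does not model alternation overlap such as (a|aa)+,
// so it complements the timing probe below rather than replacing it.
function hasNestedUnboundedQuantifier(source) {
  const groups = [];               // one entry per currently open group
  let lookaroundDepth = 0;
  let closedHadQuantifier = false; // did the group just closed contain an unbounded quantifier?
  let afterGroupClose = false;
  let inClass = false;
  for (let i = 0; i < source.length; i++) {
    const c = source[i];
    if (c === '\\') { i++; afterGroupClose = false; continue; }  // skip the escaped character
    if (inClass) { if (c === ']') inClass = false; continue; }    // quantifier chars are literal in [...]
    if (c === '[') { inClass = true; afterGroupClose = false; continue; }
    if (c === '(') {
      const isLookaround = /^\(\?<?[=!]/.test(source.slice(i, i + 4));
      groups.push({ hasQuantifier: false, isLookaround });
      if (isLookaround) lookaroundDepth++;
      afterGroupClose = false;
      continue;
    }
    if (c === ')') {
      const group = groups.pop() || { hasQuantifier: false, isLookaround: false };
      if (group.isLookaround) {
        lookaroundDepth--;
        closedHadQuantifier = false;
      } else {
        closedHadQuantifier = group.hasQuantifier;
        if (closedHadQuantifier && groups.length) groups[groups.length - 1].hasQuantifier = true;
      }
      afterGroupClose = true;
      continue;
    }
    if (lookaroundDepth === 0 && unboundedQuantifierAt(source, i)) {
      if (afterGroupClose && closedHadQuantifier) return true;
      if (groups.length) groups[groups.length - 1].hasQuantifier = true;
    }
    afterGroupClose = false;
  }
  return false;
}

// Constructed probe for testing your own patterns: a run of word characters followed by one
// character no iteration can match, so the bad pattern tries every split of the run (2^(n-1) of them).
// Keep n small; the point is the ratio between the two patterns, not the absolute time.
function probeInput(n) {
  return 'a'.repeat(n) + '!';
}

// Time one test() call; returns whether it matched and the elapsed milliseconds.
function measureMs(pattern, input) {
  const start = Date.now();
  const matched = pattern.test(input);
  return { matched, elapsedMs: Date.now() - start };
}

// Demo: lint both patterns and compare them on a short probe.
for (const [name, pattern] of [['bad', BAD_SENTENCE], ['good', GOOD_SENTENCE]]) {
  const probe = probeInput(18);
  const { matched, elapsedMs } = measureMs(pattern, probe);
  console.log(`${name}: nestedUnboundedQuantifier=${hasNestedUnboundedQuantifier(pattern.source)} ` +
              `matched=${matched} elapsed=${elapsedMs}ms on a ${probe.length}-char probe`);
}
console.log(isSentence('Hello world'), isSentence('Bad characters: $@#'), isSentence('a'.repeat(300)));
```

Running the demo shows the bad pattern's time growing with every extra character in the probe while the good pattern stays flat, and the lint flags only the bad pattern. In a real service the length cap and the lint go into the validation layer and the CI pipeline respectively; the timing probe belongs in the test suite for every pattern that sees untrusted input.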
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2025-3263 | Regular Expression Denial of Service (ReDoS) in huggingface/transformers | huggingface/transformers | 7.5 | - | 2025-07-07
CVE-2025-3262 | Regular Expression Denial of Service (ReDoS) in huggingface/transformers | huggingface/transformers | 7.5 | - | 2025-07-07
CVE-2025-7074 | vercel hyper rimraf-standalone.js ignoreMap redos | hyper | 4.3 | Medium | 2025-07-05
CVE-2025-43880 | Weseek Growi security vulnerability | GROWI | 6.5 (AI) | Medium (AI) | 2025-06-25
CVE-2025-6493 | CodeMirror Markdown Mode markdown.js redos | CodeMirror | 5.3 | Medium | 2025-06-22
CVE-2025-6492 | MarkText index.js getRecommendTitleFromMarkdownString redos | MarkText | 5.3 | Medium | 2025-06-22
CVE-2024-4025 | Inefficient Regular Expression Complexity in GitLab | GitLab | 6.5 | Medium | 2025-06-20
CVE-2025-48059 | PowSyBl Core Contains a Polynomial ReDoS in RegexCriterion | powsybl-core | 7.5 (AI) | High (AI) | 2025-06-20
CVE-2025-48058 | PowSyBl Core contains Polynomial REDoS’es | powsybl-core | 7.5 (AI) | High (AI) | 2025-06-20
CVE-2025-6069 | HTMLParser quadratic complexity when processing malformed inputs | CPython | 4.3 | Medium | 2025-06-17
CVE-2025-5897 | vuejs vue-cli Markdown Code HtmlPwaPlugin.js HtmlPwaPlugin redos | vue-cli | 4.3 | Medium | 2025-06-09
CVE-2025-5896 | tarojs taro index.js redos | taro | 4.3 | Medium | 2025-06-09
CVE-2025-5895 | Metabase dom.js parseDataUri redos | Metabase | 4.3 | Medium | 2025-06-09
CVE-2025-5892 | RocketChat parseMessage.js parseMessage redos | RocketChat | 4.3 | Medium | 2025-06-09
CVE-2025-5891 | Unitech pm2 Config.js redos | pm2 | 4.3 | Medium | 2025-06-09
CVE-2025-5890 | actions toolkit glob internal-pattern.ts globEscape redos | toolkit | 4.3 | Medium | 2025-06-09
CVE-2025-5889 | juliangruber brace-expansion index.js expand redos | brace-expansion | 3.1 | Low | 2025-06-09
CVE-2025-48887 | vLLM has a Regular Expression Denial of Service (ReDoS, Exponential Complexity) Vulnerability in `pythonic_tool_parser.py` | vllm | 6.5 | Medium | 2025-05-30
CVE-2018-25110 | Regular Expression Denial of Service (ReDoS) in markedjs/marked | | 7.5 (AI) | High (AI) | 2025-05-23
CVE-2025-2099 | Regular Expression Denial of Service (ReDoS) in huggingface/transformers | huggingface/transformers | 7.5 | - | 2025-05-19
CVE-2025-4727 | Meteor livedata_server.js Object.assign redos | Meteor | 3.7 | Low | 2025-05-15
CVE-2025-24026 | iTop Inefficient Regular Expression Complexity vulnerability | iTop | 5.3 | Medium | 2025-05-14
CVE-2025-4215 | gorhill uBlock Origin UI 1p-filters.js currentStateChanged redos | uBlock Origin | 3.1 | Low | 2025-05-02
CVE-2025-46560 | vLLM phi4mm: Quadratic Time Complexity in Input Token Processing leads to denial of service | vllm | 6.5 | Medium | 2025-04-30
CVE-2025-1194 | Regular Expression Denial of Service (ReDoS) in huggingface/transformers | huggingface/transformers | 7.5 (AI) | High (AI) | 2025-04-29
CVE-2025-3986 | Apereo CAS CasConfigurationMetadataServerController.java redos | CAS | 4.3 | Medium | 2025-04-27
CVE-2025-3985 | Apereo CAS ResponseEntity redos | CAS | 2.7 | Low | 2025-04-27
CVE-2025-2811 | GL.iNet GL-A1300 Slate Plus API redos | GL-A1300 Slate Plus | 5.7 | Medium | 2025-04-26
CVE-2025-2833 | zhangyd-c OneBlog HTTP Header redos | OneBlog | 5.3 | Medium | 2025-03-27
CVE-2024-10549 | Denial of Service by ReDOS in h2oai/h2o-3 | h2oai/h2o-3 | 7.5 | - | 2025-03-20

Values marked (AI) carried an AI badge on the original listing; "-" means no severity was given.

Vulnerabilities classified as CWE-1333 represent 259 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.