
CWE-1333: Inefficient Regular Expression Complexity

259 vulnerabilities classified as CWE-1333.

CWE-1333 covers software weaknesses where a regular expression has inefficient, often exponential, worst-case computational complexity. The weakness is typically exploited through Regular Expression Denial of Service (ReDoS): an attacker crafts an input that triggers catastrophic backtracking in the regex engine, forcing it to evaluate an enormous number of candidate matches (for a pattern such as (\w+\s?)* the number of ways to split a run of n word characters grows roughly as 2^n) and pinning the CPU until the request, thread or event loop stalls. To mitigate this risk, avoid nested quantifiers and ambiguous pattern structure, and use possessive quantifiers or atomic groups where the engine offers them (PCRE, Perl and Java do; JavaScript does not, which is why the examples below emulate an atomic group with a lookahead and a backreference). Where the engine allows it, prefer a linear-time, non-backtracking matcher such as RE2. Additionally, enforce strict input length limits before matching, set backtracking or execution-time limits at the engine or process level, and run regex complexity analysis tools during development so inefficient patterns are caught before deployment.

MITRE CWE Description
The product uses a regular expression with a worst-case computational complexity that is inefficient and possibly exponential.
Common Consequences (1)
Scope: Availability. Impact: DoS: Resource Consumption (CPU).
Attackers can create crafted inputs that intentionally cause the regular expression to use excessive backtracking in a way that causes the CPU consumption to spike.
Mitigations (4)
Phase: Architecture and Design. Use regular expressions that do not support backtracking, e.g. by removing nested quantifiers.
Effectiveness: High
Phase: System Configuration. Set backtracking limits in the configuration of the regular expression implementation, such as PHP's pcre.backtrack_limit. Also consider limits on execution time for the process.
Effectiveness: Moderate
Phase: Implementation. Do not use regular expressions with untrusted input. If regular expressions must be used, avoid using backtracking in the expression.
Effectiveness: High
Phase: Implementation. Limit the length of the input that the regular expression will process.
Effectiveness: Moderate
Examples (2)
This example attempts to check if an input string is a "sentence" [REF-1164].
Bad · JavaScript
var test_string = "Bad characters: $@#";
var bad_pattern = /^(\w+\s?)*$/i;   // nested quantifier: \w+ repeated inside (...)* with an optional separator
var result = test_string.search(bad_pattern);   // -1: no match, but only after exhaustive backtracking
Good · JavaScript
var test_string = "Bad characters: $@#";
var good_pattern = /^((?=(\w+))\2\s?)*$/i;   // (?=(\w+))\2 consumes the whole word atomically, so no backtracking into it
var result = test_string.search(good_pattern);   // -1: same answer, linear time
This example attempts to check if an input string is a "sentence" and is modified for Perl [REF-1164].
Bad · Perl
my $test_string = "Bad characters: \$\@\#";
my $bdrslt = ($test_string =~ /^(\w+\s?)*$/i);   # nested quantifier: catastrophic backtracking on crafted input
Good · Perl
my $test_string = "Bad characters: \$\@\#";
my $gdrslt = ($test_string =~ /^((?=(\w+))\2\s?)*$/i);   # lookahead plus backreference: the word run is consumed atomically
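The two patterns from the JavaScript example above, together with the length-limit and no-regex mitigations from the summary, as an added example that is not part of the CWE page or of REF-1164: it times both patterns on a constructed adversarial input under Node.js and wraps the safe pattern in a length-limited validator. The names `BAD_SENTENCE`, `GOOD_SENTENCE`, `MAX_SENTENCE_LENGTH`, `adversarialInput`, `timeMatch`, `isSentence` and `isSentenceNoRegex` are chosen for this illustration, and the 1000-character limit is an assumed policy, not anything the page prescribes.

```javascript
// Added example, not code from the CWE page or from REF-1164. Runs on Node.js 16+
// (uses the global `performance`); no dependencies. All inputs are constructed here.

// Vulnerable form from the example above. `\w+` repeated inside `(...)*` with an
// optional separator is a nested quantifier: a run of n word characters can be
// split into words in 2^(n-1) ways, and a trailing character that cannot match
// makes the engine try every split before it reports failure.
const BAD_SENTENCE = /^(\w+\s?)*$/i;

// Hardened form from the example above. `(?=(\w+))` captures the whole word run
// inside a lookahead and `\2` then consumes exactly that text, so the engine can
// never backtrack into the middle of a word. This emulates an atomic group, which
// JavaScript regex syntax does not have.
const GOOD_SENTENCE = /^((?=(\w+))\2\s?)*$/i;

// Assumed policy for this illustration: reject inputs longer than this before any
// regex runs (MITRE's "limit the length of the input" mitigation).
const MAX_SENTENCE_LENGTH = 1000;

// Classic ReDoS payload: a long run of word characters plus one character that
// can never match, so no early success cuts the search short.
function adversarialInput(wordChars) {
  return "a".repeat(wordChars) + "!";
}

// Runs `pattern.test(input)` once and reports the result with the wall time in ms.
function timeMatch(pattern, input) {
  const start = performance.now();
  const matched = pattern.test(input);
  return { matched, ms: performance.now() - start };
}

// Length-limited validator built on the safe pattern: oversized input is
// rejected before the regex engine ever sees it.
function isSentence(input, maxLength = MAX_SENTENCE_LENGTH) {
  if (typeof input !== "string" || input.length > maxLength) {
    return false;
  }
  return GOOD_SENTENCE.test(input);
}

// Regex-free validator accepting the same language as the patterns above
// (ASCII only: words of [A-Za-z0-9_], each optionally followed by one ASCII
// whitespace character; JavaScript's \s would also accept Unicode spaces).
// This is MITRE's "do not use regular expressions with untrusted input" option
// and is a single linear pass whatever the input looks like.
function isSentenceNoRegex(input, maxLength = MAX_SENTENCE_LENGTH) {
  if (typeof input !== "string" || input.length > maxLength) {
    return false;
  }
  let wordLength = 0; // characters of the word currently being read
  for (const ch of input) {
    const code = ch.charCodeAt(0);
    const isWord =
      (code >= 48 && code <= 57) || // 0-9
      (code >= 65 && code <= 90) || // A-Z
      (code >= 97 && code <= 122) || // a-z
      code === 95; // _
    const isSpace =
      ch === " " || ch === "\t" || ch === "\n" || ch === "\r" || ch === "\f" || ch === "\v";
    if (isWord) {
      wordLength += 1;
    } else if (isSpace) {
      if (wordLength === 0) {
        return false; // leading or doubled whitespace, which the patterns reject too
      }
      wordLength = 0;
    } else {
      return false; // any other character (e.g. '$', '@', '#') is rejected
    }
  }
  return true;
}

function demo() {
  // Keep n small: every extra character roughly doubles the vulnerable pattern's work.
  const short = adversarialInput(20);
  const bad = timeMatch(BAD_SENTENCE, short);
  const good = timeMatch(GOOD_SENTENCE, short);
  console.log(`bad pattern,  ${short.length} chars: matched=${bad.matched} in ${bad.ms.toFixed(1)} ms`);
  console.log(`good pattern, ${short.length} chars: matched=${good.matched} in ${good.ms.toFixed(3)} ms`);

  // The safe pattern stays linear on a payload several thousand times longer...
  const long = adversarialInput(100000);
  console.log(`good pattern, ${long.length} chars: ${timeMatch(GOOD_SENTENCE, long).ms.toFixed(3)} ms`);
  // ...and the validator never even runs the regex on it.
  console.log(`isSentence(long) = ${isSentence(long)}`);
  console.log(`isSentenceNoRegex("Hello world") = ${isSentenceNoRegex("Hello world")}`);
}

if (typeof require !== "undefined" && require.main === module) {
  demo();
}
```

Run it with `node redos-demo.js` and raise the 20 in `demo()` one character at a time: the bad pattern's time doubles with each step while the good pattern's stays flat. Do not try the bad pattern on the 100,000-character payload; that is the attack.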
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2024-12720 | Regular Expression Denial of Service (ReDoS) in huggingface/transformers | huggingface/transformers | 7.5 | - | 2025-03-20
CVE-2024-8998 | Regular Expression Denial of Service (ReDoS) in lunary-ai/lunary | lunary-ai/lunary | 7.5 | - | 2025-03-20
CVE-2024-10955 | ReDoS (Regular Expression Denial of Service) in gaizhenbiao/chuanhuchatgpt | gaizhenbiao/chuanhuchatgpt | 7.5 | - | 2025-03-20
CVE-2024-10624 | Regular Expression Denial of Service (ReDoS) in gradio-app/gradio | gradio-app/gradio | 7.5 | - | 2025-03-20
CVE-2024-12391 | Regular Expression Denial of Service (ReDoS) in binary-husky/gpt_academic | binary-husky/gpt_academic | 7.5 | - | 2025-03-20
CVE-2024-8789 | Regular Expression Denial of Service (ReDoS) in lunary-ai/lunary | lunary-ai/lunary | 7.5 | - | 2025-03-20
CVE-2024-10550 | Denial of Service by ReDoS in h2oai/h2o-3 | h2oai/h2o-3 | 7.5 | - | 2025-03-20
CVE-2024-12388 | Regular Expression Denial of Service (ReDoS) in binary-husky/gpt_academic | binary-husky/gpt_academic | 7.5 | - | 2025-03-20
CVE-2024-8764 | Improper Authorization in lunary-ai/lunary | lunary-ai/lunary | 7.5 | - | 2025-03-20
CVE-2024-8763 | Regular Expression Denial of Service (ReDoS) in lunary-ai/lunary | lunary-ai/lunary | 7.5 | - | 2025-03-20
CVE-2024-7779 | ReDoS (Regular Expression Denial of Service) in danswer-ai/danswer | danswer-ai/danswer | 7.5 | - | 2025-03-20
CVE-2025-27789 | Inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups | babel | 6.2 | Medium | 2025-03-11
CVE-2025-27220 | Ruby security vulnerability | CGI | 4.0 | Medium | 2025-03-03
CVE-2024-54170 | IBM EntireX denial of service | EntireX | 5.5 | Medium | 2025-02-27
CVE-2025-25290 | @octokit/request has a Regular Expression in fetchWrapper that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking | request.js | 5.3 | Medium | 2025-02-14
CVE-2025-25289 | @octokit/request-error has a Regular Expression in index that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking | request-error.js | 5.3 | Medium | 2025-02-14
CVE-2025-25288 | @octokit/plugin-paginate-rest has a Regular Expression in iterator that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking | plugin-paginate-rest.js | 5.3 | Medium | 2025-02-14
CVE-2025-25285 | @octokit/endpoint has a Regular Expression in parse that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking | endpoint.js | 5.3 | Medium | 2025-02-14
CVE-2025-25283 | parse-duration vulnerable to Regex Denial of Service that results in event loop delay and out of memory | parse-duration | 7.5 | High | 2025-02-12
CVE-2025-25200 | Koa has Inefficient Regular Expression Complexity | koa | 7.5 | - | 2025-02-12
CVE-2025-0367 | Regular Expression Denial of Service (ReDoS) in Splunk Supporting Add-on for Active Directory (SA-ldapsearch) | Splunk Supporting Add-on for Active Directory | 6.5 | Medium | 2025-01-30
CVE-2024-41766 | IBM Engineering Lifecycle Optimization - Publishing denial of service | Engineering Lifecycle Optimization Publishing | 7.5 | High | 2025-01-04
CVE-2024-52798 | Unpatched `path-to-regexp` ReDoS in 0.1.x | path-to-regexp | 5.3 | - | 2024-12-05
CVE-2024-54157 | JetBrains YouTrack security vulnerability | YouTrack | 4.3 | Medium | 2024-12-04
CVE-2024-10270 | Org.keycloak:keycloak-services: keycloak denial of service | - | 6.5 | Medium | 2024-11-25
CVE-2024-21539 | ESLint Rewrite security vulnerability | @eslint/plugin-kit | 7.5 | High | 2024-11-19
CVE-2024-52524 | ReDoS in Giskard Scan text perturbation | giskard | 9.1 | Critical | 2024-11-14
CVE-2024-21538 | cross-spawn security vulnerability | cross-spawn | 7.5 | High | 2024-11-08
CVE-2024-49761 | REXML ReDoS vulnerability | rexml | 7.5 | - | 2024-10-28
CVE-2024-50574 | JetBrains YouTrack security vulnerability | YouTrack | 5.3 | Medium | 2024-10-28

Vulnerabilities classified as CWE-1333 represent 259 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.