
CWE-1333 — Vulnerability Class (259 CVEs)

259 vulnerabilities classified as CWE-1333. AI Chinese analysis included.

CWE-1333 represents a software weakness where regular expressions exhibit inefficient, often exponential, worst-case computational complexity. This vulnerability is typically exploited through Regular Expression Denial of Service (ReDoS) attacks, where malicious actors craft specific input strings that trigger catastrophic backtracking within the regex engine. Such inputs force the processor to evaluate an excessive number of potential matches, consuming significant CPU resources and effectively halting application availability. To mitigate this risk, developers must prioritize regex optimization by avoiding nested quantifiers, minimizing ambiguity in pattern structures, and utilizing possessive quantifiers or atomic groups to prevent backtracking. Additionally, implementing strict input length limits and employing regex complexity analysis tools during the development lifecycle can help identify and eliminate inefficient patterns before deployment, ensuring robust application performance against adversarial inputs.

MITRE CWE Description
The product uses a regular expression with a worst-case computational complexity that is inefficient and possibly exponential.
Common Consequences (1)
Scope: Availability. Impact: DoS: Resource Consumption (CPU)
Attackers can create crafted inputs that intentionally cause the regular expression to use excessive backtracking in a way that causes the CPU consumption to spike.
Mitigations (4)
Architecture and Design: Use regular expressions that do not support backtracking, e.g. by removing nested quantifiers.
Effectiveness: High
System Configuration: Set backtracking limits in the configuration of the regular expression implementation, such as PHP's pcre.backtrack_limit. Also consider limits on execution time for the process.
Effectiveness: Moderate
Implementation: Do not use regular expressions with untrusted input. If regular expressions must be used, avoid using backtracking in the expression.
Effectiveness: High
Implementation: Limit the length of the input that the regular expression will process.
Effectiveness: Moderate
Examples (2)
This example attempts to check if an input string is a "sentence" [REF-1164].
var test_string = "Bad characters: $@#";
var bad_pattern = /^(\w+\s?)*$/i;   // nested quantifier: a run of word characters can be split between iterations in exponentially many ways
var result = test_string.search(bad_pattern);
Bad · JavaScript
var test_string = "Bad characters: $@#";
var good_pattern = /^((?=(\w+))\2\s?)*$/i;   // (?=(\w+))\2 consumes each word run atomically, so backtracking cannot re-split it
var result = test_string.search(good_pattern);
Good · JavaScript
This example attempts to check if an input string is a "sentence" and is modified for Perl [REF-1164].
my $test_string = "Bad characters: \$\@\#";
my $bdrslt = $test_string;
$bdrslt =~ /^(\w+\s?)*$/i;   # nested quantifier: exponential backtracking on non-matching input
Bad · Perl
my $test_string = "Bad characters: \$\@\#";
my $gdrslt = $test_string;
$gdrslt =~ /^((?=(\w+))\2\s?)*$/i;   # lookahead plus backreference emulates an atomic group
Good · Perl
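The following Node.js example is added here to illustrate the mitigations listed above (removing nested quantifiers, emulating atomic groups, limiting input length) against the "sentence" check from the examples; it is not code from MITRE or from any of the listed projects. The pattern names, the LINEAR_PATTERN rewrite, the MAX_SENTENCE_LENGTH value and the helper functions are assumptions made for this example.

```javascript
// Added example for the CWE-1333 mitigations and the "sentence" check above.
// Illustrative code, not MITRE's or any listed project's. Assumptions: Node.js
// (performance.now is global); LINEAR_PATTERN, MAX_SENTENCE_LENGTH and the
// helper names are choices made here, not taken from the page.

// The page's vulnerable pattern. \w+ sits inside a group repeated by *, and the
// \s? between iterations is optional, so a run of n word characters can be split
// across iterations in 2^(n-1) ways. On input that cannot match, the engine
// tries all of them before giving up.
const BAD_PATTERN = /^(\w+\s?)*$/i;

// The page's fixed pattern. (?=(\w+))\2 emulates an atomic group: the lookahead
// captures the whole run, the backreference consumes it, and backtracking can
// never re-split it.
const GOOD_PATTERN = /^((?=(\w+))\2\s?)*$/i;

// Alternative rewrite (assumption, not from the page) accepting the same strings
// with no nested quantifier: a word, any number of (one whitespace + word) pairs,
// then an optional trailing whitespace character. No run of word characters can
// be split between two quantifiers, so matching is linear in the input length.
const LINEAR_PATTERN = /^(\w+(\s\w+)*\s?)?$/i;

// Mitigation "limit the length of the input": bound the work before the regex
// engine sees the string. The limit is an assumed value for this example.
const MAX_SENTENCE_LENGTH = 1000;

// Returns true if `input` is a "sentence" under `pattern`; false for
// non-strings and for inputs over the length limit.
function isSentence(input, pattern = LINEAR_PATTERN) {
  if (typeof input !== 'string' || input.length > MAX_SENTENCE_LENGTH) {
    return false;
  }
  return pattern.test(input);
}

// Constructed worst-case input: n word characters followed by one character
// that can never match, so the engine must exhaust every partition.
function adversarialInput(n) {
  return 'a'.repeat(n) + '!';
}

// Wall-clock milliseconds for one pattern.test() call.
function timeMs(pattern, input) {
  const start = performance.now();
  pattern.test(input);
  return performance.now() - start;
}

// True if all three patterns accept and reject the same inputs.
function patternsAgree(inputs) {
  return inputs.every((s) => {
    const bad = BAD_PATTERN.test(s);
    return bad === GOOD_PATTERN.test(s) && bad === LINEAR_PATTERN.test(s);
  });
}

// Constructed sample inputs covering the edge cases of the "sentence" language:
// empty string, single word, trailing space, leading space, double space, tab.
const SAMPLE_INPUTS = [
  '', 'hello', 'hello world', 'hello world ', ' leading',
  'double  space', 'tab\tseparated', 'Bad characters: $@#',
];

// Timing of BAD_PATTERN versus the safe patterns as the run length grows.
// maxN is kept small because BAD_PATTERN's cost doubles with every character.
function backtrackingGrowth(maxN = 20) {
  const rows = [];
  for (let n = 8; n <= maxN; n += 4) {
    const input = adversarialInput(n);
    rows.push({
      n,
      badMs: timeMs(BAD_PATTERN, input),
      goodMs: timeMs(GOOD_PATTERN, input),
      linearMs: timeMs(LINEAR_PATTERN, input),
    });
  }
  return rows;
}

console.log('patterns agree on samples:', patternsAgree(SAMPLE_INPUTS));
console.table(backtrackingGrowth(20));
// Within the length guard the regex never runs on oversized input at all, and
// the safe patterns stay flat at lengths the bad pattern could never finish.
console.log('guarded:', isSentence(adversarialInput(5000)));                       // false
console.log('safe at 800 chars:', isSentence(adversarialInput(800), GOOD_PATTERN)); // false
```

The `backtrackingGrowth` table is the check a practitioner wants before shipping a pattern: if `badMs` roughly doubles with every added character while `goodMs` and `linearMs` stay flat, the pattern is backtracking exponentially. Keep the length guard even with a linear pattern; it bounds the work of any future pattern change and of the surrounding code.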
CVE ID | Title | CVSS | Severity | Published
CVE-2020-36649 | mholt PapaParse papaparse.js redos — PapaParse | 3.5 | Low | 2023-01-11
CVE-2018-25074 | Prestaul skeemas base.js redos — skeemas | 3.5 | Low | 2023-01-11
CVE-2017-20165 | debug-js debug node.js useColors redos — debug | 3.5 | Low | 2023-01-09
CVE-2021-4306 | cronvel terminal-kit redos — terminal-kit | 3.5 | Low | 2023-01-07
CVE-2017-20162 | vercel ms index.js parse redos — ms | 4.3 | Medium | 2023-01-05
CVE-2021-4305 | Woorank robots-txt-guard patterns.js makePathPattern redos — robots-txt-guard | 3.5 | Low | 2023-01-05
CVE-2022-23548 | Discourse cross-site scripting vulnerability — discourse | 6.5 | Medium | 2023-01-05
CVE-2023-22467 | luxon.js inefficient regular expression complexity vulnerability — luxon | 7.5 | High | 2023-01-04
CVE-2021-4299 | cronvel string-kit naturalSort.js naturalSort redos — string-kit | 4.3 | Medium | 2023-01-02
CVE-2018-25061 | rgb2hex redos — rgb2hex | 4.3 | Medium | 2022-12-31
CVE-2018-25049 | email-existence index.js redos — email-existence | 3.0 | Low | 2022-12-27
CVE-2015-10005 | markdown-it html_re.js redos — markdown-it | 3.5 | Low | 2022-12-27
CVE-2022-23517 | Inefficient Regular Expression Complexity in rails-html-sanitizer — rails-html-sanitizer | 7.5 | High | 2022-12-14
CVE-2022-23514 | Inefficient Regular Expression Complexity in Loofah — loofah | 7.5 | High | 2022-12-14
CVE-2022-42964 | Exponential ReDoS in pymatgen leads to denial of service — pymatgen | 5.9 | Medium | 2022-11-09
CVE-2022-42965 | Exponential ReDoS in snowflake-connector-python leads to denial of service — snowflake-connector-python | 3.7 | Low | 2022-11-09
CVE-2022-42966 | Exponential ReDoS in cleo leads to denial of service — cleo | 5.9 | Medium | 2022-11-09
CVE-2022-34402 | Dell Wyse ThinOS security vulnerability — Wyse Proprietary OS (Modern ThinOS) | 6.8 | Medium | 2022-10-10
CVE-2022-34428 | Dell Hybrid Client security vulnerability — Dell Hybrid Client (DHC) | 5.0 | Medium | 2022-09-30
CVE-2022-36064 | Shescape Inefficient Regular Expression Complexity vulnerability — shescape | 5.9 | Medium | 2022-09-06
CVE-2022-29158 | Regular Expression Denial of Service (ReDoS) vulnerability in Apache OFBiz — Apache OFBiz | 7.5 | - | 2022-09-02
CVE-2021-43309 | ReDoS in uri-template-lite URI.expand function — uri-template-lite | 5.9 | Medium | 2022-08-24
CVE-2022-1930 | ReDoS in eth-account encode_structured_data function — eth-account | 5.9 | Medium | 2022-08-22
CVE-2022-2596 | Inefficient Regular Expression Complexity in node-fetch/node-fetch — node-fetch/node-fetch | 5.9 | Medium | 2022-08-01
CVE-2022-31147 | jquery-validation ReDoS in url2 due to incomplete fix of CVE-2021-43306 — jquery-validation | 7.5 | High | 2022-07-14
CVE-2022-31781 | Regular Expression Denial of Service (ReDoS) in ContentType.java. (GHSL-2022-022) — Apache Tapestry | 7.5 | - | 2022-07-13
CVE-2022-1929 | Exponential ReDoS in devcert — devcert | 5.9 | Medium | 2022-06-01
CVE-2021-43308 | Exponential ReDoS in markdown-link-extractor — markdown-link-extractor | 5.9 | Medium | 2022-06-01
CVE-2021-43307 | Exponential ReDoS in semver-regex — semver-regex | 5.9 | Medium | 2022-06-01
CVE-2021-43306 | Exponential ReDoS in jquery-validation — jquery-validation | 5.9 | Medium | 2022-06-01

Vulnerabilities classified as CWE-1333 represent 259 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.