
CWE-1333 vulnerability list (270 entries)

Summary of the 270 CVEs mapped to weakness class CWE-1333, each with an AI-generated Chinese analysis.

CWE-1333 covers regular expressions whose worst-case matching cost is inefficient, typically exponential in the input length. An attacker crafts input that drives the regex engine into catastrophic backtracking, so one request can burn seconds or minutes of CPU and the effect is denial of service. The engine does not loop forever; it eventually returns, but only after an infeasible number of backtracking steps. Developers should avoid nested quantifiers and overlapping sub-patterns, use atomic groups or possessive quantifiers where the engine supports them (or emulate them with a lookahead plus backreference, as in the examples below), never apply such expressions to untrusted input without bounding its length, and set backtracking or execution-time limits where the engine offers them. Lazy (non-greedy) quantifiers only change which match is found first; on a failing input they do not remove the exponential search.

MITRE CWE official description
CWE-1333: Inefficient Regular Expression Complexity. The product uses a regular expression whose worst-case computational complexity is inefficient and may be exponential.
Common Consequences (1)
Availability: DoS: Resource Consumption (CPU)
Attackers can create crafted inputs that intentionally cause the regular expression to use excessive backtracking in a way that causes the CPU consumption to spike.
Potential Mitigations (4)
Architecture and Design: Use regular expressions that do not support backtracking, e.g. by removing nested quantifiers. Effectiveness: High
System Configuration: Set backtracking limits in the configuration of the regular expression implementation, such as PHP's pcre.backtrack_limit. Also consider limits on execution time for the process. Effectiveness: Moderate
Implementation: Do not use regular expressions with untrusted input. If regular expressions must be used, avoid using backtracking in the expression. Effectiveness: High
Implementation: Limit the length of the input that the regular expression will process. Effectiveness: Moderate
Demonstrative Examples (2)
This example attempts to check if an input string is a "sentence" [REF-1164].
var test_string = "Bad characters: $@#";
var bad_pattern = /^(\w+\s?)*$/i;   // nested quantifier (\w+)*: a long word run with a non-matching tail triggers exponential backtracking
var result = test_string.search(bad_pattern);
Bad · JavaScript
var test_string = "Bad characters: $@#";
var good_pattern = /^((?=(\w+))\2\s?)*$/i;   // lookahead captures the word run once; \2 consumes it, so the engine cannot re-split it
var result = test_string.search(good_pattern);
Good · JavaScript
This example attempts to check if an input string is a "sentence" and is modified for Perl [REF-1164].
my $test_string = "Bad characters: \$\@\#";
my $bdrslt = $test_string;
$bdrslt =~ /^(\w+\s?)*$/i;   # nested quantifier (\w+)*: exponential backtracking on a failing input
Bad · Perl
my $test_string = "Bad characters: \$\@\#";
my $gdrslt = $test_string;
$gdrslt =~ /^((?=(\w+))\2\s?)*$/i;   # lookahead plus backreference emulates an atomic group
Good · Perl
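The following is an added example, not MITRE's demonstrative code and not from any project in the list below. It places the vulnerable pattern next to its hardened form, wraps the hardened form in the input-length cap from the mitigation list, checks that the two patterns accept and reject the same strings (the rewrite only removes redundant ways of reaching the same position), and times both on a constructed adversarial input so the exponential growth is visible. The function names and the 256-character bound are assumptions for illustration.

```javascript
// Added example (not from MITRE or any listed vendor). Names and the
// MAX_SENTENCE_LEN value below are hypothetical.

// Nested quantifier: (\w+)* lets the engine split a run of n word characters
// in 2^(n-1) ways, all of which are tried before a trailing non-matching
// character makes the whole match fail.
const BAD_PATTERN = /^(\w+\s?)*$/i;

// Lookahead plus backreference emulates an atomic group: \w+ is captured once
// inside (?=...), which never backtracks, and \2 then consumes exactly that run.
const GOOD_PATTERN = /^((?=(\w+))\2\s?)*$/i;

// Mitigation "limit the length of the input": an assumed bound for a "sentence".
const MAX_SENTENCE_LEN = 256;

// Constructed adversarial input: a word-character run followed by a character
// that is neither \w nor \s, so no split of the run can ever succeed.
function evilInput(n) {
  return 'a'.repeat(n) + '!';
}

// Time one match in microseconds; returns both the verdict and the cost.
function timeMatch(pattern, input) {
  const start = process.hrtime.bigint();
  const matched = pattern.test(input);
  const micros = Number((process.hrtime.bigint() - start) / 1000n);
  return { matched, micros };
}

// Hardened check: type guard, length cap, then the backtracking-free pattern.
function isSentence(input) {
  if (typeof input !== 'string') return false;
  if (input.length > MAX_SENTENCE_LEN) return false;
  return GOOD_PATTERN.test(input);
}

// Both patterns must give the same verdict on every input: \w+ is always
// followed by a non-\w character, so giving characters back never helps.
function patternsAgree(inputs) {
  return inputs.every(s => BAD_PATTERN.test(s) === GOOD_PATTERN.test(s));
}

// Cost of each pattern on evilInput(n) for several n. badMicros roughly
// doubles per extra character while goodMicros stays flat. Keep n modest:
// the bad pattern at n = 30 takes many seconds on a typical machine.
function compareGrowth(sizes) {
  return sizes.map(n => {
    const input = evilInput(n);
    return {
      n,
      badMicros: timeMatch(BAD_PATTERN, input).micros,
      goodMicros: timeMatch(GOOD_PATTERN, input).micros,
    };
  });
}

if (typeof require !== 'undefined' && require.main === module) {
  console.table(compareGrowth([14, 16, 18, 20]));
  console.log(isSentence('The quick brown fox'));             // true
  console.log(isSentence('Bad characters: $@#'));             // false
  console.log(isSentence('a'.repeat(MAX_SENTENCE_LEN + 1)));  // false: length cap
}
```

Run it with node and watch the badMicros column: each extra character roughly doubles the cost, which is the signature a fuzzer or a regex-linter is looking for. The length cap is the cheap second line of defence because it bounds the exponent even if a future edit reintroduces a nested quantifier. Where an engine offers a backtracking limit instead (PHP's pcre.backtrack_limit), remember that hitting the limit makes the match call fail rather than reject the input, so the caller must treat that error as a rejection.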
| CVE ID | Title (affected product) | CVSS | Risk | Published |
|---|---|---|---|---|
| CVE-2026-45617 | LiquidJS strip_html filter ReDoS vulnerability (liquidjs) | 7.5 | High | 2026-06-17 |
| CVE-2026-47138 | Parse Platform Parse Server resource management error vulnerability (parse-server) | - | - | 2026-06-12 |
| CVE-2026-42567 | Svelte security vulnerability (svelte) | - | - | 2026-06-09 |
| CVE-2026-41848 | VMware Spring Framework security vulnerability (Spring Framework) | 3.7 | Low | 2026-06-09 |
| CVE-2026-11478 | tiny-regex-c resource management error vulnerability (tiny-regex-c) | 3.3 | Low | 2026-06-08 |
| CVE-2026-45409 | Internationalized Domain Names in Applications security vulnerability (idna) | - | - | 2026-06-05 |
| CVE-2026-10692 | Code Index MCP security vulnerability (code-index-mcp) | 4.3 | Medium | 2026-06-02 |
| CVE-2026-10691 | Desktop Commander MCP security vulnerability (DesktopCommanderMCP) | 4.3 | Medium | 2026-06-02 |
| CVE-2026-10291 | Claw Orchestrator security vulnerability (claw-orchestrator) | 4.3 | Medium | 2026-06-01 |
| CVE-2026-9496 | pacote security vulnerability (pacote) | 7.5 | High | 2026-05-26 |
| CVE-2026-8159 | multiparty security vulnerability (multiparty) | 7.5 | High | 2026-05-12 |
| CVE-2026-33079 | mistune security vulnerability (mistune) | 7.5 (AI) | High (AI) | 2026-05-06 |
| CVE-2026-41040 | GROWI security vulnerability (GROWI) | 7.5 (AI) | High (AI) | 2026-04-23 |
| CVE-2026-40319 | Giskard security vulnerability (giskard-oss) | 7.5 (AI) | High (AI) | 2026-04-17 |
| CVE-2026-5986 | js-video-url-parser security vulnerability (jsVideoUrlParser) | 5.3 | Medium | 2026-04-09 |
| CVE-2026-35041 | fast-jwt security vulnerability (fast-jwt) | 4.2 | Medium | 2026-04-09 |
| CVE-2026-35611 | Addressable security vulnerability (addressable) | 7.5 | High | 2026-04-07 |
| CVE-2026-35458 | Gotenberg security vulnerability (gotenberg) | 6.5 (AI) | Medium (AI) | 2026-04-07 |
| CVE-2026-35213 | @hapi/content security vulnerability (content) | 7.5 (AI) | High (AI) | 2026-04-06 |
| CVE-2026-34939 | PraisonAI security vulnerability (PraisonAI) | 6.5 | Medium | 2026-04-03 |
| CVE-2026-33671 | Picomatch security vulnerability (picomatch) | 7.5 | High | 2026-03-26 |
| CVE-2026-0967 | libssh security vulnerability (Red Hat Enterprise Linux 10) | 7.5 | - | 2026-03-26 |
| CVE-2026-4923 | Path-to-RegExp security vulnerability (path-to-regexp) | 5.9 | Medium | 2026-03-26 |
| CVE-2026-4867 | Path-to-RegExp security vulnerability (path-to-regexp) | 7.5 | High | 2026-03-26 |
| CVE-2026-4539 | Matthäus G. Chajdas pygments security vulnerability (pygments) | 3.3 | Low | 2026-03-22 |
| CVE-2026-22178 | OpenClaw security vulnerability (OpenClaw) | 6.5 | Medium | 2026-03-18 |
| CVE-2026-28356 | python-multipart security vulnerability (multipart) | 7.5 | High | 2026-03-12 |
| CVE-2026-30837 | elysia security vulnerability (elysia) | 7.5 | High | 2026-03-10 |
| CVE-2026-30925 | Parse Server security vulnerability (parse-server) | 7.5 (AI) | High (AI) | 2026-03-09 |
| CVE-2025-10990 | Red Hat Satellite security vulnerability | 7.5 | High | 2026-02-27 |

"(AI)" marks a CVSS score and risk rating estimated by the platform's AI rather than taken from the published advisory; "-" means no value was listed.

CWE-1333 is a common weakness class; this platform indexes 270 CVEs associated with it.