
CWE-1333 — Vulnerability Class (269 CVEs)

269 vulnerabilities classified as CWE-1333. AI Chinese analysis included.

CWE-1333 represents a software weakness where regular expressions exhibit inefficient, often exponential, worst-case computational complexity. This weakness is typically exploited through Regular Expression Denial of Service (ReDoS) attacks, where malicious actors craft specific input strings that trigger catastrophic backtracking within the regex engine. Such inputs force the engine to evaluate an excessive number of candidate matches, consuming significant CPU resources and effectively denying service to legitimate users. To mitigate this risk, developers must prioritize regex optimization by avoiding nested quantifiers, minimizing ambiguity in pattern structure, and using possessive quantifiers or atomic groups to prevent backtracking. Additionally, enforcing strict input length limits and running regex complexity analysis tools during the development lifecycle can help identify and eliminate inefficient patterns before deployment, keeping application performance robust against adversarial inputs.

MITRE CWE Description

The product uses a regular expression with a worst-case computational complexity that is inefficient and possibly exponential.

Common Consequences (1)

Availability / DoS: Resource Consumption (CPU)
Attackers can create crafted inputs that intentionally cause the regular expression to use excessive backtracking in a way that causes the CPU consumption to spike.

Mitigations (4)

Architecture and Design: Use regular expressions that do not support backtracking, e.g. by removing nested quantifiers. (Effectiveness: High)

System Configuration: Set backtracking limits in the configuration of the regular expression implementation, such as PHP's pcre.backtrack_limit. Also consider limits on execution time for the process. (Effectiveness: Moderate)

Implementation: Do not use regular expressions with untrusted input. If regular expressions must be used, avoid using backtracking in the expression. (Effectiveness: High)

Implementation: Limit the length of the input that the regular expression will process. (Effectiveness: Moderate)
Examples (2)

This example attempts to check if an input string is a "sentence" [REF-1164].

Bad (JavaScript):
    var test_string = "Bad characters: $@#";
    // Nested quantifier: (\w+\s?)* lets the engine re-split the same run of word
    // characters in exponentially many ways when the overall match fails.
    var bad_pattern = /^(\w+\s?)*$/i;
    var result = test_string.search(bad_pattern);

Good (JavaScript):
    var test_string = "Bad characters: $@#";
    // The lookahead captures the whole word run and \2 consumes exactly that run,
    // so the engine cannot backtrack into it (emulates an atomic group).
    var good_pattern = /^((?=(\w+))\2\s?)*$/i;
    var result = test_string.search(good_pattern);

This example attempts to check if an input string is a "sentence" and is modified for Perl [REF-1164].

Bad (Perl):
    my $test_string = "Bad characters: \$\@\#";
    my $bdrslt = $test_string;
    # Nested quantifier (\w+\s?)* backtracks exponentially on non-matching input.
    $bdrslt =~ /^(\w+\s?)*$/i;

Good (Perl):
    my $test_string = "Bad characters: \$\@\#";
    my $gdrslt = $test_string;
    # Lookahead plus backreference pins each word run, preventing re-splitting.
    $gdrslt =~ /^((?=(\w+))\2\s?)*$/i;
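The JavaScript and Perl examples above only show the two patterns. The following added example (not code from the CWE entry or from REF-1164) runs the page's bad and good sentence patterns on a constructed worst-case input so their cost can be compared, and applies the input-length mitigation in front of the check. MAX_LEN and the shape of the worst-case input are assumptions.

```javascript
// Added example: compares the CWE-1333 bad/good "sentence" patterns and
// applies the "limit the length of the input" mitigation. MAX_LEN and the
// constructed worst-case input are assumptions, not values from the page.
const BAD_PATTERN = /^(\w+\s?)*$/i;          // nested quantifier: the run of \w can be re-split
const GOOD_PATTERN = /^((?=(\w+))\2\s?)*$/i; // lookahead + \2 pins each word run (no re-splitting)
const MAX_LEN = 256;                          // assumed limit; choose one the application can justify

// Defender-side check: reject oversized input before any regex runs,
// then match with the pattern that does not backtrack into word runs.
function isSentence(input, maxLen = MAX_LEN) {
  if (typeof input !== "string" || input.length > maxLen) return false;
  return GOOD_PATTERN.test(input);
}

// Constructed worst-case input: n word characters followed by a character that
// can never match, so a backtracking engine tries every way to split the run.
function worstCaseInput(n) {
  return "a".repeat(n) + "!";
}

// Times a single match and returns the verdict together with elapsed milliseconds.
function timeMatch(pattern, input) {
  const start = process.hrtime.bigint();
  const matched = pattern.test(input);
  const ms = Number(process.hrtime.bigint() - start) / 1e6;
  return { matched, ms };
}

// Runs both patterns on the same input; both must give the same verdict (false),
// only the time should differ, and it grows exponentially for BAD_PATTERN.
function compare(n) {
  const input = worstCaseInput(n);
  return { n, bad: timeMatch(BAD_PATTERN, input), good: timeMatch(GOOD_PATTERN, input) };
}

// Small n values keep the demo quick; increasing n shows the bad pattern's blow-up.
for (const n of [10, 15, 20]) {
  const r = compare(n);
  console.log(`n=${n}: bad ${r.bad.ms.toFixed(2)} ms, good ${r.good.ms.toFixed(2)} ms`);
}
```

Raise n only gradually: each extra word character roughly doubles the time the bad pattern spends before it reports no match.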
| CVE ID | Title | Product | CVSS | Severity | Published |
| --- | --- | --- | --- | --- | --- |
| CVE-2026-47138 | Parse Server: Pre-authentication denial of service via client version header regex backtracking | parse-server | - | - | 2026-06-12 |
| CVE-2026-42567 | Svelte: ReDoS in `<svelte:element>` Tag Validation | svelte | - | - | 2026-06-09 |
| CVE-2026-41848 | Spring Framework Denial of Service via AntPathMatcher | Spring Framework | 3.7 | Low | 2026-06-09 |
| CVE-2026-11478 | kokke tiny-regex-c Pattern re.c matchstar redos | tiny-regex-c | 3.3 | Low | 2026-06-08 |
| CVE-2026-45409 | Internationalized Domain Names in Applications (IDNA): Specially crafted inputs to idna.encode() can bypass CVE-2024-3651 fix | idna | - | - | 2026-06-05 |
| CVE-2026-10692 | johnhuang316 code-index-mcp search_code_advanced is_safe_regex_pattern redos | code-index-mcp | 4.3 | Medium | 2026-06-02 |
| CVE-2026-10691 | wonderwhy-er DesktopCommanderMCP start_search search-manager.ts redos | DesktopCommanderMCP | 4.3 | Medium | 2026-06-02 |
| CVE-2026-10291 | Enderfga claw-orchestrator Session Grep Endpoint embedded-server.ts validateRegex redos | claw-orchestrator | 4.3 | Medium | 2026-06-01 |
| CVE-2026-9496 | pacote security vulnerability | pacote | 7.5 | High | 2026-05-26 |
| CVE-2026-8159 | multiparty vulnerable to ReDoS via filename parsing | multiparty | 7.5 | High | 2026-05-12 |
| CVE-2026-33079 | Mistune ReDoS in LINK_TITLE_RE allows denial of service with crafted Markdown titles | mistune | 7.5 (AI) | High (AI) | 2026-05-06 |
| CVE-2026-41040 | GROWI security vulnerability | GROWI | 7.5 (AI) | High (AI) | 2026-04-23 |
| CVE-2026-40319 | Giskard has a Regular Expression Denial of Service (ReDoS) in RegexMatching Check | giskard-oss | 7.5 (AI) | High (AI) | 2026-04-17 |
| CVE-2026-5986 | Zod jsVideoUrlParser util.js getTime redos | jsVideoUrlParser | 5.3 | Medium | 2026-04-09 |
| CVE-2026-35041 | ReDoS in fast-jwt when using RegExp in allowed* leading to CPU exhaustion during token verification | fast-jwt | 4.2 | Medium | 2026-04-09 |
| CVE-2026-35611 | Addressable has a Regular Expression Denial of Service in Addressable templates | addressable | 7.5 | High | 2026-04-07 |
| CVE-2026-35458 | Gotenberg has a ReDoS via extraHttpHeaders scope feature | gotenberg | 6.5 (AI) | Medium (AI) | 2026-04-07 |
| CVE-2026-35213 | Regular Expression Denial of Service (ReDoS) in @hapi/content HTTP header parsing | content | 7.5 (AI) | High (AI) | 2026-04-06 |
| CVE-2026-34939 | PraisonAI: ReDoS via Unvalidated User-Controlled Regex in MCPToolIndex.search_tools() | PraisonAI | 6.5 | Medium | 2026-04-03 |
| CVE-2026-33671 | Picomatch has a ReDoS vulnerability via extglob quantifiers | picomatch | 7.5 | High | 2026-03-26 |
| CVE-2026-0967 | Libssh: libssh: denial of service via inefficient regular expression processing | Red Hat Enterprise Linux 10 | 7.5 | - | 2026-03-26 |
| CVE-2026-4923 | path-to-regexp vulnerable to Regular Expression Denial of Service via multiple wildcards | path-to-regexp | 5.9 | Medium | 2026-03-26 |
| CVE-2026-4867 | path-to-regexp vulnerable to Regular Expression Denial of Service via multiple route parameters | path-to-regexp | 7.5 | High | 2026-03-26 |
| CVE-2026-4539 | pygments archetype.py AdlLexer redos | pygments | 3.3 | Low | 2026-03-22 |
| CVE-2026-22178 | OpenClaw < 2026.2.19 - ReDoS and Regex Injection via Unescaped Feishu Mention Metadata | OpenClaw | 6.5 | Medium | 2026-03-18 |
| CVE-2026-28356 | ReDoS in multipart 1.3.0 - `parse_options_header()` | multipart | 7.5 | High | 2026-03-12 |
| CVE-2026-30837 | Elysia has a string URL format redos | elysia | 7.5 | High | 2026-03-10 |
| CVE-2026-30925 | Parse Server affected by Regular Expression Denial of Service (ReDoS) via `$regex` query in LiveQuery | parse-server | 7.5 (AI) | High (AI) | 2026-03-09 |
| CVE-2025-10990 | Rexml: rexml: denial of service via inefficient regex parsing | - | 7.5 | High | 2026-02-27 |
| CVE-2026-3293 | snowflakedb snowflake-jdbc JDBC URL SdkProxyRoutePlanner.java SdkProxyRoutePlanner redos | snowflake-jdbc | 3.3 | Low | 2026-02-27 |

Scores and severities marked "(AI)" are AI-estimated rather than vendor-assigned; "-" means the value was not available.

Vulnerabilities classified as CWE-1333 represent 269 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.