minimatch: minimatch: Denial of Service via specially crafted glob patterns

A flaw was found in minimatch. A remote attacker could exploit this Regular Expression Denial of Service ReDoS vulnerability by providing a specially crafted glob pattern. This pattern, containing numerous consecutive wildcard characters, causes excessive processing and exponential backtracking i...

minimatch: Minimatch: Denial of Service via catastrophic backtracking in glob expressions

A flaw was found in minimatch. A remote attacker could exploit this vulnerability by providing a specially crafted glob expression with nested unbounded quantifiers. This could lead to catastrophic backtracking in the V8 JavaScript engine, causing the application to become unresponsive and...

HAPI FHIR: ReDoS via FHIRPath matches()/replaceMatches() in FHIR Validator HTTP Endpoint

All implementations of FHIRPathEngine accept arbitrary FHIRPath expressions and evaluate them without input validation. The FHIRPath functions matches, matchesFull, and replaceMatches pass user-controlled regular expressions directly to Java's Pattern.compile and String.replaceAll without...

PT-2026-41778

Summary All implementations of FHIRPathEngine accept arbitrary FHIRPath expressions and evaluate them without input validation. The FHIRPath functions matches, matchesFull, and replaceMatches pass user-controlled regular expressions directly to Java's Pattern.compile and String.replaceAll without...

HAPI FHIR: ReDoS via FHIRPath matches()/replaceMatches() in FHIR Validator HTTP Endpoint

All implementations of FHIRPathEngine accept arbitrary FHIRPath expressions and evaluate them without input validation. The FHIRPath functions matches, matchesFull, and replaceMatches pass user-controlled regular expressions directly to Java's Pattern.compile and String.replaceAll without...

Regular Expression Denial of Service (ReDoS)

Overview parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Regular Expression Denial of Service ReDoS via the clientSDK parameter in the request-header parser. An attacker can exhaust...

feedparser-redos-poc

feedparser ReDoS — syncauthordetail Proof of Concept f...

CVE-2026-8159

[email protected] and lower versions are vulnerable to denial of service via regular expression backtracking in the Content-Disposition filename parameter parser. A crafted multipart upload with a long header value can cause regex matching to take seconds, blocking the event loop. Impact: any...

DEBIAN-CVE-2026-8159

[email protected] and lower versions are vulnerable to denial of service via regular expression backtracking in the Content-Disposition filename parameter parser. A crafted multipart upload with a long header value can cause regex matching to take seconds, blocking the event loop. Impact: any...

CVE-2026-8159 multiparty vulnerable to ReDoS via filename parsing

[email protected] and lower versions are vulnerable to denial of service via regular expression backtracking in the Content-Disposition filename parameter parser. A crafted multipart upload with a long header value can cause regex matching to take seconds, blocking the event loop. Impact: any...

CVE-2026-8159

[email protected] and lower versions are vulnerable to denial of service via regular expression backtracking in the Content-Disposition filename parameter parser. A crafted multipart upload with a long header value can cause regex matching to take seconds, blocking the event loop. Impact: any...

CVE-2026-8159

[email protected] and lower versions are vulnerable to denial of service via regular expression backtracking in the Content-Disposition filename parameter parser. A crafted multipart upload with a long header value can cause regex matching to take seconds, blocking the event loop. Impact: any...

CVE-2026-8159

CVE-2026-8159 affects multiparty versions 4.2.3 and older, where the Content-Disposition filename parameter parser is vulnerable to denial-of-service via regex backtracking. A crafted multipart upload with a long header value can cause the regex engine to backtrack for seconds, blocking the event...

PT-2026-39996

Name of the Vulnerable Software and Affected Versions multiparty versions prior to 4.3.0 Description A denial of service issue exists due to regular expression backtracking in the Content-Disposition filename parameter parser. A crafted multipart upload containing a long header value can cause...

multiparty 安全漏洞

multiparty is a Node.js module developed by pillarjs for parsing HTTP multipart/form-data requests. Versions of multiparty 4.2.3 and earlier contained security vulnerabilities. These vulnerabilities stemmed from regular expression backtracking in the Content-Disposition filename parameter parser,...

Security Bulletin: IBM Watson Discovery Cartridge affected by vulnerabilities in minimatch-3.1.2.tgz

Summary IBM Watson Discovery Cartridge affected by vulnerabilities in minimatch-3.1.2.tgz Vulnerability Details CVEID:CVE-2026-26996 DESCRIPTION: minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions 10.2.0 and below are vulnerable to...

Security Bulletin: IBM Watson Discovery Cartridge affected by vulnerability in addressable-2.5.2.gem

Summary IBM Watson Discovery Cartridge affected by vulnerability in addressable-2.5.2.gem Vulnerability Details CVEID:CVE-2026-35611 DESCRIPTION: Addressable is an alternative implementation to the URI implementation that is part of Ruby's standard library. From 2.3.0 to before 2.9.0, within the...

Allocation of Resources Without Limits or Throttling

Overview youtube-regex is a The correct Youtube video id regex! Regex done right! Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the regex param. An attacker can cause excessive resource consumption by supplying crafted input that...

Nokogiri CSS selector tokenizer has regular expression backtracking

Summary Nokogiri's CSS selector tokenizer contains regular expressions whose construction may result in exponential regex backtracking on adversarial selectors. Three ReDoS vectors are addressed in this release: 1. String-literal tokenization on certain unterminated quoted-string input. 2...

GHSA-C4RQ-3M3G-8WGX Nokogiri CSS selector tokenizer has regular expression backtracking

Summary Nokogiri's CSS selector tokenizer contains regular expressions whose construction may result in exponential regex backtracking on adversarial selectors. Three ReDoS vectors are addressed in this release: 1. String-literal tokenization on certain unterminated quoted-string input. 2...