ROS-20260410-73-0011

Vulnerability in libssh related to the use of regular expression with inefficient computational complexity. Exploitation of the vulnerability could allow an attacker acting remotely to cause a denial of service...

Regular Expression Denial of Service (ReDoS)

Overview fast-jwt is a Fast JSON Web Token implementation Affected versions of this package are vulnerable to Regular Expression Denial of Service ReDoS via the allowedAud, allowedIss, allowedSub, allowedJti, or allowedNonce options when used with RegExp objects and RegExp is configured with nest...

fast-jwt has a ReDoS when using RegExp in allowed* leading to CPU exhaustion during token verification

⚠️ IMPORTANT CLARIFICATIONS Affected Configurations This vulnerability ONLY affects applications that: - Use RegExp objects not strings in the allowedAud, allowedIss, allowedSub, allowedJti, or allowedNonce options - Configure patterns susceptible to catastrophic backtracking - Example: allowedAud...

GHSA-3J8V-CGW4-2G6Q fast-jwt: Stateful RegExp (/g or /y) causes non-deterministic allowed-claim validation (logical DoS)

Impact Using certain modifiers on RegExp objects in the allowedAud, allowedIss, allowedSub, allowedJti, or allowedNonce options in verify functions can cause certain unintended behaviours. This is because some modifiers are stateful and will cause failures in every second verification attempt...

fast-jwt: Stateful RegExp (/g or /y) causes non-deterministic allowed-claim validation (logical DoS)

Impact Using certain modifiers on RegExp objects in the allowedAud, allowedIss, allowedSub, allowedJti, or allowedNonce options in verify functions can cause certain unintended behaviours. This is because some modifiers are stateful and will cause failures in every second verification attempt...

CVE-2026-35040

fast-jwt provides fast JSON Web Token JWT implementation. Prior to 6.2.1, using certain modifiers on RegExp objects in the allowedAud, allowedIss, allowedSub, allowedJti, or allowedNonce options in verify functions can cause certain unintended behaviours. This is because some modifiers are statef...

CVE-2026-35041

fast-jwt provides fast JSON Web Token JWT implementation. From 5.0.0 to 6.2.0, a denial-of-service condition exists in fast-jwt when the allowedAud verification option is configured using a regular expression. Because the aud claim is attacker-controlled and the library evaluates it against the...

CVE-2026-35041

The CVE affects fast-jwt versions 5.0.0 through 6.2.0 where allowedAud verification uses a RegExp. The attacker-controlled aud claim, when matched against the provided RegExp, can trigger catastrophic backtracking in the JavaScript engine, causing CPU exhaustion during token verification. This vu...

CVE-2026-35041

fast-jwt provides fast JSON Web Token JWT implementation. From 5.0.0 to 6.2.0, a denial-of-service condition exists in fast-jwt when the allowedAud verification option is configured using a regular expression. Because the aud claim is attacker-controlled and the library evaluates it against the...

CVE-2026-35041 ReDoS in fast-jwt when using RegExp in allowed* leading to CPU exhaustion during token verification

fast-jwt provides fast JSON Web Token JWT implementation. From 5.0.0 to 6.2.0, a denial-of-service condition exists in fast-jwt when the allowedAud verification option is configured using a regular expression. Because the aud claim is attacker-controlled and the library evaluates it against the...

CVE-2026-35040 fast-jwt: Stateful RegExp (/g or /y) causes non-deterministic allowed-claim validation (logical DoS)

fast-jwt provides fast JSON Web Token JWT implementation. Prior to 6.2.1, using certain modifiers on RegExp objects in the allowedAud, allowedIss, allowedSub, allowedJti, or allowedNonce options in verify functions can cause certain unintended behaviours. This is because some modifiers are statef...

SUSE-SU-2026:1232-1 Security update for cockpit

This update for cockpit fixes the following issues: - CVE-2026-25547: brace-expansion: unbounded brace range expansion can lead to excessive CPU and memory consumption and may crash a Node.js process bsc1257836. - CVE-2026-26996: minimatch: ReDoS when glob pattern contains many consecutive...

Regular Expression Denial Of Service (ReDoS)

minimatch is vulnerable to Regular Expression Denial of Service ReDoS. The vulnerability is due to inefficient handling of multiple consecutive wildcards in glob patterns, leading to exponential backtracking in regex evaluation, which allows an attacker to cause significant performance degradatio...

Regular Expression Denial Of Service (ReDoS)

minimatch is vulnerable to Regular Expression Denial of Service ReDoS. The vulnerability is due to nested extglob patterns generating regex with unbounded quantifiers, which allows an attacker to trigger catastrophic backtracking via crafted patterns and inputs, leading to significant performance...

PT-2026-31621

fast-jwt provides fast JSON Web Token JWT implementation. Prior to 6.2.1, using certain modifiers on RegExp objects in the allowedAud, allowedIss, allowedSub, allowedJti, or allowedNonce options in verify functions can cause certain unintended behaviours. This is because some modifiers are statef...

PT-2026-31622

fast-jwt provides fast JSON Web Token JWT implementation. From 5.0.0 to 6.2.0, a denial-of-service condition exists in fast-jwt when the allowedAud verification option is configured using a regular expression. Because the aud claim is attacker-controlled and the library evaluates it against the...

minimatch: minimatch: Denial of Service via specially crafted glob patterns

A flaw was found in minimatch. A remote attacker could exploit this Regular Expression Denial of Service ReDoS vulnerability by providing a specially crafted glob pattern. This pattern, containing numerous consecutive wildcard characters, causes excessive processing and exponential backtracking i...

Regular Expression Denial Of Service (ReDoS)

minimatch is vulnerable to Regular Expression Denial of Service ReDoS. The vulnerability is due to unbounded recursive processing in matchOne when handling multiple non-adjacent GLOBSTAR patterns, which allows an attacker to supply crafted glob inputs that significantly delay execution and block...

minimatch: minimatch: Denial of Service via specially crafted glob patterns

A flaw was found in minimatch. A remote attacker could exploit this Regular Expression Denial of Service ReDoS vulnerability by providing a specially crafted glob pattern. This pattern, containing numerous consecutive wildcard characters, causes excessive processing and exponential backtracking i...

Emissary has a Command Injection via PLACE_NAME Configuration in Executrix

Summary The Executrix utility class constructed shell commands by concatenating configuration-derived values — including the PLACENAME parameter — with insufficient sanitization. Only spaces were replaced with underscores, allowing shell metacharacters ;, |, $, , , , etc. to pass through into...