redos
Safeguard articles tagged "redos" — guides, analysis, and best practices for software supply chain and application security.
36 articles
http-cache-semantics ReDoS vulnerability (CVE-2022-25881)
CVE-2022-25881 lets attacker-influenced HTTP responses trigger catastrophic regex backtracking in http-cache-semantics, hanging Node.js services. Here's how to detect and fix it.
Python setuptools package_index ReDoS (CVE-2022-40897)
CVE-2022-40897 is a ReDoS flaw in setuptools' package_index.py that can hang CI pipelines when parsing crafted index pages. Here's how to detect and fix it.
urllib3 regular expression denial of service (CVE-2021-33503)
A deep dive into CVE-2021-33503, the urllib3 ReDoS flaw in Python's core HTTP library, its real-world exposure, and how to remediate it.
Algorithmic complexity denial of service explained
Small inputs, big CPU spikes: how algorithmic complexity DoS vulnerabilities like ReDoS and hash flooding crash apps with a single request.
Regular expression injection explained
Regex injection lets attackers rewrite pattern logic or trigger ReDoS. See real CVEs, exploit examples, and how to detect and fix it in your code.
ReDoS: Regular Expression Denial of Service Attacks
ReDoS took down Cloudflare's global network for 27 minutes in 2019 and Stack Overflow in 2016. Here's how one bad regex causes an outage, and how to catch it first.
CVE-2017-16137: ReDoS in debug package
CVE-2017-16137 is a ReDoS flaw in the debug npm package that can hang Node.js apps on crafted input. Here's what's affected and how to fix it.
CVE-2020-28469: ReDoS in glob-parent
CVE-2020-28469 is a ReDoS flaw in glob-parent before 5.1.2 that can hang processes parsing crafted glob strings. Here's the risk, timeline, and fix.
CVE-2021-23343: ReDoS in path-parse
CVE-2021-23343 is a ReDoS vulnerability in path-parse before 1.0.7 that lets crafted path strings stall Node.js apps. Here's how it works and how to fix it.
CVE-2018-1000620: ReDoS in marked markdown parser
A ReDoS flaw in the marked Markdown parser (CVE-2018-1000620) let crafted input stall Node.js services. Here's the impact, fix, and how to catch it in your dependency tree.
CVE-2022-21680: ReDoS in marked via block token regexes
CVE-2022-21680: how a ReDoS in marked's block-tokenizer regexes could let attackers freeze Markdown-rendering services, plus affected versions, fix, and mitigation steps.
CVE-2022-21681: Second ReDoS flaw in marked
CVE-2022-21681 is a ReDoS flaw in marked's inline tokenizer that lets crafted Markdown hang parsing. What's affected, severity, and how to remediate.