CWE-624
Executable Regular Expression Error
The product uses a regular expression that either (1) contains an executable component with user-controlled inputs, or (2) allows a user to enable execution by inserting pattern modifiers.
CVE-2024-41655 (GCVE-0-2024-41655)
Vulnerability from cvelistv5
Published
2024-07-23 14:49
Modified
2024-08-02 04:46
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
TF2 Item Format helps users format TF2 items to the community standards. Versions of `tf2-item-format` since at least `4.2.6` and prior to `5.9.14` are vulnerable to a Regular Expression Denial of Service (ReDoS) attack when parsing crafted user input. This vulnerability can be exploited by an attacker to perform DoS attacks on any service that uses any `tf2-item-format` to parse user input. Version `5.9.14` contains a fix for the issue.
References
| URL | Tags | |
|---|---|---|
|
|
||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| danocmx | node-tf2-item-format |
Version: >= 4.2.6, < 5.9.14 |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:danocmx:node-tf2-item-format:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "node-tf2-item-format",
"vendor": "danocmx",
"versions": [
{
"lessThan": "5.9.14",
"status": "affected",
"version": "4.2.6",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-41655",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-23T14:57:56.367784Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-25T15:59:34.101Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:46:52.666Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/danocmx/node-tf2-item-format/security/advisories/GHSA-8h55-q5qq-p685",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/danocmx/node-tf2-item-format/security/advisories/GHSA-8h55-q5qq-p685"
},
{
"name": "https://github.com/danocmx/node-tf2-item-format/commit/5cffcc16a9261d6a937bda72bfe6830e02e31eec",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/danocmx/node-tf2-item-format/commit/5cffcc16a9261d6a937bda72bfe6830e02e31eec"
},
{
"name": "https://github.com/danocmx/node-tf2-item-format/releases/tag/v5.9.14",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/danocmx/node-tf2-item-format/releases/tag/v5.9.14"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "node-tf2-item-format",
"vendor": "danocmx",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.2.6, \u003c 5.9.14"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "TF2 Item Format helps users format TF2 items to the community standards. Versions of `tf2-item-format` since at least `4.2.6` and prior to `5.9.14` are vulnerable to a Regular Expression Denial of Service (ReDoS) attack when parsing crafted user input. This vulnerability can be exploited by an attacker to perform DoS attacks on any service that uses any `tf2-item-format` to parse user input. Version `5.9.14` contains a fix for the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-624",
"description": "CWE-624: Executable Regular Expression Error",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "CWE-1333: Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-23T14:49:34.078Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/danocmx/node-tf2-item-format/security/advisories/GHSA-8h55-q5qq-p685",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/danocmx/node-tf2-item-format/security/advisories/GHSA-8h55-q5qq-p685"
},
{
"name": "https://github.com/danocmx/node-tf2-item-format/commit/5cffcc16a9261d6a937bda72bfe6830e02e31eec",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/danocmx/node-tf2-item-format/commit/5cffcc16a9261d6a937bda72bfe6830e02e31eec"
},
{
"name": "https://github.com/danocmx/node-tf2-item-format/releases/tag/v5.9.14",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/danocmx/node-tf2-item-format/releases/tag/v5.9.14"
}
],
"source": {
"advisory": "GHSA-8h55-q5qq-p685",
"discovery": "UNKNOWN"
},
"title": "TF2 Item Format Regular Expression Denial of Service vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-41655",
"datePublished": "2024-07-23T14:49:34.078Z",
"dateReserved": "2024-07-18T15:21:47.481Z",
"dateUpdated": "2024-08-02T04:46:52.666Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2026-25237 (GCVE-0-2026-25237)
Vulnerability from cvelistv5
Published
2026-02-03 18:29
Modified
2026-02-04 20:21
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-624 - Executable Regular Expression Error
Summary
PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, use of preg_replace() with the /e modifier in bug update email handling can enable PHP code execution if attacker-controlled content reaches the evaluated replacement. This issue has been patched in version 1.33.0.
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25237",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-04T20:21:43.501877Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-04T20:21:50.253Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "pearweb",
"vendor": "pear",
"versions": [
{
"status": "affected",
"version": "\u003c 1.33.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, use of preg_replace() with the /e modifier in bug update email handling can enable PHP code execution if attacker-controlled content reaches the evaluated replacement. This issue has been patched in version 1.33.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 9.2,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-624",
"description": "CWE-624: Executable Regular Expression Error",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-03T18:29:54.001Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/pear/pearweb/security/advisories/GHSA-vhw6-hqh9-8r23",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/pear/pearweb/security/advisories/GHSA-vhw6-hqh9-8r23"
}
],
"source": {
"advisory": "GHSA-vhw6-hqh9-8r23",
"discovery": "UNKNOWN"
},
"title": "PEAR is Vulnerable to PHP Code Execution via preg_replace /e in Bug Update Emails"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-25237",
"datePublished": "2026-02-03T18:29:54.001Z",
"dateReserved": "2026-01-30T14:44:47.329Z",
"dateUpdated": "2026-02-04T20:21:50.253Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation
Phase: Implementation
Description:
- The regular expression feature in some languages allows inputs to be quoted or escaped before insertion, such as \Q and \E in Perl.
No CAPEC attack patterns related to this CWE.