ByteOS Network

Vulnerability Details :

CVE-2024-45338

Assigner-Go

Assigner Org ID-1bb62c36-49e3-4200-9d77-64a1400537cc

Published At-18 Dec, 2024 | 20:38

Updated At-21 Feb, 2025 | 18:03

Non-linear parsing of case-insensitive content in golang.org/x/net/html

An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.

EPSS History

Score

Latest Score

N/A

Percentile

Latest Percentile

N/A

▼Common Vulnerabilities and Exposures (CVE)

cve.org

Assigner:Go

Assigner Org ID:1bb62c36-49e3-4200-9d77-64a1400537cc

Published At:18 Dec, 2024 | 20:38

Updated At:21 Feb, 2025 | 18:03

▼CVE Numbering Authority (CNA)

Non-linear parsing of case-insensitive content in golang.org/x/net/html

An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.

Affected Products

Vendor

golang.org/x/net

Product

golang.org/x/net/html

Collection URL

https://pkg.go.dev

Package Name

golang.org/x/net/html

Program Routines

parseDoctype
htmlIntegrationPoint
inTableIM
inBodyIM
Parse
ParseFragment
ParseFragmentWithOptions
ParseWithOptions

Default Status

unaffected

Versions

Affected

From 0 before 0.33.0 (semver)

Problem Types

Type	CWE ID	Description
N/A	N/A	CWE-405: Asymmetric Resource Consumption (Amplification)

Type: N/A

CWE ID: N/A

Description: CWE-405: Asymmetric Resource Consumption (Amplification)

Credits

Guido Vranken

References

Hyperlink	Resource
https://go.dev/cl/637536	N/A
https://go.dev/issue/70906	N/A
https://groups.google.com/g/golang-announce/c/wSCRmFnNmPA/m/Lvcd0mRMAwAJ	N/A
https://pkg.go.dev/vuln/GO-2024-3333	N/A

Hyperlink: https://go.dev/cl/637536

Resource: N/A

Hyperlink: https://go.dev/issue/70906

Resource: N/A

Hyperlink: https://groups.google.com/g/golang-announce/c/wSCRmFnNmPA/m/Lvcd0mRMAwAJ

Resource: N/A

Hyperlink: https://pkg.go.dev/vuln/GO-2024-3333

Resource: N/A

▼Authorized Data Publishers (ADP)

1. CISA ADP Vulnrichment

Problem Types

Type	CWE ID	Description
CWE	CWE-1333	CWE-1333 Inefficient Regular Expression Complexity

Type: CWE

CWE ID: CWE-1333

Description: CWE-1333 Inefficient Regular Expression Complexity

Metrics

Version	Base score	Base severity	Vector
3.1	5.3	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Version: 3.1

Base score: 5.3

Base severity: MEDIUM

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Metrics Other Info

2. CVE Program Container

References

Hyperlink	Resource
https://security.netapp.com/advisory/ntap-20250221-0001/	N/A

Hyperlink: https://security.netapp.com/advisory/ntap-20250221-0001/

Resource: N/A

▼National Vulnerability Database (NVD)

nvd.nist.gov

Source:security@golang.org

Published At:18 Dec, 2024 | 21:15

Updated At:21 Feb, 2025 | 18:15

An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Secondary	3.1	5.3	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Type: Secondary

Version: 3.1

Base score: 5.3

Base severity: MEDIUM

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Weaknesses

CWE ID	Type	Source
CWE-1333	Secondary	134c704f-9b21-4f2e-91b3-4a467353bcc0

CWE ID: CWE-1333

Type: Secondary

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

References

Hyperlink	Source	Resource
https://go.dev/cl/637536	security@golang.org	N/A
https://go.dev/issue/70906	security@golang.org	N/A
https://groups.google.com/g/golang-announce/c/wSCRmFnNmPA/m/Lvcd0mRMAwAJ	security@golang.org	N/A
https://pkg.go.dev/vuln/GO-2024-3333	security@golang.org	N/A
https://security.netapp.com/advisory/ntap-20250221-0001/	af854a3a-2127-422b-91ae-364da2661108	N/A

Hyperlink: https://go.dev/cl/637536

Source: security@golang.org

Resource: N/A

Hyperlink: https://go.dev/issue/70906

Source: security@golang.org

Resource: N/A

Hyperlink: https://groups.google.com/g/golang-announce/c/wSCRmFnNmPA/m/Lvcd0mRMAwAJ

Source: security@golang.org

Resource: N/A

Hyperlink: https://pkg.go.dev/vuln/GO-2024-3333

Source: security@golang.org

Resource: N/A

Hyperlink: https://security.netapp.com/advisory/ntap-20250221-0001/

Source: af854a3a-2127-422b-91ae-364da2661108

Resource: N/A

Similar CVEs

56Records found

CVE-2024-45813

Matching Score-4

Assigner-GitHub, Inc.

View Details

Matching Score-4

Assigner-GitHub, Inc.

CVSS Score-5.3||MEDIUM

EPSS-0.08% / 25.05%

7 Day CHG~0.00%

Published-18 Sep, 2024 | 16:47

Updated-20 Sep, 2024 | 12:30

ReDoS vulnerability in multiparametric routes in find-my-way

find-my-way is a fast, open source HTTP router, internally using a Radix Tree (aka compact Prefix Tree), supports route params, wildcards, and it's framework independent. A bad regular expression is generated any time one has two parameters within a single segment, when adding a `-` at the end, like `/:a-:b-`. This may cause a denial of service in some instances. Users are advised to update to find-my-way v8.2.2 or v9.0.1. or subsequent versions. There are no known workarounds for this issue.

Vendor-delvedor

Product-find-my-way

CWE ID-CWE-1333

Inefficient Regular Expression Complexity

CVE-2017-20162

Matching Score-4

Assigner-VulDB

View Details

Matching Score-4

Assigner-VulDB

CVSS Score-4.3||MEDIUM

EPSS-0.03% / 6.38%

7 Day CHG~0.00%

Published-05 Jan, 2023 | 11:49

Updated-05 Aug, 2024 | 21:45

vercel ms index.js parse redos

A vulnerability, which was classified as problematic, has been found in vercel ms up to 1.x. This issue affects the function parse of the file index.js. The manipulation of the argument str leads to inefficient regular expression complexity. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 2.0.0 is able to address this issue. The patch is named caae2988ba2a37765d055c4eee63d383320ee662. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-217451.

Vendor-vercel vercel

Product-ms ms

CWE ID-CWE-1333

Inefficient Regular Expression Complexity

CVE-2024-25126

Matching Score-4

Assigner-GitHub, Inc.

View Details

Matching Score-4

Assigner-GitHub, Inc.

CVSS Score-5.3||MEDIUM

EPSS-0.23% / 46.04%

7 Day CHG~0.00%

Published-28 Feb, 2024 | 23:28

Updated-14 Feb, 2025 | 15:51

Rack ReDos in content type parsing (2nd degree polynomial)

Rack is a modular Ruby web server interface. Carefully crafted content type headers can cause Rack’s media type parser to take much longer than expected, leading to a possible denial of service vulnerability (ReDos 2nd degree polynomial). This vulnerability is patched in 3.0.9.1 and 2.2.8.1.

Vendor-rack rack rack_project Debian GNU/Linux

Product-debian_linux rack rack rack

CWE ID-CWE-1333

Inefficient Regular Expression Complexity

CVE-2024-21503

Matching Score-4

Assigner-Snyk

View Details

Matching Score-4

Assigner-Snyk

CVSS Score-5.3||MEDIUM

EPSS-0.06% / 18.89%

7 Day CHG~0.00%

Published-19 Mar, 2024 | 05:00

Updated-01 Aug, 2024 | 22:20

Versions of the package black before 24.3.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the lines_with_leading_tabs_expanded function in the strings.py file. An attacker could exploit this vulnerability by crafting a malicious input that causes a denial of service. Exploiting this vulnerability is possible when running Black on untrusted input, or if you habitually put thousands of leading tab characters in your docstrings.

Vendor-n/a Python Software Foundation

Product-black black

CWE ID-CWE-1333

Inefficient Regular Expression Complexity

CWE ID-CWE-75

Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)

CVE-2022-3514

Matching Score-4

Assigner-GitLab Inc.

View Details

Matching Score-4

Assigner-GitLab Inc.

CVSS Score-4.3||MEDIUM

EPSS-0.07% / 21.39%

7 Day CHG~0.00%

Published-12 Jan, 2023 | 00:00

Updated-08 Apr, 2025 | 15:55

An issue has been discovered in GitLab CE/EE affecting all versions starting from 6.6 before 15.5.7, all versions starting from 15.6 before 15.6.4, all versions starting from 15.7 before 15.7.2. An attacker may cause Denial of Service on a GitLab instance by exploiting a regex issue in the submodule URL parser.

Vendor-GitLab Inc.

Product-gitlab GitLab

CWE ID-CWE-1333

Inefficient Regular Expression Complexity

CVE-2024-50574

Matching Score-4

Assigner-JetBrains s.r.o.

View Details

Matching Score-4

Assigner-JetBrains s.r.o.

CVSS Score-5.3||MEDIUM

EPSS-0.01% / 0.53%

7 Day CHG~0.00%

Published-28 Oct, 2024 | 12:55

Updated-29 Oct, 2024 | 17:16

In JetBrains YouTrack before 2024.3.47707 potential ReDoS exploit was possible via email header parsing in Helpdesk functionality

Vendor-JetBrains s.r.o.

Product-youtrack YouTrack

CWE ID-CWE-1333

Inefficient Regular Expression Complexity

CVE-2024-45338

Credits

Non-linear parsing of case-insensitive content in golang.org/x/net/html

Vendors

Products

Metrics (CVSS)

Weaknesses

Attack Patterns

Solution/Workaround

References

EPSS History

Score

Latest Score

N/A

Percentile

Latest Percentile

N/A

Stakeholder-Specific Vulnerability Categorization (SSVC)

Affected Products

Affected

Problem Types

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References

Affected Products

Problem Types

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References

Affected Products

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References

CISA Catalog

Metrics

CPE Matches

Weaknesses

Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References

Change History

Similar CVEs