Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2025-5889

Summary
Assigner-VulDB
Assigner Org ID-1af790b2-7ee1-4545-860a-a788eba489b5
Published At-09 Jun, 2025 | 18:16
Updated At-11 Jun, 2025 | 10:39
Rejected At-
Credits

juliangruber brace-expansion index.js expand redos

A vulnerability was found in juliangruber brace-expansion up to 1.1.11/2.0.1/3.0.0/4.0.0. It has been rated as problematic. Affected by this issue is the function expand of the file index.js. The manipulation leads to inefficient regular expression complexity. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 1.1.12, 2.0.2, 3.0.1 and 4.0.1 is able to address this issue. The name of the patch is a5b98a4f30d7813266b221435e1eaaf25a1b0ac5. It is recommended to upgrade the affected component.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:VulDB
Assigner Org ID:1af790b2-7ee1-4545-860a-a788eba489b5
Published At:09 Jun, 2025 | 18:16
Updated At:11 Jun, 2025 | 10:39
Rejected At:
▼CVE Numbering Authority (CNA)
juliangruber brace-expansion index.js expand redos

A vulnerability was found in juliangruber brace-expansion up to 1.1.11/2.0.1/3.0.0/4.0.0. It has been rated as problematic. Affected by this issue is the function expand of the file index.js. The manipulation leads to inefficient regular expression complexity. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 1.1.12, 2.0.2, 3.0.1 and 4.0.1 is able to address this issue. The name of the patch is a5b98a4f30d7813266b221435e1eaaf25a1b0ac5. It is recommended to upgrade the affected component.

Affected Products
Vendor
juliangruber
Product
brace-expansion
Versions
Affected
  • 1.1.0
  • 1.1.1
  • 1.1.2
  • 1.1.3
  • 1.1.4
  • 1.1.5
  • 1.1.6
  • 1.1.7
  • 1.1.8
  • 1.1.9
  • 1.1.10
  • 1.1.11
  • 2.0.0
  • 2.0.1
  • 3.0
  • 4.0
Unaffected
  • 1.1.12
  • 2.0.2
  • 3.0.1
  • 4.0.1
Problem Types
TypeCWE IDDescription
CWECWE-1333Inefficient Regular Expression Complexity
CWECWE-400Resource Consumption
Type: CWE
CWE ID: CWE-1333
Description: Inefficient Regular Expression Complexity
Type: CWE
CWE ID: CWE-400
Description: Resource Consumption
Metrics
VersionBase scoreBase severityVector
4.02.3LOW
CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P
3.13.1LOW
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C
3.03.1LOW
CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C
2.02.1N/A
AV:N/AC:H/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C
Version: 4.0
Base score: 2.3
Base severity: LOW
Vector:
CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P
Version: 3.1
Base score: 3.1
Base severity: LOW
Vector:
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C
Version: 3.0
Base score: 3.1
Base severity: LOW
Vector:
CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C
Version: 2.0
Base score: 2.1
Base severity: N/A
Vector:
AV:N/AC:H/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
reporter
mmmsssttt (VulDB User)
analyst
tgerbet_enalean (VulDB User)
Timeline
EventDate
Advisory disclosed2025-06-09 00:00:00
VulDB entry created2025-06-09 02:00:00
VulDB entry last update2025-06-11 12:37:04
Event: Advisory disclosed
Date: 2025-06-09 00:00:00
Event: VulDB entry created
Date: 2025-06-09 02:00:00
Event: VulDB entry last update
Date: 2025-06-11 12:37:04
Replaced By
Rejected Reason
References
HyperlinkResource
https://vuldb.com/?id.311660
vdb-entry
technical-description
https://vuldb.com/?ctiid.311660
signature
permissions-required
https://vuldb.com/?submit.585717
third-party-advisory
https://gist.github.com/mmmsssttt404/37a40ce7d6e5ca604858fe30814d9466
exploit
https://github.com/juliangruber/brace-expansion/pull/65/commits/a5b98a4f30d7813266b221435e1eaaf25a1b0ac5
issue-tracking
patch
https://github.com/juliangruber/brace-expansion/releases/tag/v4.0.1
patch
Hyperlink: https://vuldb.com/?id.311660
Resource:
vdb-entry
technical-description
Hyperlink: https://vuldb.com/?ctiid.311660
Resource:
signature
permissions-required
Hyperlink: https://vuldb.com/?submit.585717
Resource:
third-party-advisory
Hyperlink: https://gist.github.com/mmmsssttt404/37a40ce7d6e5ca604858fe30814d9466
Resource:
exploit
Hyperlink: https://github.com/juliangruber/brace-expansion/pull/65/commits/a5b98a4f30d7813266b221435e1eaaf25a1b0ac5
Resource:
issue-tracking
patch
Hyperlink: https://github.com/juliangruber/brace-expansion/releases/tag/v4.0.1
Resource:
patch
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cna@vuldb.com
Published At:09 Jun, 2025 | 19:15
Updated At:12 Jun, 2025 | 16:06

A vulnerability was found in juliangruber brace-expansion up to 1.1.11/2.0.1/3.0.0/4.0.0. It has been rated as problematic. Affected by this issue is the function expand of the file index.js. The manipulation leads to inefficient regular expression complexity. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 1.1.12, 2.0.2, 3.0.1 and 4.0.1 is able to address this issue. The name of the patch is a5b98a4f30d7813266b221435e1eaaf25a1b0ac5. It is recommended to upgrade the affected component.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary4.02.3LOW
CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Secondary3.13.1LOW
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
Secondary2.02.1LOW
AV:N/AC:H/Au:S/C:N/I:N/A:P
Type: Secondary
Version: 4.0
Base score: 2.3
Base severity: LOW
Vector:
CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Type: Secondary
Version: 3.1
Base score: 3.1
Base severity: LOW
Vector:
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
Type: Secondary
Version: 2.0
Base score: 2.1
Base severity: LOW
Vector:
AV:N/AC:H/Au:S/C:N/I:N/A:P
CPE Matches
Weaknesses
CWE IDTypeSource
CWE-400Secondarycna@vuldb.com
CWE-1333Secondarycna@vuldb.com
CWE ID: CWE-400
Type: Secondary
Source: cna@vuldb.com
CWE ID: CWE-1333
Type: Secondary
Source: cna@vuldb.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://gist.github.com/mmmsssttt404/37a40ce7d6e5ca604858fe30814d9466cna@vuldb.com
N/A
https://github.com/juliangruber/brace-expansion/pull/65/commits/a5b98a4f30d7813266b221435e1eaaf25a1b0ac5cna@vuldb.com
N/A
https://github.com/juliangruber/brace-expansion/releases/tag/v4.0.1cna@vuldb.com
N/A
https://vuldb.com/?ctiid.311660cna@vuldb.com
N/A
https://vuldb.com/?id.311660cna@vuldb.com
N/A
https://vuldb.com/?submit.585717cna@vuldb.com
N/A
Hyperlink: https://gist.github.com/mmmsssttt404/37a40ce7d6e5ca604858fe30814d9466
Source: cna@vuldb.com
Resource: N/A
Hyperlink: https://github.com/juliangruber/brace-expansion/pull/65/commits/a5b98a4f30d7813266b221435e1eaaf25a1b0ac5
Source: cna@vuldb.com
Resource: N/A
Hyperlink: https://github.com/juliangruber/brace-expansion/releases/tag/v4.0.1
Source: cna@vuldb.com
Resource: N/A
Hyperlink: https://vuldb.com/?ctiid.311660
Source: cna@vuldb.com
Resource: N/A
Hyperlink: https://vuldb.com/?id.311660
Source: cna@vuldb.com
Resource: N/A
Hyperlink: https://vuldb.com/?submit.585717
Source: cna@vuldb.com
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

14Records found
CVE-2026-45149
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-6.5||MEDIUM
EPSS-Not Assigned
Published-29 May, 2026 | 19:55
Updated-29 May, 2026 | 20:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
brace-expansion: Large numeric range defeats documented `max` DoS protection

The brace-expansion library generates arbitrary strings containing a common prefix and suffix. From 5.0.0 to before 5.0.6, the max option was being applied too late. When expanding a single large numeric range like {1..10000000}, the sequence generation loop generates all 10 million intermediate elements before the max limit is applied With max=10, the output is correctly limited to 10 items, but the process still allocates ~505 MB and spends ~800ms building the full intermediate array. This vulnerability is fixed in 5.0.6.

Action-Not Available
Vendor-juliangruber
Product-brace-expansion
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2026-33750
Matching Score-6
Assigner-GitHub, Inc.
ShareView Details
Matching Score-6
Assigner-GitHub, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.02% / 7.20%
||
7 Day CHG~0.00%
Published-27 Mar, 2026 | 14:04
Updated-22 Apr, 2026 | 14:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
brace-expansion: Zero-step sequence causes process hang and memory exhaustion

The brace-expansion library generates arbitrary strings containing a common prefix and suffix. Prior to versions 5.0.5, 3.0.2, 2.0.3, and 1.1.13, a brace pattern with a zero step value (e.g., `{1..2..0}`) causes the sequence generation loop to run indefinitely, making the process hang for seconds and allocate heaps of memory. Versions 5.0.5, 3.0.2, 2.0.3, and 1.1.13 fix the issue. As a workaround, sanitize strings passed to `expand()` to ensure a step value of `0` is not used.

Action-Not Available
Vendor-juliangruberjuliangruber
Product-brace-expansionbrace-expansion
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2021-39938
Matching Score-4
Assigner-GitLab Inc.
ShareView Details
Matching Score-4
Assigner-GitLab Inc.
CVSS Score-3.1||LOW
EPSS-0.14% / 33.49%
||
7 Day CHG~0.00%
Published-13 Dec, 2021 | 15:47
Updated-04 Aug, 2024 | 02:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerable regular expression pattern in GitLab CE/EE since version 8.15 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, allows an attacker to cause uncontrolled resource consumption leading to Denial of Service via specially crafted deploy Slash commands

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2023-5876
Matching Score-4
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-4
Assigner-Mattermost, Inc.
CVSS Score-3.1||LOW
EPSS-0.12% / 30.34%
||
7 Day CHG~0.00%
Published-02 Nov, 2023 | 08:26
Updated-05 Sep, 2024 | 18:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Regex DoS from a malicious server enrolled in Desktop

Mattermost fails to properly validate a RegExp built off the server URL path, allowing an attacker in control of an enrolled server to mount a Denial Of Service.

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermost_desktopMattermost Desktop
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2024-6762
Matching Score-4
Assigner-Eclipse Foundation
ShareView Details
Matching Score-4
Assigner-Eclipse Foundation
CVSS Score-3.1||LOW
EPSS-0.56% / 68.68%
||
7 Day CHG~0.00%
Published-14 Oct, 2024 | 15:07
Updated-03 Nov, 2025 | 20:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Jetty PushSessionCacheFilter can cause remote DoS attacks

Jetty PushSessionCacheFilter can be exploited by unauthenticated users to launch remote DoS attacks by exhausting the server’s memory.

Action-Not Available
Vendor-Eclipse Foundation AISBL
Product-jettyJetty
CWE ID-CWE-400
Uncontrolled Resource Consumption
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2024-47003
Matching Score-4
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-4
Assigner-Mattermost, Inc.
CVSS Score-3.1||LOW
EPSS-0.48% / 65.55%
||
7 Day CHG~0.00%
Published-26 Sep, 2024 | 08:05
Updated-26 Sep, 2024 | 18:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
DoS via non-string message using permalink embed

Mattermost versions 9.11.x <= 9.11.0 and 9.5.x <= 9.5.8 fail to validate that the message of the permalink post is a string, which allows an attacker to send a non-string value as the message of a permalink post and crash the frontend.

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermost_serverMattermost
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2022-3257
Matching Score-4
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-4
Assigner-Mattermost, Inc.
CVSS Score-3.1||LOW
EPSS-0.40% / 61.16%
||
7 Day CHG~0.00%
Published-23 Sep, 2022 | 14:13
Updated-06 Dec, 2024 | 23:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Server-side Denial of Service while processing a specifically crafted GIF file

Mattermost version 7.1.x and earlier fails to sufficiently process a specifically crafted GIF file when it is uploaded while drafting a post, which allows authenticated users to cause resource exhaustion while processing the file, resulting in server-side Denial of Service.

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermost_serverMattermost
CWE ID-CWE-400
Uncontrolled Resource Consumption
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2024-6434
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-3.1||LOW
EPSS-0.09% / 25.02%
||
7 Day CHG~0.00%
Published-04 Jul, 2024 | 08:32
Updated-08 Apr, 2026 | 18:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Premium Addons for Elementor <= 4.10.35 - Regular Expressions Denial of Service

The Premium Addons for Elementor plugin for WordPress is vulnerable to Regular Expression Denial of Service (ReDoS) in all versions up to, and including, 4.10.35. This is due to processing user-supplied input as a regular expression. This makes it possible for authenticated attackers, with Author-level access and above, to create and query a malicious post title, resulting in slowing server resources.

Action-Not Available
Vendor-leap13leap13
Product-premium_addons_for_elementorPremium Addons for Elementor – Powerful Elementor Templates & Widgets
CWE ID-CWE-1333
Inefficient Regular Expression Complexity
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2022-3147
Matching Score-4
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-4
Assigner-Mattermost, Inc.
CVSS Score-3.1||LOW
EPSS-1.18% / 79.04%
||
7 Day CHG~0.00%
Published-09 Sep, 2022 | 14:39
Updated-06 Dec, 2024 | 23:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Server-side Denial of Service while processing a specifically crafted JPEG file

Mattermost version 7.0.x and earlier fails to sufficiently limit the in-memory sizes of concurrently uploaded JPEG images, which allows authenticated users to cause resource exhaustion on specific system configurations, resulting in server-side Denial of Service.

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermost_serverMattermost
CWE ID-CWE-400
Uncontrolled Resource Consumption
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2024-28053
Matching Score-4
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-4
Assigner-Mattermost, Inc.
CVSS Score-3.1||LOW
EPSS-0.10% / 26.99%
||
7 Day CHG~0.00%
Published-15 Mar, 2024 | 09:08
Updated-13 Dec, 2024 | 17:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Resource Exhaustion via the Invitation Feature

Resource Exhaustion in Mattermost Server versions 8.1.x before 8.1.10 fails to limit the size of the payload that can be read and parsed allowing an attacker to send a very large email payload and crash the server.

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermost_serverMattermost
CWE ID-CWE-400
Uncontrolled Resource Consumption
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2024-21231
Matching Score-4
Assigner-Oracle
ShareView Details
Matching Score-4
Assigner-Oracle
CVSS Score-3.1||LOW
EPSS-0.25% / 48.77%
||
7 Day CHG~0.00%
Published-15 Oct, 2024 | 19:52
Updated-03 Nov, 2025 | 22:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Vulnerability in the MySQL Server product of Oracle MySQL (component: Client programs). Supported versions that are affected are 8.0.39 and prior, 8.4.2 and prior and 9.0.1 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Server. CVSS 3.1 Base Score 3.1 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L).

Action-Not Available
Vendor-Oracle Corporation
Product-mysqlMySQL Server
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2020-7016
Matching Score-4
Assigner-Elastic
ShareView Details
Matching Score-4
Assigner-Elastic
CVSS Score-4.8||MEDIUM
EPSS-0.35% / 57.88%
||
7 Day CHG~0.00%
Published-27 Jul, 2020 | 18:00
Updated-04 Aug, 2024 | 09:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Kibana versions before 6.8.11 and 7.8.1 contain a denial of service (DoS) flaw in Timelion. An attacker can construct a URL that when viewed by a Kibana user can lead to the Kibana process consuming large amounts of CPU and becoming unresponsive.

Action-Not Available
Vendor-Oracle CorporationElasticsearch BV
Product-communications_cloud_native_core_network_function_cloud_native_environmentkibanapeoplesoft_enterprise_peopletoolscommunications_billing_and_revenue_managementKibana
CWE ID-CWE-185
Incorrect Regular Expression
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2024-22091
Matching Score-4
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-4
Assigner-Mattermost, Inc.
CVSS Score-3.1||LOW
EPSS-0.14% / 33.57%
||
7 Day CHG~0.00%
Published-26 Apr, 2024 | 08:24
Updated-12 May, 2025 | 13:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Excessive resource consumption due to lack to request path size limits

Mattermost versions 8.1.x <= 8.1.10, 9.6.x <= 9.6.0, 9.5.x <= 9.5.2 and 8.1.x <= 8.1.11 fail to limit the size of a request path that includes user inputs which allows an attacker to cause excessive resource consumption, possibly leading to a DoS via sending large request paths

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermost_serverMattermostmattermost_servermattermost
CWE ID-CWE-400
Uncontrolled Resource Consumption
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling
CVE-2021-39914
Matching Score-4
Assigner-GitLab Inc.
ShareView Details
Matching Score-4
Assigner-GitLab Inc.
CVSS Score-3.1||LOW
EPSS-0.18% / 38.84%
||
7 Day CHG~0.00%
Published-04 Nov, 2021 | 22:39
Updated-04 Aug, 2024 | 02:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A regular expression denial of service issue in GitLab versions 8.13 to 14.2.5, 14.3.0 to 14.3.3 and 14.4.0 could cause excessive usage of resources when a specially crafted username was used when provisioning a new user

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-400
Uncontrolled Resource Consumption
Details not found