CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

GHSA-x4hg-hfwf-p9mw: @asymmetric-effort/nogginlessdom vulnerable to ReDoS via user-controlled regex in HTMLInputElement pattern validation

medium
Summary The HTMLInputElement.checkValidity() method constructed a RegExp directly from the user-controlled pattern property without any sanitization or timeout protection. This allowed an attacker to inject a regex with catastrophic backtracking, freezing the event loop. Fix Fixed in commit https://github.com/asymmetric-effort/NogginLessDom/commit/25a3cbac665fae5663f8b71c073b80c3152dbe7b on main. Added: - Pattern length limit (1024 characters) - Nested quantifier detection (hasNestedQuantifiers) that rejects patterns like (a+)+ before constructing the regex - Patterns exceeding limits are treated as non-matching (safe default)

Details

Source
GitHub Security Advisories (INTL · database · site)
Severity
medium
Published
2026-07-02
Last updated
2026-07-02
Exploitation
Not in CISA KEV at last sync

Original advisory: https://github.com/advisories/GHSA-x4hg-hfwf-p9mw

More from GitHub Security Advisories