CVE-2025-5891 Medium Vulnerability #6086

@mohitxroxx

Description

Vulnerability Type

Regular Expression Denial of Service (ReDoS): CVE-2025-5891


CWE Classifications

  • CWE-1333 – Inefficient Regular Expression Complexity: CWE-1333

  • CWE-400 – Uncontrolled Resource Consumption: CWE-400


Affected File

lib/tools/Config.js
https://github.com/Unitech/pm2/blob/master/lib/tools/Config.js


Problematic Code

Line 185

new RegExp(sch.regex).test(value)

Reproduce issue

Example of a vulnerable regex pattern:

const regex = /^(a+)+$/;

Attack input:

const attack = "a".repeat(50) + "X";

console.time("test");
regex.test(attack);
console.timeEnd("test");

As the number of repeated characters increases, execution time grows exponentially due to heavy backtracking.


Recommended Fix

  1. Add a maximum input length check before executing any regex validation.
  2. Cache compiled RegExp objects instead of recreating them dynamically.
  3. Wrap regex construction in a try/catch block to safely handle invalid patterns.
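The following is an added example, not pm2's code, showing the three recommended mitigations applied as one guard around the dynamic `new RegExp(sch.regex).test(value)` call; the function names, the `maxLength` default and the sample schema objects are assumptions.

```javascript
// Added example (not from pm2): a guarded replacement for the pattern
// `new RegExp(sch.regex).test(value)` described in the issue, combining
// an input length cap, a cache of compiled RegExp objects, and a
// try/catch around construction so an invalid pattern cannot throw.

const DEFAULT_MAX_LENGTH = 1024;   // assumed cap; tune to the schema's real needs
const compiledPatterns = new Map(); // pattern source -> RegExp, or null if invalid

// Compile a pattern once; later calls with the same source reuse the object.
function getRegex(source) {
  if (compiledPatterns.has(source)) return compiledPatterns.get(source);
  let re = null;
  try {
    re = new RegExp(source);
  } catch (err) {
    // Invalid pattern: remember the failure so it is not retried on every call
    re = null;
  }
  compiledPatterns.set(source, re);
  return re;
}

// Validate `value` against `sch.regex` without ever running the regex on
// over-long or non-string input. Returns { ok, reason } so callers can log
// the reason for a rejection instead of silently dropping it.
function validateAgainstSchema(sch, value, maxLength = DEFAULT_MAX_LENGTH) {
  if (typeof value !== 'string') return { ok: false, reason: 'not a string' };
  if (value.length > maxLength) return { ok: false, reason: 'too long' };
  const re = getRegex(sch.regex);
  if (re === null) return { ok: false, reason: 'invalid pattern' };
  const matched = re.test(value);
  return { ok: matched, reason: matched ? 'match' : 'no match' };
}
```

The length cap only bounds the cost as far as the pattern allows: an exponential pattern such as the issue's `^(a+)+$` still exceeds any reasonable budget at a few dozen characters, so the schema's own patterns must also be kept free of nested quantifiers.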
