CVE-2026-21868
Unknown Unknown - Not Provided
ReDoS Vulnerability in Flag Forge User Profile API Causes DoS

Publication date: 2026-01-08

Last updated on: 2026-01-08

Assigner: GitHub, Inc.

Description
Flag Forge is a Capture The Flag (CTF) platform. Versions 2.3.2 and below have a Regular Expression Denial of Service (ReDoS) vulnerability in the user profile API endpoint (/api/user/[username]). The application constructs a regular expression dynamically using unescaped user input (the username parameter). An attacker can exploit this by sending a specially crafted username containing regex meta-characters (e.g., deeply nested groups or quantifiers), causing the MongoDB regex engine to consume excessive CPU resources. This can lead to Denial of Service for other users. The issue is fixed in version 2.3.3. To workaround this issue, implement a Web Application Firewall (WAF) rule to block requests containing regex meta-characters in the URL path.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-08
Last Modified
2026-01-08
Generated
2026-06-16
AI Q&A
2026-01-08
EPSS Evaluated
2026-06-15
NVD
CVE-2026-21868
EUVD
EUVD-2026-1664
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
flagforge flagforge-v2 to 2.3.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1333 The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a Regular Expression Denial of Service (ReDoS) in the Flag Forge CTF platform versions 2.3.2 and below. It occurs because the application dynamically creates a regular expression from unescaped user input (the username parameter) in the user profile API endpoint. An attacker can send a specially crafted username containing regex meta-characters, causing the MongoDB regex engine to consume excessive CPU resources. This leads to a denial of service condition by making the system unavailable to other users. The issue is fixed in version 2.3.3 by escaping special characters before creating the regex. [1]

Impact Analysis

This vulnerability can impact you by causing a Denial of Service (DoS) on the Flag Forge platform. An attacker exploiting this flaw can make the system consume excessive CPU resources, which can degrade performance or make the service unavailable to legitimate users. This affects the availability of the application but does not impact confidentiality or integrity. [1]

Detection Guidance

This vulnerability can be detected by monitoring for requests to the user profile API endpoint (/api/user/[username]) that contain regex meta-characters such as deeply nested groups or quantifiers in the username parameter. You can use network monitoring tools or web server logs to identify suspicious requests with these patterns. For example, using grep on access logs to find requests with regex meta-characters like '*', '+', '?', '(', ')', '{', '}', '[', ']', '|', '\'. A sample command to detect such requests in Apache logs could be: grep -E '/api/user/.*[\*\+\?\(\)\{\}\[\]\|\\]' /var/log/apache2/access.log [1]

Mitigation Strategies

The immediate mitigation step is to implement a Web Application Firewall (WAF) rule that blocks requests containing regex meta-characters in the URL path, specifically targeting the username parameter in the /api/user/[username] endpoint. This will prevent malicious regex patterns from reaching the application. The recommended long-term solution is to upgrade Flag Forge to version 2.3.3 or later, where the vulnerability is patched by escaping all special characters in the username input before constructing the regular expression. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-21868. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart