CVE-2026-21868
ReDoS Vulnerability in Flag Forge User Profile API Causes DoS
Publication date: 2026-01-08
Last updated on: 2026-01-08
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| flagforge | flagforge-v2 | to 2.3.3 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1333 | The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Regular Expression Denial of Service (ReDoS) in the Flag Forge CTF platform versions 2.3.2 and below. It occurs because the application dynamically creates a regular expression from unescaped user input (the username parameter) in the user profile API endpoint. An attacker can send a specially crafted username containing regex meta-characters, causing the MongoDB regex engine to consume excessive CPU resources. This leads to a denial of service condition by making the system unavailable to other users. The issue is fixed in version 2.3.3 by escaping special characters before creating the regex. [1]
How can this vulnerability impact me? :
This vulnerability can impact you by causing a Denial of Service (DoS) on the Flag Forge platform. An attacker exploiting this flaw can make the system consume excessive CPU resources, which can degrade performance or make the service unavailable to legitimate users. This affects the availability of the application but does not impact confidentiality or integrity. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for requests to the user profile API endpoint (/api/user/[username]) that contain regex meta-characters such as deeply nested groups or quantifiers in the username parameter. You can use network monitoring tools or web server logs to identify suspicious requests with these patterns. For example, using grep on access logs to find requests with regex meta-characters like '*', '+', '?', '(', ')', '{', '}', '[', ']', '|', '\'. A sample command to detect such requests in Apache logs could be: grep -E '/api/user/.*[\*\+\?\(\)\{\}\[\]\|\\]' /var/log/apache2/access.log [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to implement a Web Application Firewall (WAF) rule that blocks requests containing regex meta-characters in the URL path, specifically targeting the username parameter in the /api/user/[username] endpoint. This will prevent malicious regex patterns from reaching the application. The recommended long-term solution is to upgrade Flag Forge to version 2.3.3 or later, where the vulnerability is patched by escaping all special characters in the username input before constructing the regular expression. [1]