CVE-2026-22809
ReDoS Vulnerability in tarteaucitron.js Cookie Banner Before
Publication date: 2026-01-13
Last updated on: 2026-01-13
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| amauric | tarteaucitron.js | < 1.29.0 (1.29.0 excluded) |
| amauric | tarteaucitron.js | 1.29.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1333 | The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Regular Expression Denial of Service (ReDoS) in tarteaucitron.js prior to version 1.29.0. The code validated the issuu_id parameter with regular expressions that were inefficient and not anchored, so a specially crafted value forces excessive backtracking and burns CPU time; the result is a denial of service through resource exhaustion. The fix replaces the vulnerable regular expressions with strictly anchored patterns that cannot backtrack this way. [1, 2]
How can this vulnerability impact me?
The impact is on availability only: a malicious issuu_id value can drive CPU consumption high enough that the application becomes temporarily unresponsive. Because tarteaucitron.js is a cookie banner that runs in the visitor's browser, that cost lands on the page's JavaScript thread rather than on a server. Confidentiality and integrity of data are not affected. [2]
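An added example, not code from tarteaucitron.js or from the advisory: the page does not reproduce the vulnerable pattern, so `VULNERABLE_ID_RE` below is a hypothetical stand-in with the two defects described above (no start anchor, nested quantifiers), and `ANCHORED_ID_RE` is a hypothetical strictly anchored replacement. It shows both consequences of the missing anchor: a hostile prefix passes validation because a substring match is enough, and a failing match costs time that roughly doubles with every extra character.

```javascript
// Added example (not tarteaucitron.js code). Both patterns are hypothetical stand-ins
// for the "before" and "after" described on the page, not the project's own regexes.
'use strict';

// Hypothetical "before": anchored only at the end, with a quantifier nested inside
// another quantifier. Any run of id characters that reaches end-of-string matches.
const VULNERABLE_ID_RE = /([0-9a-z]+[-_]?)+$/;

// Hypothetical "after": anchored at both ends, one flat character class, bounded length.
const ANCHORED_ID_RE = /^[0-9a-z][0-9a-z_-]{0,63}$/;

// Validate an issuu_id-style value against a pattern; non-strings are rejected outright.
function isValidIssuuId(id, re = ANCHORED_ID_RE) {
  return typeof id === 'string' && re.test(id);
}

// Time a single regex evaluation in milliseconds and return the match result with it.
function timeTest(re, input) {
  const start = performance.now();
  const matched = re.test(input);
  return { matched, elapsedMs: performance.now() - start };
}

// Worst case for the nested quantifier: a run of valid id characters followed by one
// character that makes the overall match fail, so every way of splitting the run between
// the inner and outer quantifier is tried at every start position before giving up.
function worstCaseInput(n) {
  return 'a'.repeat(n) + '!';
}

// Run both patterns against growing worst-case inputs and return the timings, so the
// growth rate (exponential for the vulnerable pattern, flat for the anchored one) is visible.
function backtrackingProfile(lengths) {
  return lengths.map((n) => {
    const input = worstCaseInput(n);
    return {
      n,
      vulnerableMs: timeTest(VULNERABLE_ID_RE, input).elapsedMs,
      anchoredMs: timeTest(ANCHORED_ID_RE, input).elapsedMs,
    };
  });
}

// 1. Missing start anchor: an injected prefix still "validates" against the old pattern.
const hostile = '"><img src=x onerror=alert(1)>abc123';
console.log('vulnerable accepts hostile id:', isValidIssuuId(hostile, VULNERABLE_ID_RE)); // true
console.log('anchored accepts hostile id:  ', isValidIssuuId(hostile, ANCHORED_ID_RE));   // false

// 2. Backtracking: vulnerable time roughly doubles per added character; anchored stays flat.
for (const row of backtrackingProfile([14, 16, 18, 20])) {
  console.log(`n=${row.n}  vulnerable=${row.vulnerableMs.toFixed(2)}ms  anchored=${row.anchoredMs.toFixed(3)}ms`);
}
```

Lengths are kept small on purpose; raising `n` by a few characters is enough to freeze a browser tab, which is the failure mode the page describes. The hardened pattern does not only add `^` and `$`: removing the nested quantifier and bounding the length is what removes the backtracking, since a fully anchored pattern with a nested quantifier is still exponential on a failing input.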
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection is a version check: any deployment of tarteaucitron.js older than 1.29.0 carries the vulnerable issuu_id regular expressions. The resources provide no specific detection commands. If the library is installed through npm, run `npm ls tarteaucitronjs` (the npm package name differs from the project name) or look the package up in package-lock.json; if the file is vendored, inspect the version recorded in the deployed copy. Because the defect is inefficient regex matching, sustained CPU spikes or a frozen page while an issuu embed is processed can indicate a crafted issuu_id value, but such symptoms are not specific to this issue. [2]
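An added example for the version check above, not code from the project or the advisory: it decides whether a version string is below the fixed release named on the page and walks a package-lock.json to report affected installs, including nested ones. It assumes the project is published on npm as `tarteaucitronjs` (both that name and `tarteaucitron.js` are searched); the lock file is a constructed sample.

```javascript
// Added example (not tarteaucitron.js code): version comparison against the fixed
// release and a scan of a lockfileVersion 2/3 package-lock.json for affected installs.
'use strict';

const FIXED_VERSION = '1.29.0'; // first fixed release, from the advisory

// Assumption: the project is published on npm as "tarteaucitronjs"; a vendored copy may be
// recorded under the project name instead, so both spellings are searched.
const PACKAGE_NAMES = ['tarteaucitronjs', 'tarteaucitron.js'];

// Parse "MAJOR.MINOR.PATCH" with an optional leading "v", "-prerelease" and "+build" parts.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], prerelease: m[4] || null };
}

// Order two parsed versions; a prerelease of X sorts before the X release (semver rule),
// so "1.29.0-beta.1" is still counted as older than the fix.
function compareVersions(a, b) {
  for (const k of ['major', 'minor', 'patch']) {
    if (a[k] !== b[k]) return a[k] < b[k] ? -1 : 1;
  }
  if (a.prerelease === b.prerelease) return 0;
  if (a.prerelease === null) return 1;
  if (b.prerelease === null) return -1;
  return a.prerelease < b.prerelease ? -1 : 1;
}

// true = affected, false = fixed, null = unparseable (review by hand).
function isAffectedVersion(v) {
  const parsed = parseVersion(v);
  if (!parsed) return null;
  return compareVersions(parsed, parseVersion(FIXED_VERSION)) < 0;
}

// Walk the "packages" map of a package-lock.json (lockfileVersion 2 or 3), whose keys are
// install paths such as "node_modules/foo/node_modules/bar", and report every install of
// the package that is affected or whose version could not be parsed.
function findAffectedInstalls(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.split('node_modules/').pop();
    if (!PACKAGE_NAMES.includes(name) || !entry || !entry.version) continue;
    const affected = isAffectedVersion(entry.version);
    if (affected !== false) hits.push({ path, version: entry.version, affected });
  }
  return hits;
}

// Constructed sample lock file: one affected top-level install and one fixed nested install.
const SAMPLE_LOCK = {
  name: 'example-site',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-site', version: '1.0.0' },
    'node_modules/tarteaucitronjs': { version: '1.28.0' },
    'node_modules/some-theme': { version: '2.3.1' },
    'node_modules/some-theme/node_modules/tarteaucitronjs': { version: '1.29.0' },
  },
};

console.log(findAffectedInstalls(SAMPLE_LOCK));
// [ { path: 'node_modules/tarteaucitronjs', version: '1.28.0', affected: true } ]
```

Against a real project, pass the parsed lock file instead of the sample, for example `findAffectedInstalls(JSON.parse(fs.readFileSync('package-lock.json', 'utf8')))`. A lockfileVersion 1 file keeps installs under `dependencies` rather than `packages` and is not covered here; neither is a copy of the script vendored straight into a site's assets, whose version has to be read from the file itself.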
What immediate steps should I take to mitigate this vulnerability?
Upgrade tarteaucitron.js to version 1.29.0 or later. That release replaces the vulnerable regular expressions with strictly anchored patterns that prevent the backtracking, and it also removes legacy, potentially vulnerable code for the Alexa service. Until the upgrade is deployed, make sure that only trusted users with high privileges can set the issuu_id parameter, since exploitation requires that level of access. If you cannot move to the release, apply the fixing commit, SHA f0bbdac2fdf3cd24a325fc0928c0d34abf1b7b52. [1, 2]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability affects availability only; it does not expose or alter data, so it has no direct bearing on the confidentiality and integrity requirements of privacy regulations such as GDPR or HIPAA. Availability problems can still count against the service reliability obligations that some regulations impose. [2]