GROWI Inefficient Regular Expression Complexity Leading to Denial-of-Service Vulnerability

Vulnerability

A denial-of-service vulnerability has been identified in GROWI, prior to version 7.1.6, due to inefficient regular expressions. This issue allows a logged-in user to create a condition that disrupts normal service.

Impact

Exploitation of this vulnerability can lead to a denial-of-service condition, causing the application to become unresponsive or unavailable.

Reproduction

The vulnerability can be reproduced by a logged-in user who creates a page whose path contains more than 130 consecutive slashes, either through the page tree or via a permalink. GROWI returns an error message for such a path, but processing it can make the application sluggish; a hierarchy this deep would not be created under normal use.
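As an added illustration, not GROWI's own code, the check below validates a page path in a single linear pass so that input with long runs of slashes is rejected before any regular-expression based routing or permalink handling sees it; the length, depth and slash-run limits are assumed values, not GROWI settings.

```javascript
// Added example, not GROWI's code: validate a wiki page path in one
// linear pass so that pathological input (e.g. 130+ consecutive slashes)
// is rejected before any regex-based routing runs on it.
// The limits below are assumed defensive values, not GROWI settings.
const MAX_PATH_LENGTH = 2048;  // assumption
const MAX_DEPTH = 64;          // assumption: maximum accepted page nesting
const MAX_SLASH_RUN = 1;       // assumption: '//' is never a valid separator

// Returns { ok, reason, depth, maxRun } without using a regular expression.
function validatePagePath(path) {
  if (typeof path !== 'string' || path.length === 0 || path[0] !== '/') {
    return { ok: false, reason: 'path must be a non-empty string starting with /', depth: 0, maxRun: 0 };
  }
  if (path.length > MAX_PATH_LENGTH) {
    return { ok: false, reason: 'path too long', depth: 0, maxRun: 0 };
  }
  let run = 0;     // length of the current run of '/'
  let maxRun = 0;  // longest run of '/' seen so far
  let depth = 0;   // number of non-empty path segments
  for (const ch of path) {
    if (ch === '/') {
      run += 1;
      if (run > maxRun) maxRun = run;
    } else {
      if (run > 0) depth += 1;  // first character of a new segment
      run = 0;
    }
  }
  if (maxRun > MAX_SLASH_RUN) {
    return { ok: false, reason: `${maxRun} consecutive slashes`, depth, maxRun };
  }
  if (depth > MAX_DEPTH) {
    return { ok: false, reason: `depth ${depth} exceeds limit`, depth, maxRun };
  }
  return { ok: true, reason: '', depth, maxRun };
}

// Canonical form: collapse repeated slashes and drop a trailing one (linear time).
function normalizePagePath(path) {
  return '/' + path.split('/').filter((seg) => seg.length > 0).join('/');
}

// Constructed sample paths, including one shaped like the advisory's trigger.
const samplePaths = ['/wiki/Home', '/a//b', '/'.repeat(131) + 'page'];
for (const p of samplePaths) {
  const r = validatePagePath(p);
  const label = p.length > 40 ? p.slice(0, 20) + '...' : p;
  console.log(`${label} -> ${r.ok ? 'ok' : 'rejected: ' + r.reason}`);
}
```

Because the check never backtracks, its cost grows linearly with the path length regardless of how the slashes are arranged.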

Remediation

Users are advised to update GROWI to version 7.1.6 or later.

Added: Jun 25, 2025, 6:24 AM
Updated: Jun 25, 2025, 6:24 AM

Vulnerability Rating

Custom Algorithm

spread: 3.4
impact: 2.5
exploitability: 5.8
remediation: 7.7
relevance: 0.2
threat: 1.6
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.