GROWI
cpe:2.3:a:weseek:growi:*:*:*:*:*:*:*
- <= 7.5.0
A regular expression denial-of-service (ReDoS) vulnerability has been identified in GROWI, a product of GROWI, Inc. This issue affects GROWI versions through 7.5.0. The vulnerability arises from the User-Agent parsing process, which lacks proper input length restrictions. As a result, an unauthenticated attacker can send crafted long strings that exhaust the server's CPU resources, causing a significant slowdown or complete unresponsiveness of the service. This denial-of-service condition can also delay or time out requests from other users accessing the service simultaneously.
Exploitation of this vulnerability allows for a denial-of-service condition, where the server becomes unresponsive or significantly slows down, causing timeouts for users' requests. This disruption can affect multiple users at once, depending on the server's resource management.
Users are advised to update GROWI to version 7.5.1 or later. The updated version can be downloaded from GitHub or Docker Hub.
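The root cause described above is a User-Agent value that reaches a regex-based parser with no length bound. As an added hardening example (not GROWI's own code; JavaScript because GROWI is a Node.js application), the middleware below caps the header to a fixed budget before any parser sees it, logs oversized headers so a burst of them is visible to detection, and optionally rejects them with 431 instead of truncating. The 512-byte limit, the injected parser and the request objects are assumptions, not values from the advisory.

```javascript
'use strict';

// Added hardening example, not GROWI's own code. The User-Agent header is
// cut to a fixed budget before any regex-based parser sees it, so header
// length cannot drive superlinear matching. MAX_UA_LENGTH is an assumption.
const MAX_UA_LENGTH = 512; // real browser UAs are far shorter than this

// Return a bounded copy of the header and whether it had to be truncated.
function boundUserAgent(value, maxLen = MAX_UA_LENGTH) {
  if (typeof value !== 'string') return { ua: '', truncated: false };
  if (value.length <= maxLen) return { ua: value, truncated: false };
  return { ua: value.slice(0, maxLen), truncated: true };
}

// Middleware factory with the (req, res, next) signature. The parser is
// injected so the guard works in front of whichever UA library is in use.
function userAgentGuard(parseUserAgent, options = {}) {
  const { maxLen = MAX_UA_LENGTH, reject = false, log = () => {} } = options;
  return function guard(req, res, next) {
    const raw = req.headers['user-agent'];
    const { ua, truncated } = boundUserAgent(raw, maxLen);
    if (truncated) {
      // Oversized UA headers are rare in legitimate traffic; emit a
      // structured event so a burst of them is visible to detection.
      log({
        event: 'oversized_user_agent',
        length: raw.length,
        remote: req.socket ? req.socket.remoteAddress : undefined,
      });
      if (reject) {
        res.statusCode = 431; // Request Header Fields Too Large
        res.end();
        return;
      }
    }
    // Only the bounded string is ever handed to the parser.
    req.userAgent = parseUserAgent(ua);
    next();
  };
}

// Stand-alone demo on a constructed request (not captured traffic).
const demoEvents = [];
const demoGuard = userAgentGuard((ua) => ({ raw: ua }), { log: (e) => demoEvents.push(e) });
const demoReq = { headers: { 'user-agent': 'x'.repeat(10000) }, socket: { remoteAddress: '198.51.100.7' } };
const demoRes = { statusCode: 200, end() {} };
demoGuard(demoReq, demoRes, () => {});
console.log(demoReq.userAgent.raw.length, demoEvents[0].length); // 512 10000
```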