Inefficient Regular Expression Complexity Affecting kibana-9.4-advanced package, versions <9.4.3-r0


Severity

Recommended severity: low (based on default assessment until relevant scores are available).

Threat Intelligence

EPSS: 0.39% (31st percentile)

  • Snyk ID: SNYK-MINIMOSLATEST-KIBANA94ADVANCED-17769387
  • Published: 2 Jul 2026
  • Disclosed: 17 Jun 2026

Introduced: 17 Jun 2026

CVE-2026-45617
CWE-1333 (Inefficient Regular Expression Complexity)

How to fix?

Upgrade Minimos:latest kibana-9.4-advanced to version 9.4.3-r0 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream kibana-9.4-advanced package and not the kibana-9.4-advanced package as distributed by Minimos. See How to fix? for Minimos:latest relevant fixed versions and status.

LiquidJS is a Shopify/GitHub Pages compatible template engine written in pure JavaScript. In versions 10.25.7 and below, the built-in strip_html filter uses a regex containing four flawed lazy-quantified alternatives, leading to ReDoS via quadratic backtracking. When the input contains many <script, <style, or <!-- opener tokens without matching closers, the V8 regex engine performs O(N²) backtracking, blocking the Node.js event loop. A single ~350 KB request ('<script'.repeat(50000)) stalls the process for ~10 seconds; cost grows quadratically with input size.

The default memoryLimit: Infinity does not bound regex CPU, and even when configured strip_html only charges str.length to the limit — the regex itself runs unbounded. A single unauthenticated request containing crafted untrusted input can cause severe event-loop blocking and CPU amplification that saturates Node.js workers while bypassing memoryLimit protections.

This issue has been fixed in version 10.26.0.
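The backtracking behaviour the description refers to, as an added illustration that is not part of the advisory and not code from the LiquidJS project: `VULNERABLE_STRIP_HTML` below is an assumption modeled on the description's account of the filter (lazy-quantified alternatives for script, style and comment blocks plus a generic tag alternative), not a copy of the project's regex, and `stripHtmlLinear` is a hand-written single-pass replacement that keeps the same stripping semantics in O(N) time by memoizing failed closer searches. The hostile input is constructed from the description's `'<script'.repeat(n)`; the script prints timings for increasing n so the quadratic growth of the regex version can be seen next to the linear one.

```javascript
// Added example (not from the advisory or LiquidJS): a regex in the shape the
// description gives for strip_html, beside a linear-time scanner with the same
// stripping semantics. VULNERABLE_STRIP_HTML is an assumption modeled on the
// description, not the project's actual source.
const VULNERABLE_STRIP_HTML =
  /<script[\s\S]*?<\/script>|<style[\s\S]*?<\/style>|<!--[\s\S]*?-->|<[^>]*>/g;

// Regex-based stripper. On '<script'.repeat(n) with no '</script>' anywhere,
// the lazy [\s\S]*? is extended one character at a time to the end of the
// input before the alternative fails; the engine then retries at the next
// opener, so total work is roughly n * (input length) / 2: quadratic.
function stripHtmlRegex(input) {
  const str = input == null ? '' : String(input);
  return str.replace(VULNERABLE_STRIP_HTML, '');
}

// Block constructs, tried in the same order as the regex alternatives.
const BLOCKS = [
  { open: '<script', close: '</script>' },
  { open: '<style', close: '</style>' },
  { open: '<!--', close: '-->' },
];

// Single-pass stripper producing the same output as stripHtmlRegex:
//  - an opener with a later closer drops everything through the closer;
//  - otherwise '<' through the next '>' is dropped, or '<' is kept if no '>'
//    exists.
// Failed searches are memoized: "no closer after position X" stays true for
// every later position, so each closer (and '>') is searched for at most once
// per region of the input, giving O(N) total work on any input.
function stripHtmlLinear(input) {
  const str = input == null ? '' : String(input);
  const n = str.length;
  const memo = BLOCKS.map(() => ({ searched: false, at: -1 }));
  let noGtFrom = Infinity; // no '>' exists at or after this index
  const out = [];
  let i = 0;
  while (i < n) {
    if (str[i] !== '<') { out.push(str[i]); i++; continue; }
    let consumed = false;
    for (let k = 0; k < BLOCKS.length && !consumed; k++) {
      const { open, close } = BLOCKS[k];
      if (!str.startsWith(open, i)) continue;
      const start = i + open.length;
      const m = memo[k];
      let at;
      if (m.searched && (m.at === -1 || m.at >= start)) {
        at = m.at; // earlier result still valid: none ahead, or first hit still ahead
      } else {
        at = str.indexOf(close, start);
        m.searched = true;
        m.at = at;
      }
      if (at !== -1) { i = at + close.length; consumed = true; }
    }
    if (consumed) continue;
    // Generic tag: drop through the next '>' if one exists, else keep the '<'.
    let gt = -1;
    if (i + 1 < noGtFrom) {
      gt = str.indexOf('>', i + 1);
      if (gt === -1) noGtFrom = i + 1;
    }
    if (gt === -1) { out.push('<'); i++; } else { i = gt + 1; }
  }
  return out.join('');
}

// Constructed hostile input from the description: openers with no closers.
function hostileInput(n) { return '<script'.repeat(n); }

function timeMs(fn, input) {
  const t0 = process.hrtime.bigint();
  fn(input);
  return Number(process.hrtime.bigint() - t0) / 1e6;
}

// Doubling n roughly quadruples the regex time and doubles the scanner's.
for (const n of [1000, 2000, 4000]) {
  const sample = hostileInput(n);
  console.log(`n=${n}: regex ${timeMs(stripHtmlRegex, sample).toFixed(1)} ms, ` +
              `linear ${timeMs(stripHtmlLinear, sample).toFixed(1)} ms`);
}
```

Because the quadratic cost is spent entirely inside the regex engine, no memoryLimit setting in the template engine can cap it, which is why the page's only remediation is the upgrade: the scanner above is illustrative of a linear-time design, not a drop-in patch for the affected package.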