CVE-2021-41115
- Source
- https://cve.org/CVERecord?id=CVE-2021-41115
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-41115.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2021-41115
- Related
- Published
- 2021-10-07T23:15:08.027Z
- Modified
- 2026-03-15T22:42:57.145667Z
- Severity
-
- 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- [none]
- Details
-
Zulip is an open source team chat server. In affected versions Zulip allows organization administrators on a server to configure "linkifiers" that automatically create links from messages that users send, detected via arbitrary regular expressions. Malicious organization administrators could subject the server to a denial-of-service via regular expression complexity attacks; most simply, by configuring a quadratic-time regular expression in a linkifier, and sending messages that exploited it. A regular expression attempted to parse the user-provided regexes to verify that they were safe from ReDoS -- this was both insufficient, as well as itself subject to ReDoS if the organization administrator entered a sufficiently complex invalid regex. Affected users should upgrade to the just-released Zulip 4.7, or
main. - References