ReDoS in DotVVM routing
Impact
This impacts users who define multiple unconstrained route parameters in one URL segment, i.e. parameters that are not separated by a /. For instance, the following route definition is vulnerable:
using DotVVM.Framework.Configuration;
using DotVVM.Framework.Routing;
var configuration = DotvvmConfiguration.CreateDefault();   // any configuration instance will do
var route = new DotvvmRoute("edit/{a}-{b}-{c}/done", null, "testpage", null, null, configuration); // three unconstrained parameters in a single segment
var adversarialInput = "edit/" + new string('-', 32000);   // 32000 dashes and no "/done", so the match can only fail
route.IsMatch(adversarialInput, out _);                    // before the patch: backtracks over every way of splitting the dashes among a, b and c
Patches
DotVVM versions 4.3.15, 4.2.11 and 5.0.0-preview09 apply a 1 second timeout to route regex operations. When the timeout is triggered, DotVVM permanently switches that route to the .NET non-backtracking regex engine. If non-backtracking is not supported by the target runtime (< .NET 8.0), DotVVM returns HTTP 503 when the 1 second timeout is reached.
Workarounds
Avoid multiple unconstrained route parameters in one URL segment, i.e. parameters not separated by a /.
See the DotVVM documentation on route parameter constraints.
Even with the patched version, we recommend doing this both as security hardening and to avoid ambiguity: a path such as edit/x-y-z-w/done can be split between a, b and c in more than one way.
For instance, when we change the route URL to "edit/{a:alpha}-{b:alpha}-{c}/done", the problem disappears.
If all available constraints are too restrictive, we can still use {a:regex([^-]*)} to forbid the -, which is enough to remove the ambiguity.
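To make both the Impact section and the workaround concrete, here is an added Python model of the problem. It is not DotVVM's code and is not taken from the project; it assumes (as a simplification of whatever DotVVM actually generates) that an unconstrained parameter compiles to [^/]*, that the alpha constraint compiles to [A-Za-z]*, and that regex(...) inserts the user's pattern verbatim. The sample paths and the run of dashes are constructed for this example.

```python
import re
import time

# Assumed, simplified model of how a route template becomes a regex.
# This is NOT DotVVM's implementation; it only reproduces the shape of the problem:
#   {name}            -> (?P<name>[^/]*)      unconstrained: anything but '/'
#   {name:alpha}      -> (?P<name>[A-Za-z]*)  letters only (assumed)
#   {name:regex(...)} -> (?P<name>...)        the user-supplied pattern
PARAM = re.compile(r"\{(\w+)(?::(alpha|regex\((.*?)\)))?\}")


def route_to_regex(template: str) -> re.Pattern:
    """Compile a route template into a regex; callers match it against the whole path."""
    parts = []
    pos = 0
    for m in PARAM.finditer(template):
        parts.append(re.escape(template[pos:m.start()]))
        name, constraint, custom = m.group(1, 2, 3)
        if constraint is None:
            body = "[^/]*"
        elif constraint == "alpha":
            body = "[A-Za-z]*"
        else:
            body = custom
        parts.append(f"(?P<{name}>{body})")
        pos = m.end()
    parts.append(re.escape(template[pos:]))
    return re.compile("".join(parts))


def route_values(route: re.Pattern, path: str):
    """Return the bound route parameters, or None when the path does not match."""
    m = route.fullmatch(path)
    return m.groupdict() if m else None


def timed_match(route: re.Pattern, path: str):
    """Match the path and report how long the regex engine spent on it."""
    start = time.perf_counter()
    matched = route.fullmatch(path) is not None
    return matched, time.perf_counter() - start


# The three route templates discussed on this page.
VULNERABLE = route_to_regex("edit/{a}-{b}-{c}/done")
ALPHA = route_to_regex("edit/{a:alpha}-{b:alpha}-{c}/done")
NO_DASH = route_to_regex("edit/{a:regex([^-]*)}-{b:regex([^-]*)}-{c}/done")


def adversarial_input(n: int) -> str:
    """Constructed attacker input: a run of dashes that never reaches '/done'."""
    return "edit/" + "-" * n


if __name__ == "__main__":
    # Ambiguity: the same path binds differently depending on the constraints.
    print(route_values(VULNERABLE, "edit/x-y-z-w/done"))  # {'a': 'x-y', 'b': 'z', 'c': 'w'}
    print(route_values(NO_DASH, "edit/x-y-z-w/done"))     # {'a': 'x', 'b': 'y', 'c': 'z-w'}
    # ReDoS: a few hundred dashes are already enough to see the difference.
    for label, route in [("unconstrained", VULNERABLE), ("alpha", ALPHA), ("regex([^-]*)", NO_DASH)]:
        matched, seconds = timed_match(route, adversarial_input(300))
        print(f"{label:14} matched={matched} time={seconds:.4f}s")
```

The unconstrained route is the only one where the engine has a choice: every position of the two separating dashes is a candidate split of a, b and c, and each candidate is explored and rejected before the match fails, so the time grows polynomially with the number of dashes (32000 of them, as in the Impact section, is far beyond a one second budget). With alpha or regex([^-]*) on a and b, a dash can never be absorbed into a or b, so there is exactly one way to split the path, the match fails in time linear in its length, and edit/x-y-z-w/done binds unambiguously.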