Description
Flag Forge is a Capture The Flag (CTF) platform. Versions 2.3.2 and below have a Regular Expression Denial of Service (ReDoS) vulnerability in the user profile API endpoint (/api/user/[username]). The application constructs a regular expression dynamically using unescaped user input (the username parameter). An attacker can exploit this by sending a specially crafted username containing regex meta-characters (e.g., deeply nested groups or quantifiers), causing the MongoDB regex engine to consume excessive CPU resources. This can lead to Denial of Service for other users. The issue is fixed in version 2.3.3. To work around this issue, implement a Web Application Firewall (WAF) rule to block requests containing regex meta-characters in the URL path.
Published: 2026-01-08
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

Flag Forge versions 2.3.2 and below construct a regular expression directly from the username supplied to the user profile API endpoint. This dynamic, unescaped pattern allows an attacker to send a crafted username containing a large number of nested or quantified groups, causing the MongoDB regular‑expression engine to consume excessive CPU time. The resulting denial of service can degrade performance or bring the service to a halt for other users. The weakness is identified as CWE‑1333, a regular expression denial of service.

Affected Systems

The affected product is FlagForge CTF: FlagForge. Any deployment running version 2.3.2 or earlier is vulnerable. The issue is fixed in version 2.3.3; older versions lack the remediation and are at risk.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity impact on availability. The EPSS score is <1%, suggesting that at the time of analysis the likelihood of exploitation is very low but non‑zero. The vulnerability is not listed in the CISA KEV catalog. An attacker can exploit it by sending a specially crafted HTTP request targeting the /api/user/[username] endpoint, where the [username] component contains regex meta‑characters. This request forces the server to perform an expensive pattern match, consuming CPU resources and potentially disrupting service for legitimate users.

Generated by OpenCVE AI on April 18, 2026 at 07:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade FlagForge to version 2.3.3 or later to eliminate the vulnerable regular‑expression construction.
  • Configure a Web Application Firewall rule that rejects or blocks URLs containing regex meta‑characters such as parentheses, braces, or quantifiers before they reach the application.
  • Implement input validation or sanitization for the username parameter, enforce a strict alphanumeric format, and consider rate limiting or monitoring CPU usage to detect abnormal regex processing during ongoing operations.
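
The validation and escaping recommended above, sketched as an added example (this is not FlagForge's code). The function names, the `name` field, the 3 to 32 character allowlist and the case-insensitive match are all assumptions made for illustration.

```javascript
// Added example, not FlagForge code. All names and the policy are hypothetical.

// Strict allowlist (assumed policy): 3-32 letters, digits, underscore, hyphen.
const USERNAME_RE = /^[A-Za-z0-9_-]{3,32}$/;

// Escape every character that has special meaning in a regular expression.
function escapeRegex(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// "Before": the construction the description warns about, input used as-is.
function unsafeFilter(username) {
  return { name: { $regex: `^${username}$`, $options: "i" } };
}

// "After": validate first, then escape, so the input can only match literally.
function safeFilter(username) {
  if (typeof username !== "string" || !USERNAME_RE.test(username)) {
    return null; // caller answers 400 without querying the database
  }
  return { name: { $regex: `^${escapeRegex(username)}$`, $options: "i" } };
}

// Local stand-in for the database match, to show how a filter behaves.
function matches(filter, storedName) {
  return new RegExp(filter.name.$regex, filter.name.$options).test(storedName);
}

// Constructed sample inputs: one ordinary username, two with meta-characters.
for (const input of ["Alice_01", ".*", "(x+)+y"]) {
  const filter = safeFilter(input);
  console.log(JSON.stringify(input), filter ? "accepted" : "rejected");
}

// The unescaped pattern treats ".*" as a wildcard and matches any stored name.
console.log("unsafe '.*' matches 'alice':", matches(unsafeFilter(".*"), "alice"));
```

Validation alone already rejects every meta-character under this allowlist; the escaping step keeps the query safe if the allowlist is later widened.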



Advisories

No advisories yet.

History

Tue, 20 Jan 2026 19:00:00 +0000

Type Values Removed Values Added
First Time appeared Flagforge
Flagforge flagforge
CPEs cpe:2.3:a:flagforge:flagforge:*:*:*:*:*:*:*:*
Vendors & Products Flagforge
Flagforge flagforge

Thu, 08 Jan 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 08 Jan 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Flagforgectf
Flagforgectf flagforge
Vendors & Products Flagforgectf
Flagforgectf flagforge

Thu, 08 Jan 2026 00:30:00 +0000

Type Values Removed Values Added
Description Flag Forge is a Capture The Flag (CTF) platform. Versions 2.3.2 and below have a Regular Expression Denial of Service (ReDoS) vulnerability in the user profile API endpoint (/api/user/[username]). The application constructs a regular expression dynamically using unescaped user input (the username parameter). An attacker can exploit this by sending a specially crafted username containing regex meta-characters (e.g., deeply nested groups or quantifiers), causing the MongoDB regex engine to consume excessive CPU resources. This can lead to Denial of Service for other users. The issue is fixed in version 2.3.3. To work around this issue, implement a Web Application Firewall (WAF) rule to block requests containing regex meta-characters in the URL path.
Title Flag Forge has ReDoS Vulnerability in User Profile Lookup API
Weaknesses CWE-1333
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-08T19:06:16.315Z

Reserved: 2026-01-05T16:44:16.368Z

Link: CVE-2026-21868

Vulnrichment

Updated: 2026-01-08T19:06:12.384Z

NVD

Status: Analyzed

Published: 2026-01-08T01:15:55.483

Modified: 2026-01-20T18:47:56.220

Link: CVE-2026-21868

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T08:00:05Z

Weaknesses