Description
Version 3.0.7 of the Securly Chrome Extension downloads config.json over HTTP and compiles server-provided patterns as JavaScript regular expressions via new RegExp() without complexity validation. An on-path attacker can inject specific patterns to cause catastrophic backtracking, resulting in denial of service on all browsing.
Published: 2026-06-03
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Securly Chrome Extension version 3.0.7 retrieves a configuration file over an unsecured HTTP connection and uses the server‑supplied string to build JavaScript regular expressions through new RegExp() without limiting their complexity. An attacker who can manipulate the on‑path traffic can inject specially crafted patterns that trigger catastrophic backtracking. This leads to a denial of service by exhausting CPU resources for all browsing sessions that load the extension.

Affected Systems

Securly Chrome Extension version 3.0.7 is affected. No other versions were identified.

Risk and Exploitability

The vulnerability is a client‑side denial of service that requires control over the HTTP stream to inject malicious regex expressions. Because the attack occurs on the user's browser, it is a local‑machine threat that can impact any user with the vulnerable extension installed. The CVSS score is not provided in the supplied data, and EPSS is not available; the vulnerability is not listed in the CISA KEV catalog. Nevertheless, the possibility of triggering an application‑level outage makes it a medium‑to‑high risk until vendor mitigation is released.

Generated by OpenCVE AI on June 3, 2026 at 20:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Disable or uninstall the Securly Chrome Extension until a patched version is released.
  • Block network connections to the domain that serves config.json from the extension to prevent downloading malicious patterns.
  • Monitor browser usage for CPU spikes or DoS symptoms and apply the vendor’s patch as soon as it becomes available.

Generated by OpenCVE AI on June 3, 2026 at 20:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
Link Providers
https://kb.cert.org/vuls/id/595768 cve-icon cve-icon
History

Wed, 03 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-400

Wed, 03 Jun 2026 19:00:00 +0000

Type Values Removed Values Added
Description Version 3.0.7 of the Securly Chrome Extension downloads config.json over HTTP and compiles server-provided patterns as JavaScript regular expressions via new RegExp() without complexity validation. An on-path attacker can inject specific patterns to cause catastrophic backtracking, resulting in denial of service on all browsing.
Title CVE-2026-8888
References

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: certcc

Published:

Updated: 2026-06-03T18:18:13.249Z

Reserved: 2026-05-18T20:40:05.298Z

Link: CVE-2026-8888

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-03T19:16:39.807

Modified: 2026-06-03T19:16:39.807

Link: CVE-2026-8888

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-03T20:30:36Z

Weaknesses