CVE-2026-21868

Flag Forge is a Capture The Flag (CTF) platform. Versions 2.3.2 and below have a Regular Expression Denial of Service (ReDoS) vulnerability in the user profile API endpoint (/api/user/[username]). The application constructs a regular expression dynamically from unescaped user input (the username path parameter). An attacker can exploit this by requesting a specially crafted username containing regex meta-characters (e.g., deeply nested groups or quantifiers), causing the MongoDB regex engine to consume excessive CPU and denying service to other users. The issue is fixed in version 2.3.3. As a workaround, implement a Web Application Firewall (WAF) rule that blocks requests containing regex meta-characters in the URL path.
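The following is an added example, not Flag Forge's own code. It shows the class of bug the advisory describes in a Node.js route handler: a MongoDB $regex filter built from the raw [username] path segment, beside two hardened forms (escaping the input, or dropping the regex for an allow-listed exact match) and a check equivalent to the advisory's interim WAF workaround. The field name "username", the handler shape and the allow-list are assumptions.

```javascript
// Added example (not Flag Forge's code). Assumes a Node.js route handler
// that looks a user up with a MongoDB $regex filter built from the
// [username] path segment, as the advisory describes; the collection
// field name "username" and the handler shape are assumptions.

// Escape every character that has a special meaning in a regular
// expression so the result matches the original input literally.
function escapeRegex(input) {
  return input.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// VULNERABLE pattern (modelled on the advisory): the raw path segment is
// interpolated into a $regex operator, so the database compiles and
// evaluates whatever the client sent, e.g. "(a+)+$".
function buildFilterVulnerable(username) {
  return { username: { $regex: `^${username}$`, $options: "i" } };
}

// HARDENED, option 1: keep the case-insensitive regex lookup but escape
// the input first. "(a+)+$" becomes a literal seven-character match with
// no nested quantifiers left to backtrack on.
function buildFilterEscaped(username) {
  return { username: { $regex: `^${escapeRegex(username)}$`, $options: "i" } };
}

// HARDENED, option 2 (preferred): do not use a regex at all. Validate the
// segment against an allow-list and query by equality; case-insensitive
// matching can be done with a collation index instead of $options: "i".
const USERNAME_RE = /^[A-Za-z0-9_-]{1,32}$/; // allow-list is an assumption
function buildFilterExact(username) {
  if (typeof username !== "string" || !USERNAME_RE.test(username)) {
    throw new RangeError("invalid username");
  }
  return { username };
}

// Check equivalent to the advisory's interim WAF workaround: reject a URL
// path segment that contains regex meta-characters. Decode percent-encoding
// first, otherwise "%28a%2B%29%2B" walks straight past the check.
function pathSegmentHasRegexMeta(segment) {
  let decoded;
  try {
    decoded = decodeURIComponent(segment);
  } catch {
    return true; // malformed encoding: treat as suspicious
  }
  return /[.*+?^${}()|[\]\\]/.test(decoded);
}

// Demonstration on a constructed attacker-style username.
function demo() {
  const evil = "(a+)+$";
  console.log("vulnerable filter:", JSON.stringify(buildFilterVulnerable(evil)));
  console.log("escaped filter:   ", JSON.stringify(buildFilterEscaped(evil)));
  console.log("WAF check on path segment:", pathSegmentHasRegexMeta(evil));
  try {
    buildFilterExact(evil);
  } catch (e) {
    console.log("exact filter rejected input:", e.message);
  }
  console.log("exact filter for alice:", JSON.stringify(buildFilterExact("alice")));
}

demo();
```

The WAF-style check mirrors the advisory's workaround and therefore also rejects legitimate usernames that contain a dot or other meta-character; that is a reason to treat it as a stopgap and ship the allow-list plus exact-match lookup (or at minimum the escaped pattern) as the real fix.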
Configurations

Configuration 1

cpe:2.3:a:flagforge:flagforge:*:*:*:*:*:*:*:*

History

20 Jan 2026, 18:47

Type: References
  Removed: https://github.com/FlagForgeCTF/flagForge/security/advisories/GHSA-949h-9824-xmcx (untagged)
  Added:   https://github.com/FlagForgeCTF/flagForge/security/advisories/GHSA-949h-9824-xmcx (Vendor Advisory)
Type: First Time
  Added:   Flagforge
           Flagforge flagforge
Type: CPE
  Added:   cpe:2.3:a:flagforge:flagforge:*:*:*:*:*:*:*:*

08 Jan 2026, 01:15

Type: New CVE

Information

Published : 2026-01-08 01:15

Updated : 2026-01-20 18:47


NVD link : CVE-2026-21868

Mitre link : CVE-2026-21868

CVE.ORG link : CVE-2026-21868



Products Affected

flagforge

  • flagforge
CWE
CWE-1333: Inefficient Regular Expression Complexity