Published:2025/06/24 Last Updated:2025/06/24
JVN#21624250
Inefficient regular expressions in GROWI
Overview
GROWI provided by GROWI, Inc. uses inefficient regular expressions. Crafted input may cause a denial of service (DoS) condition.
Products Affected
- GROWI versions prior to v7.1.6
Description
GROWI provided by GROWI, Inc. contains the following vulnerability.
- Inefficient regular expression complexity (CWE-1333)
- CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N Base Score 5.3
- CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L Base Score 4.3
- CVE-2025-43880
Impact
A logged-in user may cause a denial of service (DoS) condition.
Solution
Update the Software
Update the software to the latest version according to the information provided by the developer.
The developer has released the following version to address this vulnerability.
- GROWI v7.1.6
Vendor Status
| Vendor | Status | Last Update | Vendor Notes |
|---|---|---|---|
| GROWI, Inc. | Vulnerable | 2025/06/24 |
| Vendor | Link |
| GROWI, Inc. | fix: Error when creating pages with deep hierarchy #9487 |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Credit
Takanori Okamoto of FFRI Security, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Other Information
| JPCERT Alert |
|
| JPCERT Reports |
|
| CERT Advisory |
|
| CPNI Advisory |
|
| TRnotes |
|
| CVE |
CVE-2025-43880 |
| JVN iPedia |
JVNDB-2025-000042 |