Description

Flag Forge is a Capture The Flag (CTF) platform. Versions 2.3.2 and below have a Regular Expression Denial of Service (ReDoS) vulnerability in the user profile API endpoint (/api/user/[username]). The application constructs a regular expression dynamically from unescaped user input (the username parameter). An attacker can exploit this by sending a specially crafted username containing regex meta-characters (e.g., deeply nested groups or quantifiers), causing the MongoDB regex engine to consume excessive CPU resources. This can lead to Denial of Service for other users. The issue is fixed in version 2.3.3. To work around this issue, implement a Web Application Firewall (WAF) rule to block requests containing regex meta-characters in the URL path.
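The defensive fix for the flaw described above, as an added example that is not Flag Forge's own code: escape regex meta-characters before the username reaches a MongoDB $regex filter, or drop the regex altogether for an exact-match filter. The function names and the USERNAME_RE allow-list are assumptions, not the project's.

```javascript
// Added example, not Flag Forge's own code: hardening a MongoDB $regex
// filter that is built from an untrusted username parameter.

// Escape every regex meta-character so the pattern can only match literally.
function escapeRegex(input) {
  return String(input).replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Vulnerable shape, for contrast: the raw username is interpolated, so any
// meta-characters in it change what the pattern means and how costly it is.
function buildUsernameFilterUnsafe(username) {
  return { username: { $regex: `^${username}$`, $options: 'i' } };
}

// Hardened shape: escaped first, so the database only performs a literal,
// case-insensitive comparison regardless of what the username contains.
function buildUsernameFilter(username) {
  return { username: { $regex: `^${escapeRegex(username)}$`, $options: 'i' } };
}

// Better still where case folding is not required: no regex at all.
function buildUsernameFilterExact(username) {
  return { username: String(username) };
}

// Defence in depth: an allow-list for the username alphabet (assumed policy,
// not the project's), checked before any query is built.
const USERNAME_RE = /^[A-Za-z0-9_-]{1,32}$/;
function isValidUsername(username) {
  return USERNAME_RE.test(String(username));
}

// Local stand-in for the database: evaluate a filter's pattern in JS so the
// two shapes can be compared without a MongoDB instance.
function filterMatches(filter, candidate) {
  const re = new RegExp(filter.username.$regex, filter.username.$options);
  return re.test(candidate);
}
```

With the unsafe filter, the username "a.b" also matches the stored name "axb"; with the escaped filter it matches only "a.b" (case-insensitively).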

INFO

Published Date: 2026-01-08T00:26:46.668Z
Last Modified: 2026-01-08T19:06:16.315Z
Source: GitHub_M

AFFECTED PRODUCTS

The following products are affected by the CVE-2026-21868 vulnerability.

Vendor: Flagforgectf
Product: Flagforge
