tarteaucitron.js has Regular Expression Denial of Service (ReDoS) vulnerability

Severity:: Medium

Description

A potential Regular Expression Denial of Service (ReDoS) vulnerability was identified in tarteaucitron.js in the handling of the issuu_id parameter.

Recommendation

Update the tarteaucitronjs package to the latest compatible version. Followings are version details:

Affected version(s): < 1.29.0
Patched version(s): 1.29.0

References

GHSA-q5f6-qxm2-mcqm
CVE-2026-22809
CWE-1333
CAPEC-310
OWASP 2021-A6

Related Issues

qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion - CVE-2025-15284
Mermaid does not properly sanitize architecture diagram iconText leading to XSS - CVE-2025-54880
tarteaucitron.js vulnerable to DOM Clobbering via document.currentScript - CVE-2025-48939
PDF.js vulnerable to arbitrary JavaScript execution upon opening a malicious PDF - CVE-2024-4367

Tags:: npm; tarteaucitronjs

Anything's wrong? Let us know Last updated on January 14, 2026