uBlock Origin <=1.63.3b16: UI RegExp DoS via currentStateChanged
CVE-2025-4215 Published on May 2, 2025
gorhill uBlock Origin UI 1p-filters.js currentStateChanged redos
A vulnerability was found in gorhill uBlock Origin up to 1.63.3b16. It has been classified as problematic. Affected is the function currentStateChanged of the file src/js/1p-filters.js of the component UI. The manipulation leads to inefficient regular expression complexity. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 1.63.3b17 is able to address this issue. The patch is identified as eaedaf5b10d2f7857c6b77fbf7d4a80681d4d46c. It is recommended to upgrade the affected component.
Timeline
Advisory disclosed
VulDB entry created
VulDB entry last update
Weakness Types
What is a ReDoS Vulnerability?
The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles. Some regular expression engines have a feature called "backtracking". If the token cannot match, the engine "backtracks" to a position that may result in a different token that can match. Backtracking becomes a weakness if all of these conditions are met:
CVE-2025-4215 has been classified to as a ReDoS vulnerability or weakness.
What is a Resource Exhaustion Vulnerability?
The software does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.
CVE-2025-4215 has been classified to as a Resource Exhaustion vulnerability or weakness.
Products Associated with CVE-2025-4215
stack.watch emails you whenever new vulnerabilities are published in Ublockorigin Ublock Origin or Debian Linux. Just hit a watch button to start following.
Affected Versions
gorhill uBlock Origin Version 1.63.3b16 is affected by CVE-2025-4215Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.