Published:2025年06月24日 Last Updated:2025年06月24日

JVN#21624250
Inefficient regular expressions in GROWI

Overview

GROWI provided by GROWI, Inc. uses inefficient regular expressions. Crafted input may cause a denial of service (DoS) condition.

Products Affected

GROWI versions prior to v7.1.6

Description

GROWI provided by GROWI, Inc. contains the following vulnerability.

Inefficient regular expression complexity (CWE-1333)
- CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N Base Score 5.3
- CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L Base Score 4.3
- CVE-2025-43880

Impact

A logged-in user may cause a denial of service (DoS) condition.

Solution

Update the Software
Update the software to the latest version according to the information provided by the developer.
The developer has released the following version to address this vulnerability.

GROWI v7.1.6

Vendor Status

Vendor	Status	Last Update	Vendor Notes
GROWI, Inc.	Vulnerable	2025年06月24日

Vendor Link

GROWI, Inc. fix: Error when creating pages with deep hierarchy #9487

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Credit

Takanori Okamoto of FFRI Security, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

JPCERT Alert

JPCERT Reports

CERT Advisory

CPNI Advisory

TRnotes

CVE CVE-2025-43880

JVN iPedia JVNDB-2025-000042

JVN#21624250 Inefficient regular expressions in GROWI