GHSA-c2g3-c4gc-w5wg: ReDoS in DotVVM routing

June 19, 2026

This impacts users which use multiple unconstrained route parameters not separated by a /. For instance, the following code is vulnerable:

var route = new DotvvmRoute("edit/{a}-{b}-{c}/done", null, "testpage", null, null, configuration);

var adversarialInput = "edit/" + new string('-', 32000);
route.IsMatch(adversarialInput, out _);

References

github.com/advisories/GHSA-c2g3-c4gc-w5wg
github.com/riganti/dotvvm/security/advisories/GHSA-c2g3-c4gc-w5wg
www.dotvvm.com/docs/4.0/pages/concepts/routing/parameters

Code Behaviors & Features

Detect and mitigate GHSA-c2g3-c4gc-w5wg with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →