Cyber Resilience

CVE-2024-46242

Severity: High

Published: 07 January 2025
Modified: 15 April 2026
KEV: not listed
CVSS v3.1 score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS score: 0.0008 (23.3rd percentile)
Risk priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-46242 is a high-severity Inefficient Regular Expression Complexity (CWE-1333) vulnerability in CTFd (the affected product is inferred from the references). Its CVSS v3.1 base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). EPSS ranks it at the 23.3rd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2024-46242 is a regular expression denial of service (ReDoS) vulnerability in the validate_email function in CTFd/utils/validators/__init__.py of CTFd version 3.7.3. A crafted string supplied as the e-mail address during user registration drives the validation regex into excessive backtracking, consuming CPU out of proportion to the input size. It carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and maps to CWE-1333 (Inefficient Regular Expression Complexity).

Unauthenticated attackers with network access can trigger the flaw remotely, with low complexity and no user interaction, because the registration endpoint accepts the e-mail field before any authentication. A maliciously crafted e-mail string induces catastrophic backtracking in the regular expression, producing high CPU usage and a denial of service that disrupts availability for all users of the instance.
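The defensive counterpart, as an added illustration that is not CTFd's own validate_email (the project's regex is not reproduced here): a validator that applies the SI-10 style input validation discussed on this page, capping input length per RFC 5321 before any pattern runs and using patterns with no nested quantifiers, so a crafted address costs at most a single linear pass. The hostile sample strings are constructed for the example, not taken from the advisory.

```python
import re
import time

# Added example, not CTFd's own validate_email (its regex is not reproduced).
# Size caps are RFC 5321's: local part <= 64, address <= 254, DNS label <= 63.
MAX_EMAIL_LEN = 254
MAX_LOCAL_LEN = 64
MAX_LABEL_LEN = 63

# No quantifier nests inside another, and the repeated class is disjoint from
# the '.' that separates atoms, so matching costs a single linear pass.
_ATOM = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+"
_LOCAL_RE = re.compile(_ATOM + r"(?:\." + _ATOM + r")*")
_LABEL_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?")


def validate_email_safe(value: str) -> bool:
    """Accept a syntactically sane address. Length is checked before any
    pattern runs, so attacker-controlled input size cannot drive CPU time."""
    if not isinstance(value, str) or len(value) > MAX_EMAIL_LEN:
        return False
    local, sep, domain = value.rpartition("@")
    if sep != "@" or not local or not domain:
        return False
    if len(local) > MAX_LOCAL_LEN or not _LOCAL_RE.fullmatch(local):
        return False
    labels = domain.split(".")
    if len(labels) < 2:
        return False
    return all(len(lb) <= MAX_LABEL_LEN and _LABEL_RE.fullmatch(lb) for lb in labels)


def worst_validation_ms(samples, rounds: int = 3) -> float:
    """Worst observed wall-clock time (ms) over the samples: a small, bounded
    number for hostile input is the property a ReDoS fix must restore."""
    worst = 0.0
    for sample in samples:
        for _ in range(rounds):
            start = time.perf_counter()
            validate_email_safe(sample)
            worst = max(worst, (time.perf_counter() - start) * 1000.0)
    return worst


# Constructed hostile inputs (not from the advisory): one far beyond the size
# cap, one just inside it but shaped to make a naive pattern backtrack hard.
HOSTILE_SAMPLES = [
    "a" * 50_000 + "@" + "a-" * 20_000 + ".com",
    "!" * MAX_LOCAL_LEN + "@" + "a-" * 31 + "-.com",
]
```

Rejecting on length before the regex is the part that matters most: once input size is bounded, even an imperfect pattern has a bounded worst case.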

Advisories and further details are available from the references: the CTFd website at http://ctfd.com and a GitHub gist at https://gist.github.com/salvatore-abello/4f01f3fa54672febc0a492a11a26592c, which may describe patches or workarounds.

Vulnerability details

An issue in the validate_email function in CTFd/utils/validators/__init__.py of CTFd 3.7.3 allows attackers to cause a Regular expression Denial of Service (ReDoS) via supplying a crafted string as e-mail address during registration.

CWE(s): CWE-1333 Inefficient Regular Expression Complexity

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

A ReDoS in a public-facing e-mail validator is direct application exploitation for endpoint denial of service: crafted input alone exhausts CPU on the server.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-70030 (shared CWE-1333)
CVE-2024-41766 (shared CWE-1333)
CVE-2026-4867 (shared CWE-1333)
CVE-2025-10990 (shared CWE-1333)
CVE-2026-27904 (shared CWE-1333)
CVE-2026-30925 (shared CWE-1333)
CVE-2026-22178 (shared CWE-1333)
CVE-2026-23956 (shared CWE-1333)
CVE-2026-1388 (shared CWE-1333)
CVE-2026-23897 (shared CWE-1333)

Affected Assets

CTFd (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5, AI)

SI-10 Information Input Validation (prevent): requires validating information inputs such as e-mail addresses at entry points, directly preventing ReDoS exploitation via crafted strings in the validate_email function.

SC-5 Denial-of-service Protection (prevent): implements denial-of-service protections that limit the effects of resource exhaustion attacks such as ReDoS-induced high CPU usage during registration.

SI-2 Flaw Remediation (prevent): mandates timely flaw remediation, directly addressing the inefficient regex in CTFd's validate_email function to prevent DoS.
