CVE-2025-70030
Published: 09 March 2026
Summary
CVE-2025-70030 is a high-severity Inefficient Regular Expression Complexity (CWE-1333) vulnerability in Sunbird-Ed SunbirdEd-portal. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks at the 18.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).
Deeper analysis
CVE-2025-70030 is a vulnerability corresponding to CWE-1333 (Inefficient Regular Expression Complexity, version 4.19) in Sunbird-Ed SunbirdEd-portal version 1.13.4. Published on 2026-03-09, it carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating a high-severity issue primarily impacting availability.
Unauthenticated attackers can exploit this vulnerability remotely over the network with low attack complexity and no user interaction required. Exploitation triggers inefficient regular expression processing, leading to a denial-of-service condition through resource exhaustion, without compromising confidentiality or integrity.
Mitigation details are available in referenced resources, including a GitHub Gist at https://gist.github.com/zcxlighthouse/d80812b9d90683c0ac65db656ae3cfb0 and the project's repositories at https://github.com/Sunbird-Ed and https://github.com/Sunbird-Ed/SunbirdEd-portal. Security practitioners should consult these for patch information or workarounds specific to SunbirdEd-portal v1.13.4.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-208446
Vulnerability details
An issue pertaining to CWE-1333: Inefficient Regular Expression Complexity (4.19) was discovered in Sunbird-Ed SunbirdEd-portal v1.13.4.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A ReDoS vulnerability (CWE-1333) in a public-facing web portal directly enables remote unauthenticated exploitation of application code to exhaust resources and deny service (T1499.004).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
SI-2 mandates identification, reporting, and correction of flaws like the inefficient regex in SunbirdEd-portal v1.13.4 to prevent DoS exploitation.
SC-5 enforces denial-of-service protections at entry points to block resource-exhausting regex inputs from unauthenticated remote attackers.
SC-6 protects resource availability by implementing controls to limit CPU and memory consumption triggered by malicious regex processing.