## Juice Shop Codebase Exposes ReDoS Vulnerability in Profile Image Upload Route
A scheduled security scan has flagged a high-severity vulnerability in the OWASP Juice Shop project, a widely used web application security training platform. The automated CodeQL analysis identified a Polynomial Regular Expression Denial of Service (ReDoS) flaw within the `profileImageUrlUpload` route. With a CVSS score of 7.5, this vulnerability could allow an attacker to cause significant performance degradation or a complete denial of service by submitting a maliciously crafted input string.

The specific issue resides at line 19 of `routes/profileImageUrlUpload.ts`. The finding, tagged `js/polynomial-redos`, indicates that a regular expression applied to user-controlled data backtracks in polynomial (superlinear) time rather than linear time; this is CodeQL's polynomial variant, distinct from its `js/redos` rule for exponential blow-up. The scanner's description notes that the expression may run extremely slowly on input containing many repetitions of a single character ('a' in the scanner's example). Because regular-expression matching in Node.js is synchronous, a single request carrying such a string can occupy the event loop for an extended period, making the endpoint unresponsive to legitimate users while it runs.

The discovery puts the project's own maintenance and security posture under scrutiny. Juice Shop is deliberately vulnerable by design, so the question for maintainers is whether this ReDoS is one of its intended, documented challenges or an unintended flaw in a core upload route, a common attack surface in real applications. The alert, generated by a GitHub Actions workflow, illustrates why continuous scanning is useful even for tools that intentionally model insecure code: it separates planned weaknesses from accidental ones. The finding is public in the project's issue tracker, and maintainers will need to review the expression and remediate it, for example by replacing the pattern with a linear-time check and bounding input length, to prevent its abuse in training environments.
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: ReDoS, CodeQL, Security Vulnerability, GitHub Actions, Web Application Security
- **Credibility**: unverified
- **Published**: 2026-04-02 04:27:06
- **ID**: 46582
- **URL**: https://whisperx.ai/en/intel/46582