
CVE-2026-21868: CWE-1333: Inefficient Regular Expression Complexity in FlagForgeCTF flagForge

Severity: High
Tags: vulnerability, cve, cve-2026-21868, cwe-1333
Published: Thu Jan 08 2026 (01/08/2026, 00:26:46 UTC)
Source: CVE Database V5
Vendor/Project: FlagForgeCTF
Product: flagForge

Description

Flag Forge is a Capture The Flag (CTF) platform. Versions 2.3.2 and below have a Regular Expression Denial of Service (ReDoS) vulnerability in the user profile API endpoint (/api/user/[username]). The application constructs a regular expression dynamically from unescaped user input (the username parameter). An attacker can exploit this by sending a specially crafted username containing regex meta-characters (e.g., deeply nested groups or quantifiers), causing the MongoDB regex engine to consume excessive CPU resources. This can lead to Denial of Service for other users. The issue is fixed in version 2.3.3. To work around this issue, implement a Web Application Firewall (WAF) rule to block requests containing regex meta-characters in the URL path.

AI-Powered Analysis

AI analysis last updated: 01/15/2026, 04:37:53 UTC

Technical Analysis

CVE-2026-21868 is a Regular Expression Denial of Service (ReDoS) vulnerability classified under CWE-1333, found in the FlagForgeCTF platform versions prior to 2.3.3. The vulnerability exists in the user profile API endpoint (/api/user/[username]) where the application dynamically constructs a regular expression from the username parameter without escaping regex meta-characters. This allows an attacker to submit specially crafted usernames containing complex or deeply nested regex constructs such as nested groups or quantifiers. When the backend MongoDB regex engine processes these malicious inputs, it experiences excessive CPU load due to the inefficient evaluation of the crafted regular expression. This resource exhaustion can degrade or completely deny service to legitimate users by overwhelming server processing capabilities. The vulnerability is remotely exploitable without requiring authentication or user interaction, increasing its risk profile. Although no known exploits are currently reported in the wild, the CVSS v3.1 score of 7.5 (high severity) reflects the potential for impactful denial of service attacks. The issue is resolved in FlagForgeCTF version 2.3.3. As an interim mitigation, deploying Web Application Firewall (WAF) rules to detect and block requests containing regex meta-characters in the URL path can prevent exploitation attempts. This vulnerability highlights the risks of unsafe dynamic regex construction from untrusted input, especially in web applications interfacing with regex-capable databases like MongoDB.
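The query-construction pattern described above, shown in its vulnerable and hardened forms. This is an added illustration, not FlagForge's own code: the handler shape (a Next.js-style route receiving the username path segment and calling a MongoDB-like findOne), the username policy, and the function names are assumptions, and the in-memory collection is a constructed stand-in.

```javascript
// Added example (not FlagForge's code): the lookup pattern CVE-2026-21868
// describes, before and after hardening. The username policy, the handler
// shape and all function names are assumptions for illustration.

// Hypothetical username policy: letters, digits, underscore, hyphen, 1-32 chars.
// Rejecting everything else up front means no regex meta-character reaches the
// query builder at all, whatever the query later looks like.
const USERNAME_POLICY = /^[A-Za-z0-9_-]{1,32}$/;

function isValidUsername(username) {
  return typeof username === 'string' && USERNAME_POLICY.test(username);
}

// Escape every ECMAScript regex meta-character so the input is matched literally.
function escapeRegex(input) {
  return input.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// BEFORE: the shape the advisory describes. The raw path segment becomes the
// pattern, so groups and quantifiers inside it are interpreted by the database
// regex engine instead of being matched as text.
function buildUnsafeQuery(username) {
  return { username: { $regex: username, $options: 'i' } };
}

// AFTER: validate, then anchor an escaped literal. The resulting pattern is a
// plain string match and cannot express nested quantifiers.
function buildSafeQuery(username) {
  if (!isValidUsername(username)) {
    throw new RangeError('username contains characters outside the allowed set');
  }
  return { username: { $regex: `^${escapeRegex(username)}$`, $options: 'i' } };
}

// Alternative when case-insensitivity is handled by the collection's collation:
// drop $regex entirely and use an equality match.
function buildEqualityQuery(username) {
  if (!isValidUsername(username)) {
    throw new RangeError('username contains characters outside the allowed set');
  }
  return { username: { $eq: username } };
}

// Handler-shaped wrapper: an invalid username is a 400 and never becomes a query.
function lookupUser(username, findOne) {
  let query;
  try {
    query = buildSafeQuery(username);
  } catch (err) {
    return { status: 400, body: { error: 'invalid username' } };
  }
  const user = findOne(query);
  return user
    ? { status: 200, body: user }
    : { status: 404, body: { error: 'not found' } };
}

// Constructed stand-in for a MongoDB collection: evaluates the anchored,
// case-insensitive $regex the way the server would for these inputs.
const SAMPLE_USERS = [{ username: 'alice' }, { username: 'Bob_2' }];

function sampleFindOne(query) {
  const { $regex, $options } = query.username;
  const re = new RegExp($regex, $options);
  return SAMPLE_USERS.find((u) => re.test(u.username)) || null;
}
```

The allowlist is the control that actually removes the ReDoS surface; escaping is kept as a second layer so the builder stays safe even if the policy is later loosened. Whichever query form is used, the path segment should never be passed to `$regex` unmodified.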

Potential Impact

For European organizations using FlagForgeCTF, particularly those involved in cybersecurity training, competitions, or educational programs, this vulnerability poses a significant risk of service disruption. An attacker exploiting this flaw can cause denial of service conditions by exhausting server CPU resources, leading to downtime or degraded performance of the CTF platform. This can interrupt training schedules, competitive events, or internal security exercises, potentially impacting organizational readiness and reputation. Since the vulnerability does not compromise confidentiality or integrity, the primary impact is availability. However, prolonged denial of service could indirectly affect operational continuity and user trust. Organizations relying on FlagForgeCTF as a critical component of their cybersecurity education or recruitment pipelines may face operational setbacks. Additionally, if the platform is exposed to the public internet without adequate protections, the risk of exploitation increases. The lack of authentication requirement for exploitation further amplifies the threat, making it accessible to remote attackers without credentials.

Mitigation Recommendations

1. Upgrade FlagForgeCTF instances to version 2.3.3 or later immediately to apply the official fix that properly escapes user input in regex construction.
2. Until patching is possible, implement Web Application Firewall (WAF) rules specifically designed to detect and block HTTP requests containing regex meta-characters (e.g., *, +, ?, {, }, (, ), [, ], |, ^, $, ., \) in the URL path, particularly targeting the /api/user/[username] endpoint.
3. Employ input validation and sanitization on the username parameter to reject or escape regex meta-characters before processing.
4. Monitor server CPU usage and application logs for unusual spikes or repeated requests containing suspicious patterns indicative of ReDoS attempts.
5. Restrict public access to the FlagForgeCTF platform where feasible, limiting exposure to trusted networks or VPNs.
6. Educate developers and administrators on the risks of dynamic regex construction from untrusted input and encourage secure coding practices.
7. Consider rate limiting or request throttling on the vulnerable API endpoint to reduce the impact of potential abuse.
8. Conduct regular security assessments and penetration tests focusing on input validation and denial of service vectors.
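A detection-side companion to recommendations 2 and 4 above: a check that applies the listed meta-character set to the decoded /api/user/ path segment, and a scan over access-log lines that counts how often each client trips it. This is an added example, not FlagForge's or any WAF vendor's code; the function names, the threshold, and the log lines (RFC 5737 documentation addresses, paths built for the example) are constructed.

```javascript
// Added example (not FlagForge's code): flag user-profile requests whose decoded
// path segment contains a regex meta-character, and count them per client.
// Names, threshold and the sample log lines are constructed for illustration.

const USER_ENDPOINT = '/api/user/';
// The meta-character set listed in the mitigation text.
const REGEX_META = /[*+?{}()[\]|^$.\\]/;

// Percent-decode a path segment; a malformed encoding is treated as suspicious
// (fail closed) rather than silently passed through.
function decodeSegment(segment) {
  try {
    return decodeURIComponent(segment);
  } catch (e) {
    return null;
  }
}

// True when the request targets the user profile endpoint and the decoded
// username segment contains a regex meta-character (or cannot be decoded).
function isSuspiciousUserLookup(path) {
  if (!path.startsWith(USER_ENDPOINT)) return false;
  const segment = path.slice(USER_ENDPOINT.length).split('?')[0];
  const decoded = decodeSegment(segment);
  return decoded === null || REGEX_META.test(decoded);
}

// Minimal parser for common/combined-format access log lines.
const LOG_LINE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})/;

function parseLogLine(line) {
  const m = LOG_LINE.exec(line);
  if (!m) return null;
  return { ip: m[1], time: m[2], method: m[3], path: m[4], status: Number(m[5]) };
}

// Scan lines, returning the flagged requests and a per-client count.
function scanAccessLog(lines) {
  const flagged = [];
  const perClient = {};
  for (const line of lines) {
    const entry = parseLogLine(line);
    if (!entry || !isSuspiciousUserLookup(entry.path)) continue;
    flagged.push(entry);
    perClient[entry.ip] = (perClient[entry.ip] || 0) + 1;
  }
  return { flagged, perClient };
}

// Clients that hit the endpoint with meta-characters at least `threshold` times.
function repeatOffenders(perClient, threshold) {
  return Object.keys(perClient).filter((ip) => perClient[ip] >= threshold).sort();
}

// Constructed sample: documentation addresses, paths invented for the example.
const SAMPLE_LOG = [
  '203.0.113.7 - - [08/Jan/2026:00:30:01 +0000] "GET /api/user/alice HTTP/1.1" 200 512',
  '203.0.113.7 - - [08/Jan/2026:00:30:02 +0000] "GET /api/user/a%2A%28b%29 HTTP/1.1" 200 14',
  '203.0.113.7 - - [08/Jan/2026:00:30:03 +0000] "GET /api/user/%5Bx%5D%2B HTTP/1.1" 200 14',
  '198.51.100.9 - - [08/Jan/2026:00:31:00 +0000] "GET /static/app.js HTTP/1.1" 200 90210',
  '198.51.100.9 - - [08/Jan/2026:00:31:05 +0000] "GET /api/user/bob%7C HTTP/1.1" 200 14',
  'not a log line at all',
];
```

Decoding before matching matters because a WAF rule that looks only at the raw path misses percent-encoded meta-characters. Check the platform's username policy before blocking `.` outright: it is in the advisory's list, but some deployments allow it in legitimate usernames, in which case the rule is better scoped to the remaining characters.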


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-01-05T16:44:16.368Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 695efc26e471bcf030c50479

Added to database: 1/8/2026, 12:36:54 AM

Last enriched: 1/15/2026, 4:37:53 AM

Last updated: 2/7/2026, 1:08:01 AM


