CVE-2026-21868: CWE-1333: Inefficient Regular Expression Complexity in FlagForgeCTF flagForge
Flag Forge is a Capture The Flag (CTF) platform. Versions 2.3.2 and below have a Regular Expression Denial of Service (ReDoS) vulnerability in the user profile API endpoint (/api/user/[username]). The application constructs a regular expression dynamically using unescaped user input (the username parameter). An attacker can exploit this by sending a specially crafted username containing regex meta-characters (e.g., deeply nested groups or quantifiers), causing the MongoDB regex engine to consume excessive CPU resources. This can lead to Denial of Service for other users. The issue is fixed in version 2.3.3. To work around this issue, implement a Web Application Firewall (WAF) rule to block requests containing regex meta-characters in the URL path.
AI Analysis
Technical Summary
CVE-2026-21868 is a Regular Expression Denial of Service (ReDoS) vulnerability, classified under CWE-1333 (Inefficient Regular Expression Complexity), in FlagForgeCTF, a Capture The Flag platform used for cybersecurity competitions and training. Versions 2.3.2 and below are affected; the flaw resides in the user profile API endpoint (/api/user/[username]). The application interpolates the username path parameter into a regular expression without escaping regex meta-characters, and that pattern is then evaluated by MongoDB's regex engine, which is a backtracking engine (PCRE). An attacker can supply a "username" built from nested groups and quantifiers that trigger catastrophic backtracking, so each request consumes excessive CPU in the database process; a modest number of such requests degrades or halts the platform for legitimate users. The attack is remote and needs neither authentication nor user interaction. No exploits are known in the wild at the time of writing; the CVSS 3.1 base score of 7.5 (High) reflects the availability impact. The issue is resolved in FlagForgeCTF 2.3.3. Until patched, a WAF rule that blocks regex meta-characters in the URL path is a reasonable stopgap, with two caveats: the rule must be evaluated on the percent-decoded path, since the segment normally arrives URL-encoded, and it does not remove the root cause. The underlying lesson is that untrusted input must never be spliced into a regex without escaping; for an exact username lookup, an equality query (with a normalized field or a case-insensitive collation where needed) avoids regex evaluation entirely.
Potential Impact
For European organizations running FlagForgeCTF 2.3.2 or below, the main risk is service disruption. CTF platforms are used by universities, training centres and security teams for skills development and competitions, and an attacker who exploits this flaw can take the platform offline during a scheduled event, disrupting training, invalidating competition timing and damaging the reputation of the hosting organization. Because the endpoint is reachable without authentication, any internet-exposed instance is a target, and a sustained attack carries indirect costs in lost time and staff effort. The vulnerability does not affect confidentiality or integrity; its impact is confined to availability, which for a timed competition is the property that matters most. Organizations using FlagForgeCTF for internal or public-facing exercises should prioritize patching or mitigation.
Mitigation Recommendations
1. Upgrade FlagForgeCTF to version 2.3.3 or later, which resolves the unescaped regex construction in the user profile endpoint.
2. Until patching is possible, deploy a WAF rule for /api/user/[username] that rejects requests whose path segment contains regex meta-characters such as (, ), [, ], {, }, *, +, ?, |, ^, $ and \. Apply the rule to the percent-decoded path: a payload such as (a+)+$ arrives encoded as %28a%2B%29%2B%24 and contains none of those characters in raw form. Expect some false positives if legitimate usernames contain any of them.
3. At the application layer, validate usernames against an allow-list (for example, a bounded length of alphanumerics, underscore and hyphen) and escape any value that is still interpolated into a regex. For an exact username lookup, an equality query, with a normalized lowercase field or a case-insensitive collation if needed, avoids regex evaluation altogether.
4. Monitor for exploitation: sustained CPU on the mongod process, long-running $regex operations visible in db.currentOp() or the profiler, and repeated requests to the endpoint with meta-characters in the path.
5. Rate-limit the endpoint per client so that a single attacker cannot queue many expensive queries at once.
6. Brief developers and administrators on dynamic regex construction and ReDoS, including the rule that user input is never spliced into a pattern unescaped.
7. Where feasible, run the service under CPU and memory limits (container quotas) and set maxTimeMS on the database queries; a single pathological regex match may still run to completion before the server checks the deadline, so this bounds the damage rather than preventing it.
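As an added example (not flagForge's own code, which is not reproduced on this page), the following JavaScript shows the unsafe query shape the advisory describes next to the hardened form, together with the allow-list validation and the percent-decoded WAF check from the mitigation list. The route shape, the sample user records and the permitted username character set are assumptions; the MongoDB collection is replaced by an in-memory array evaluated with JavaScript's RegExp, whose escaping requirements are the same as PCRE's for this purpose.

```javascript
// Added example for this advisory, not flagForge's own code. The users
// collection is an in-memory array and MongoDB's regex evaluation is stood
// in for by JavaScript's RegExp; the username rules are assumptions.

// Constructed sample data standing in for the users collection.
const USERS = [
  { username: "alice" },
  { username: "Bob" },
  { username: "a.*" }, // odd but legal name containing regex meta-characters
];

// Escape every character with special meaning in a regex so that the input
// is matched literally. Covers the advisory's list plus '.'.
function escapeRegex(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// VULNERABLE shape the advisory describes: the raw path segment becomes the
// regex body. "(a+)+$" is run as a pattern with nested quantifiers, and
// "a.*" is treated as a wildcard rather than as a name.
function unsafeUserQuery(username) {
  return { username: { $regex: `^${username}$`, $options: "i" } };
}

// HARDENED: escape first, so the pattern can only match the literal name.
function safeUserQuery(username) {
  return { username: { $regex: `^${escapeRegex(username)}$`, $options: "i" } };
}

// Allow-list validation for the route parameter (assumed character set).
// Decoding first means an encoded payload cannot slip past the check.
function isValidUsername(raw) {
  let decoded;
  try { decoded = decodeURIComponent(raw); } catch { return false; }
  return /^[A-Za-z0-9_-]{1,32}$/.test(decoded);
}

// WAF-style deny-list from the advisory's workaround, applied to the decoded
// /api/user/<segment>. Decoding matters: "(a+)+$" travels in a URL as
// "%28a%2B%29%2B%24", which contains none of the listed characters.
const REGEX_META = /[()[\]{}*+?|^$\\]/;
function wafBlocks(path) {
  const m = path.match(/^\/api\/user\/([^/?#]+)/);
  if (!m) return false; // rule only covers this endpoint
  let seg;
  try { seg = decodeURIComponent(m[1]); } catch { return true; } // malformed encoding: block
  return REGEX_META.test(seg);
}

// Stand-in for the driver: run a {$regex, $options} filter over USERS.
function findUsers(query) {
  const { $regex, $options } = query.username;
  const re = new RegExp($regex, $options);
  return USERS.filter((u) => re.test(u.username)).map((u) => u.username);
}

// Stand-in for GET /api/user/[username]: validate, then query with the safe form.
function handleProfileRequest(rawSegment) {
  if (!isValidUsername(rawSegment)) return { status: 400, body: "invalid username" };
  const hits = findUsers(safeUserQuery(decodeURIComponent(rawSegment)));
  return hits.length ? { status: 200, body: hits[0] } : { status: 404, body: "not found" };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(findUsers(unsafeUserQuery("a.*")));        // [ 'alice', 'a.*' ]: wildcard match
  console.log(findUsers(safeUserQuery("a.*")));          // [ 'a.*' ]: literal match
  console.log(wafBlocks("/api/user/%28a%2B%29%2B%24"));  // true
  console.log(handleProfileRequest("ALICE"));            // { status: 200, body: 'alice' }
}
```

The WAF function is a deny-list and the route validator is an allow-list; the former is the stopgap the advisory names, the latter is what the application should enforce regardless of the WAF. If the regex exists only to make the lookup case-insensitive, storing a lowercased copy of the username and querying it with plain equality removes the regex, and the ReDoS exposure, altogether.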
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-01-05T16:44:16.368Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 695efc26e471bcf030c50479
Added to database: 1/8/2026, 12:36:54 AM
Last enriched: 1/8/2026, 12:45:38 AM
Last updated: 1/9/2026, 3:27:03 AM
Views: 24
Related Threats
CVE-2025-66315: CWE-269 Improper Privilege Management in ZTE MF258K (Medium)
CVE-2026-22714: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in The Wikimedia Foundation Mediawiki - Monaco Skin (Low)
CVE-2026-22710: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in The Wikimedia Foundation Mediawiki - Wikibase Extension (Low)
CVE-2026-0733: SQL Injection in PHPGurukul Online Course Registration System (Medium)
CVE-2026-0732: Command Injection in D-Link DI-8200G (Medium)