CVE-2026-22809

The Infinite Loop in Your Cookie Jar: Analyzing CVE-2026-22809

Alon Barad
Software Engineer

Jan 14, 2026

Executive Summary (TL;DR)

Tarteaucitron.js < 1.29.0 contains a ReDoS vulnerability in its Issuu service integration. The unanchored, greedy pattern `/d=(.*)&u=(.*)/` lets whoever controls the matched string force super-linear (quadratic) backtracking: because the pattern is not anchored, the engine retries from every candidate start position, and each retry lets `.*` swallow the rest of the string and hand it back one character at a time while looking for `&u=`. A long crafted value therefore makes a single match expensive enough to block the browser's main thread, a Denial of Service. The fix in 1.29.0 anchors the regex and removes the greedy `.*` capture groups, though the remediation strategy introduces a potential secondary XSS risk.

A deep dive into a Regular Expression Denial of Service (ReDoS) vulnerability in tarteaucitron.js, a popular cookie consent manager. The flaw allows malicious configuration strings to trigger catastrophic backtracking, potentially freezing the end-user's browser.
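As an added example (not code from tarteaucitron.js or its maintainers), the following JavaScript puts the advisory's pattern next to one hardened form and uses a small instrumented backtracking matcher to count the work each pattern does on a constructed hostile input. The hardened regex `/^d=([^&]*)&u=([^&]*)$/`, the `parseIssuuParams` helper and the step-counting model are assumptions made here for illustration; the hardened form is not necessarily the upstream patch, and a real engine's exact step counts differ, but the growth rates (quadratic versus linear) are what the example is meant to show.

```javascript
// Added example (not tarteaucitron.js's own code): the vulnerable pattern beside
// one hardened form, plus a tiny instrumented backtracking matcher that counts
// steps so the quadratic blow-up shows without timing noise.

// The pattern from the advisory, and an assumed hardened form (anchored, and
// `.*` replaced by `[^&]*` so no capture can run past the next `&`).
// The assumed form is for illustration; it is not necessarily the upstream patch.
const vulnerableRe = /d=(.*)&u=(.*)/;
const hardenedRe = /^d=([^&]*)&u=([^&]*)$/;

// Extract the two parameters the integration reads; null when there is no match.
// (Hypothetical helper; the library's own parsing code is not on this page.)
function parseIssuuParams(re, value) {
  const m = re.exec(value);
  return m ? { d: m[1], u: m[2] } : null;
}

// Constructed attacker input: `d=` repeated, never followed by `&u=`, so the
// unanchored regex retries from every `d=` and each retry scans to the end.
function craftedInput(n) {
  return "d=".repeat(n);
}

// --- Instrumented matcher for the subset used above: literals and greedy stars ---
const lit = (ch) => ({ type: "lit", ch });
const dotStar = () => ({ type: "star", pred: (c) => c !== "\n" });          // `.*`
const negStar = (bad) => ({ type: "star", pred: (c) => !bad.includes(c) }); // `[^bad]*`

// anchored: true models `^...$`; false models a bare regex, which the engine
// retries from every start index until it finds a match.
const VULNERABLE = {
  anchored: false,
  tokens: [lit("d"), lit("="), dotStar(), lit("&"), lit("u"), lit("="), dotStar()],
};
const HARDENED = {
  anchored: true,
  tokens: [lit("d"), lit("="), negStar("&"), lit("&"), lit("u"), lit("="), negStar("&")],
};

// Returns { matched, steps }, where steps counts every matcher invocation,
// i.e. every literal test and every position a star gives back.
function countSteps(pattern, input) {
  let steps = 0;
  const { tokens, anchored } = pattern;

  // Try to match tokens[ti..] at input[si..]; returns the end index or -1.
  function match(ti, si) {
    steps++;
    if (ti === tokens.length) {
      return anchored && si !== input.length ? -1 : si; // `$` only when anchored
    }
    const tok = tokens[ti];
    if (tok.type === "lit") {
      return input[si] === tok.ch ? match(ti + 1, si + 1) : -1;
    }
    // Greedy star: take everything the predicate allows, then give back one
    // character per retry. This loop is where catastrophic backtracking lives.
    let k = 0;
    while (si + k < input.length && tok.pred(input[si + k])) k++;
    for (; k >= 0; k--) {
      const end = match(ti + 1, si + k);
      if (end >= 0) return end;
    }
    return -1;
  }

  const lastStart = anchored ? 0 : input.length;
  for (let s = 0; s <= lastStart; s++) {
    if (match(0, s) >= 0) return { matched: true, steps };
  }
  return { matched: false, steps };
}

// Benign value: both forms agree.
console.log(parseIssuuParams(vulnerableRe, "d=mydoc&u=someuser"));
console.log(parseIssuuParams(hardenedRe, "d=mydoc&u=someuser"));
// Hostile value: steps grow as n^2 + 4n + 1 for the vulnerable pattern in this
// model, and as 2n + 2 for the hardened one.
for (const n of [100, 200, 400]) {
  const input = craftedInput(n);
  console.log(n, countSteps(VULNERABLE, input).steps, countSteps(HARDENED, input).steps);
}
// To feel it in a real engine, time vulnerableRe.test(craftedInput(50000)) against
// hardenedRe.test(craftedInput(50000)) in a browser console or Node.
```

Two things a practitioner should check before adopting a hardened form like this. First, it is stricter than the original: `"d=a&u=b&u=c"` yields `d = "a&u=b"` under the greedy pattern but is rejected outright by the anchored one, so any caller relying on the old lenient behaviour needs a look. Second, a tighter regex only bounds matching time; whatever it captures is still attacker-influenced text and must be treated as untrusted when it is placed into a URL or the DOM (URL-encode it, set attributes rather than building HTML), which is the secondary XSS concern the summary raises.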


Technical Appendix

CVSS Score
4.4 / 10
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

Affected Systems

tarteaucitron.js < 1.29.0

Affected Versions Detail

Product                      Affected Versions   Fixed Version
tarteaucitron.js (AmauriC)   < 1.29.0            1.29.0
Attribute        Detail
CWE ID           CWE-1333 (ReDoS)
CVSS v3.1        4.4 (Medium)
Attack Vector    Local / Config-based
Impact           High Availability (Browser Hang)
Exploit Status   PoC Available
Patch Commit     f0bbdac2fdf3cd24a325fc0928c0d34abf1b7b52
CWE-1333
Inefficient Regular Expression Complexity

The software uses a regular expression whose worst-case matching time is super-linear (possibly exponential) in the input length, so a crafted input consumes excessive CPU time and causes a denial of service.

Vulnerability Timeline

Patch Committed (v1.29.0)
2026-01-12
GitHub Advisory Published
2026-01-13
CVE Assigned
2026-01-13