CVE-2026-8888: Securly Chrome Extension HTTP Regex DoS Vulnerability
The Securly Chrome Extension version 3.0.7 has a vulnerability that allows attackers on the network path between a user and Securly's servers to inject malicious patterns into configuration files. When the extension processes these patterns as regular expressions, it can trigger a computational flaw that freezes the browser during all web activity. This requires the attacker to be positioned to intercept traffic (such as on a shared network or through DNS hijacking) but does not require user interaction or authentication.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-1333, CWE-917
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-03 / 2026-06-17
NVD description (verbatim)
Version 3.0.7 of the Securly Chrome Extension downloads config.json over HTTP and compiles server-provided patterns as JavaScript regular expressions via new RegExp() without complexity validation. An on-path attacker can inject specific patterns to cause catastrophic backtracking, resulting in denial of service on all browsing.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-8888 involves insecure transport and unsafe regex compilation in Securly 3.0.7. The extension retrieves config.json over unencrypted HTTP, creating a window for man-in-the-middle injection. Server-provided regex patterns are compiled directly using the new RegExp() constructor without complexity analysis or safeguards against catastrophic backtracking. Adversaries can craft patterns exhibiting exponential time complexity on certain inputs, causing the JavaScript engine to consume CPU and block the browser event loop, effectively denying service across all browsing sessions until the extension is disabled or the browser restarted.
Business impact
For organizations deploying Securly as a security appliance, this vulnerability creates a denial-of-service risk that bypasses the protective intent of the tool. An attacker with network-level access can render employee browsers unusable, disrupting productivity and potentially forcing workarounds that weaken security posture. The attack surface includes shared Wi-Fi networks, compromised ISPs, or internal network segments if an attacker gains foothold. The HIGH severity rating reflects the ease of exploitation and broad impact, though active exploitation in the wild is not currently tracked.
Affected systems
Securly Chrome Extension version 3.0.7 is the confirmed affected version. Organizations using this version across their endpoint fleet are at risk. Users on version 3.0.6 or earlier, or versions after the patch (verify against Securly's security advisory for the fixed version number), are not vulnerable to this specific chain. Chrome browser users on Windows, macOS, and Linux are affected if running the vulnerable extension version.
Exploitability
Exploitability is high because: (1) HTTP config delivery means no man-in-the-middle authentication is required; (2) regex compilation is automatic and unauthenticated; (3) the attack requires only network-level positioning, achievable in many real-world scenarios; (4) no user interaction is needed. The primary barrier is presence on the network path, which limits opportunistic attacks but is realistic for targeted campaigns, ISP-level threats, or internal network compromise. The CVSS:3.1/AV:N/AC:L vector confirms network accessibility with low attack complexity.
Remediation
Immediate action: upgrade Securly to the patched version (consult Securly's advisory for the correct build number). Interim mitigation: enforce HTTPS inspection policies to detect and block unencrypted config downloads, or temporarily disable the extension pending patching. Longer term: audit other browser extensions in your environment for similar insecure HTTP usage and unsafe deserialization patterns.
Patch guidance
Contact Securly directly or visit their Chrome Web Store listing for the latest version. Verify the extension auto-updates or manually check Manage Extensions (chrome://extensions) to confirm the installed version. Organizations using managed Chrome policies should prioritize pushing the patched version through their deployment mechanism. Test the patch in a sandbox or limited pilot before broad rollout to confirm no regression in content filtering or reporting functionality.
Detection guidance
Monitor for: (1) network traffic from Chrome clients initiating HTTP connections to Securly config endpoints (DNS queries for config domains); (2) browser hang or CPU spike events correlating with Securly extension activity, especially if reproducible; (3) user reports of browser freezes that resolve after disabling Securly or restarting the browser. Endpoint telemetry tools can flag processes in a hung state with high CPU. Check for Securly version via Chrome policy reporting or browser inventory tools. Regex-triggered CPU exhaustion may appear as a browser process consuming 100% of a single CPU core for extended periods.
Why prioritize this
HIGH CVSS (7.5) score, combined with low attack complexity and network accessibility, places this in the upper priority tier. While not yet in active exploitation tracking (KEV status: false), the combination of trivial network positioning requirements and high user impact makes this attractive to threat actors. Organizations with Securly deployed at scale should patch within days, not weeks. Critical for environments with open or partially trusted networks where MITM risk is elevated.
Risk score, explained
The CVSS 3.1 score of 7.5 reflects: Attack Vector Network (AV:N) — exploitable remotely without physical access; Attack Complexity Low (AC:L) — no special preconditions or race conditions; Privileges Required None (PR:N) — unauthenticated; User Interaction None (UI:N) — attack succeeds without user action; Scope Unchanged (S:U) — impact limited to the vulnerable component; Availability Impact High (A:H) — complete browser availability loss. Confidentiality and Integrity are Not affected (C:N/I:N) because the attack is purely denial-of-service, not data theft or modification.
Frequently asked questions
Why is HTTP used for config delivery? Can't this be fixed server-side?
HTTP creates the vulnerability surface. Securly should enforce HTTPS for all config endpoints immediately. Organizations cannot fix this client-side; patching to a version that enforces HTTPS is required. Verify with Securly's advisory that the patched version uses HTTPS.
If I upgrade the extension, are my previous browsing patterns or policies lost?
Extension upgrades typically preserve user policies and browsing history stored locally. However, test in a non-critical environment first to confirm compatibility. If unsure, consult Securly documentation or support before rolling out to production endpoints.
Is there a temporary workaround if I can't patch immediately?
Disabling the extension eliminates the attack surface but removes web filtering. A better interim measure is network-level protection: block outbound HTTP (unencrypted) connections to known Securly config domains, forcing HTTPS only. Monitor for any service degradation. Aim to patch within 72 hours.
How would an attacker on my network actually inject this payload?
An attacker with network access (shared Wi-Fi, compromised router, or ISP-level position) intercepts HTTP traffic to Securly's config endpoint and modifies the JSON response, replacing legitimate regex patterns with malicious ones designed to cause backtracking. The browser extension then compiles and executes these patterns, triggering the freeze.
This analysis is based on the published CVE record and vendor advisory data as of June 2026. Security researchers and system administrators should verify patch version numbers and availability directly with Securly before deployment. No proof-of-concept or weaponized exploit code is provided herein. Organizations should test patches in a controlled environment before broad rollout. This document does not constitute security advice for specific environments; consult your security team and Securly support for compliance and operational questions. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10291MEDIUMReDoS in Enderfga claw-orchestrator validateRegex—Security Update
- CVE-2026-10691MEDIUMReDoS Vulnerability in DesktopCommanderMCP Search Manager
- CVE-2026-10692MEDIUMReDoS Vulnerability in code-index-mcp Up to 2.14.0 – Patch Available
- CVE-2026-44796MEDIUMNautobot Denial of Service via ReDoS in Bulk-Rename Endpoints
- CVE-2026-8874HIGHSecurly Chrome Extension Cleartext Configuration Download Vulnerability
- CVE-2026-8876HIGHHardcoded AES Keys in Securly Chrome Extension 3.0.7
- CVE-2026-8878HIGHSecurly Chrome Extension 3.0.7 Exposes Password Hashes via Weak Encryption
- CVE-2026-8879HIGHSecurly Chrome Extension 3.0.7 Availability Denial – Blank Page on Service Outage