CVE-2022-24713
published 2022-03-08CVE-2022-24713: regex is an implementation of regular expressions for the Rust language. The regex crate features built-in mitigations to prevent denial of service attacks…
PriorityP349high7.5CVSS 3.1
AVNACLPRNUINSUCNINAH
EPSS
14.46%
96.2th percentile
regex is an implementation of regular expressions for the Rust language. The regex crate features built-in mitigations to prevent denial of service attacks caused by untrusted regexes, or untrusted input matched by trusted regexes. Those (tunable) mitigations already provide sane defaults to prevent attacks. This guarantee is documented and it's considered part of the crate's API. Unfortunately a bug was discovered in the mitigations designed to prevent untrusted regexes to take an arbitrary amount of time during parsing, and it's possible to craft regexes that bypass such mitigations. This makes it possible to perform denial of service attacks by sending specially crafted regexes to services accepting user-controlled, untrusted regexes. All versions of the regex crate before or equal to 1.5.4 are affected by this issue. The fix is include starting from regex 1.5.5. All users accepting user-controlled regexes are recommended to upgrade immediately to the latest version of the regex crate. Unfortunately there is no fixed set of problematic regexes, as there are practically infinite regexes that could be crafted to exploit this vulnerability. Because of this, it us not recommend to deny known problematic regexes.
Affected
29 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | firefox | < firefox 99.0-1 (sid) | firefox 99.0-1 (sid) |
| debian | firefox-esr | < firefox 99.0-1 (sid) | firefox 99.0-1 (sid) |
| debian | rust-regex | < firefox 99.0-1 (sid) | firefox 99.0-1 (sid) |
| debian | thunderbird | < firefox 99.0-1 (sid) | firefox 99.0-1 (sid) |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| mozilla | firefox | — | — |
| mozilla | firefox | >= 0 < 99.0+build2-0ubuntu0.18.04.2 | 99.0+build2-0ubuntu0.18.04.2 |
| mozilla | firefox | >= 0 < 99.0+build2-0ubuntu0.20.04.2 | 99.0+build2-0ubuntu0.20.04.2 |
| mozilla | thunderbird | >= 0 < 1:91.8.0-1~deb11u1 | 1:91.8.0-1~deb11u1 |
| mozilla | thunderbird | >= 0 < 1:91.8.0-1 | 1:91.8.0-1 |
| mozilla | thunderbird | >= 0 < 1:91.8.0-1 | 1:91.8.0-1 |
| mozilla | thunderbird | >= 0 < 1:91.8.0-1 | 1:91.8.0-1 |
| msrc | azl3_librsvg2_2.50.3-4_on_azure_linux_3.0 | — | — |
| msrc | azl3_librsvg2_2.58.1-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_rpm-ostree_2022.1-7_on_azure_linux_3.0 | — | — |
| msrc | azl3_rpm-ostree_2024.4-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_rust_1.75.0-14_on_azure_linux_3.0 | — | — |
| msrc | azl3_rust_1.86.0-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_rust_regex-1.8.4_on_azure_linux_3.0 | — | — |
| msrc | azure_linux_3.0_arm | — | — |
CVSS provenance
nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
nvdv2.05.0MEDIUMAV:N/AC:L/Au:N/C:N/I:N/A:P
ghsa7.5HIGH
osv7.5HIGH
vendor_debian7.5HIGH
vendor_msrc7.5HIGH
vendor_redhat7.5HIGH
vendor_ubuntu6.5MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
firefox vulnerabilities
osv·2022-04-07·CVSS 6.5
CVE-2022-1097 [MEDIUM] firefox vulnerabilities
firefox vulnerabilities
Multiple security issues were discovered in Firefox. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service, execute script
unexpectedly, obtain sensitive information, conduct spoofing attacks,
or execute arbitrary code. (CVE-2022-1097, CVE-2022-24713, CVE-2022-28281,
CVE-2022-28282, CVE-2022-28284, CVE-2022-28285, CVE-2022-28286,
CVE-2022-28288, CVE-2022-28289)
A security issue was discovered with the sourceMapURL feature of devtools.
An attacker could potentially exploit this to include local files that
should have been inaccessible. (CVE-2022-28283)
It was discovered that selecting text caused Firefox to crash in some
circumstances. An attacker could potentially exploit this to
OSV
CVE-2022-24713: regex is an implementation of regular expressions for the Rust language
osv·2022-03-08·CVSS 7.5
CVE-2022-24713 [HIGH] CVE-2022-24713: regex is an implementation of regular expressions for the Rust language
regex is an implementation of regular expressions for the Rust language. The regex crate features built-in mitigations to prevent denial of service attacks caused by untrusted regexes, or untrusted input matched by trusted regexes. Those (tunable) mitigations already provide sane defaults to prevent attacks. This guarantee is documented and it's considered part of the crate's API. Unfortunately a bug was discovered in the mitigations designed to prevent untrusted regexes to take an arbitrary amount of time during parsing, and it's possible to craft regexes that bypass such mitigations. This makes it possible to perform denial of service attacks by sending specially crafted regexes to services accepting user-controlled, untrusted regexes. All versions of the regex crate before or equal to 1
OSV
Regexes with large repetitions on empty sub-expressions take a very long time to parse
osv·2022-03-08·CVSS 7.5
CVE-2022-24713 [HIGH] Regexes with large repetitions on empty sub-expressions take a very long time to parse
Regexes with large repetitions on empty sub-expressions take a very long time to parse
The Rust Security Response WG was notified that the `regex` crate did not
properly limit the complexity of the regular expressions (regex) it parses. An
attacker could use this security issue to perform a denial of service, by
sending a specially crafted regex to a service accepting untrusted regexes. No
known vulnerability is present when parsing untrusted input with trusted
regexes.
This issue has been assigned CVE-2022-24713. The severity of this vulnerability
is "high" when the `regex` crate is used to parse untrusted regexes. Other uses
of the `regex` crate are not affected by this vulnerability.
## Overview
The `regex` crate features built-in mitigations to prevent denial of service
attacks cau
GHSA
Rust's regex crate vulnerable to regular expression denial of service
ghsa·2022-03-08·CVSS 7.5
CVE-2022-24713 [HIGH] CWE-1333 Rust's regex crate vulnerable to regular expression denial of service
Rust's regex crate vulnerable to regular expression denial of service
> This is a cross-post of [the official security advisory][advisory]. The official advisory contains a signed version with our PGP key, as well.
[advisory]: https://groups.google.com/g/rustlang-security-announcements/c/NcNNL1Jq7Yw
The Rust Security Response WG was notified that the `regex` crate did not properly limit the complexity of the regular expressions (regex) it parses. An attacker could use this security issue to perform a denial of service, by sending a specially crafted regex to a service accepting untrusted regexes. No known vulnerability is present when parsing untrusted input with trusted regexes.
This issue has been assigned CVE-2022-24713. The severity of this vulnerability is "high" when the `regex`
OSV
Rust's regex crate vulnerable to regular expression denial of service
osv·2022-03-08·CVSS 7.5
CVE-2022-24713 [HIGH] Rust's regex crate vulnerable to regular expression denial of service
Rust's regex crate vulnerable to regular expression denial of service
> This is a cross-post of [the official security advisory][advisory]. The official advisory contains a signed version with our PGP key, as well.
[advisory]: https://groups.google.com/g/rustlang-security-announcements/c/NcNNL1Jq7Yw
The Rust Security Response WG was notified that the `regex` crate did not properly limit the complexity of the regular expressions (regex) it parses. An attacker could use this security issue to perform a denial of service, by sending a specially crafted regex to a service accepting untrusted regexes. No known vulnerability is present when parsing untrusted input with trusted regexes.
This issue has been assigned CVE-2022-24713. The severity of this vulnerability is "high" when the `regex`
Ubuntu
rust-regex vulnerability
vendor_ubuntu·2022-09-14
CVE-2022-24713 rust-regex vulnerability
Title: rust-regex vulnerability
Summary: rust-regex could be made to crash if it received specially crafted
input.
Addison Crump discovered that rust-regex did not properly limit
the complexity of the regular expressions (regex) it parses.
An attacker could possibly use this issue to cause a denial of
service.
Instructions: In general, a standard system update will make all the necessary changes.
Ubuntu
Firefox vulnerabilities
vendor_ubuntu·2022-04-07·CVSS 6.5
CVE-2022-1097 [MEDIUM] Firefox vulnerabilities
Title: Firefox vulnerabilities
Summary: Firefox could be made to crash or run programs as your login if it
opened a malicious website.
Multiple security issues were discovered in Firefox. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service, execute script
unexpectedly, obtain sensitive information, conduct spoofing attacks,
or execute arbitrary code. (CVE-2022-1097, CVE-2022-24713, CVE-2022-28281,
CVE-2022-28282, CVE-2022-28284, CVE-2022-28285, CVE-2022-28286,
CVE-2022-28288, CVE-2022-28289)
A security issue was discovered with the sourceMapURL feature of devtools.
An attacker could potentially exploit this to include local files that
should have been inaccessible. (CVE-2022-28283)
It was discovered t
Red Hat
Mozilla: Denial of Service via complex regular expressions
vendor_redhat·2022-04-05·CVSS 7.5
CVE-2022-24713 [HIGH] CWE-400 Mozilla: Denial of Service via complex regular expressions
Mozilla: Denial of Service via complex regular expressions
regex is an implementation of regular expressions for the Rust language. The regex crate features built-in mitigations to prevent denial of service attacks caused by untrusted regexes, or untrusted input matched by trusted regexes. Those (tunable) mitigations already provide sane defaults to prevent attacks. This guarantee is documented and it's considered part of the crate's API. Unfortunately a bug was discovered in the mitigations designed to prevent untrusted regexes to take an arbitrary amount of time during parsing, and it's possible to craft regexes that bypass such mitigations. This makes it possible to perform denial of service attacks by sending specially crafted regexes to services accepting user-controlled, untrusted r
Microsoft
Regular expression denial of service in Rust's regex crate
vendor_msrc·2022-03-08·CVSS 7.5
CVE-2022-24713 [HIGH] CWE-1333 Regular expression denial of service in Rust's regex crate
Regular expression denial of service in Rust's regex crate
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner: Mariner
GitHub_M: GitHub_M
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Reference: http
Debian
CVE-2022-24713: firefox - regex is an implementation of regular expressions for the Rust language. The reg...
vendor_debian·2022·CVSS 7.5
CVE-2022-24713 [HIGH] CVE-2022-24713: firefox - regex is an implementation of regular expressions for the Rust language. The reg...
regex is an implementation of regular expressions for the Rust language. The regex crate features built-in mitigations to prevent denial of service attacks caused by untrusted regexes, or untrusted input matched by trusted regexes. Those (tunable) mitigations already provide sane defaults to prevent attacks. This guarantee is documented and it's considered part of the crate's API. Unfortunately a bug was discovered in the mitigations designed to prevent untrusted regexes to take an arbitrary amount of time during parsing, and it's possible to craft regexes that bypass such mitigations. This makes it possible to perform denial of service attacks by sending specially crafted regexes to services accepting user-controlled, untrusted regexes. All versions of the regex crate before or equal to 1
Mozilla
Mozilla Foundation Security Advisory 2022-15: CVE-2022-24713
vendor_mozilla·CVSS 7.5
CVE-2022-24713 [HIGH] Mozilla Foundation Security Advisory 2022-15: CVE-2022-24713
Mozilla Foundation Security Advisory 2022-15
CVE: CVE-2022-24713
Product: Thunderbird
Impact: high
Fixed in: Thunderbird 91.8
Mozilla
Mozilla Foundation Security Advisory 2022-14: CVE-2022-24713
vendor_mozilla·CVSS 7.5
CVE-2022-24713 [HIGH] Mozilla Foundation Security Advisory 2022-14: CVE-2022-24713
Mozilla Foundation Security Advisory 2022-14
CVE: CVE-2022-24713
Product: Firefox ESR
Impact: high
Fixed in: Firefox ESR 91.8
Mozilla
Mozilla Foundation Security Advisory 2022-13: CVE-2022-24713
vendor_mozilla·CVSS 7.5
CVE-2022-24713 [HIGH] Mozilla Foundation Security Advisory 2022-13: CVE-2022-24713
Mozilla Foundation Security Advisory 2022-13
CVE: CVE-2022-24713
Product: Firefox
Impact: moderate
Fixed in: Firefox 99
No detection rules found.
No public exploits indexed.
HackerOne
Regexes with large repetitions on empty sub-expressions take a very long time to parse
hackerone·2022-03-22·CVSS 7.5
[HIGH] Regexes with large repetitions on empty sub-expressions take a very long time to parse
Regexes with large repetitions on empty sub-expressions take a very long time to parse
Rust's regex crate guarantees a linear time complexity with regex length for compilation of untrusted regexes. However, existing mitigations for known malicious regexes are based on memory usage and, as such, do not mitigate repetitions of empty sub-expressions. For example, the following payload triggers such an issue:
```re
(?:){4294967295}
```
This will cause the regex compiler to attempt to create 4294967295 instances of an empty sub-expression, which will ultimately allocate zero bytes and therefore bypass existing memory-based mitigations. This can be further weaponised to create an exponential time complexity with regex length by using repetitions of repetitions, e.g.:
```re
(?:){64}{64}{64}{6
Bugzilla
Update regex crate in-tree to 1.5.5
bugzilla·2022-03-08·CVSS 7.5
CVE-2022-24713 [HIGH] Update regex crate in-tree to 1.5.5
Update regex crate in-tree to 1.5.5
As per https://blog.rust-lang.org/2022/03/08/cve-2022-24713.html (CVE-2022-24713) the regex crate is vulnerable to DoS attacks as it didn't properly limit the complexity of expressions it parses.
This is fixed in 1.5.5.
I don't know where and how we use the crate in Gecko.
Cargo.toml in tree: https://searchfox.org/mozilla-central/rev/15f12b0c6c56b449304f6cb1f84ac4df84dc936a/third_party/rust/regex/Cargo.toml#16
Discussion:
Created attachment 9266858
Bug 1758509 - Update regex crate to 1.5.5 r?emilio,glandium
---
Update regex crate to 1.5.5 r=emilio
https://hg.mozilla.org/integration/autoland/rev/ba7c9ff2d0b2750a14ec3a60118a6a0e82e799ae
https://hg.mozilla.org/mozilla-central/rev/ba7c9ff2d0b2
---
Not sure we really *need* to backport this if it's
https://github.com/rust-lang/regex/commit/ae70b41d4f46641dbc45c7a4f87954aea356283ehttps://github.com/rust-lang/regex/security/advisories/GHSA-m5pq-gvj9-9vr8https://groups.google.com/g/rustlang-security-announcements/c/NcNNL1Jq7Ywhttps://lists.debian.org/debian-lts-announce/2022/04/msg00003.htmlhttps://lists.debian.org/debian-lts-announce/2022/04/msg00009.htmlhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JANLZ3JXWJR7FSHE57K66UIZUIJZI67T/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O3YB7CURSG64CIPCDPNMGPE4UU24AB6H/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PDOWTHNVGBOP2HN27PUFIGRYNSNDTYRJ/https://security.gentoo.org/glsa/202208-08https://security.gentoo.org/glsa/202208-14https://www.debian.org/security/2022/dsa-5113https://www.debian.org/security/2022/dsa-5118https://github.com/rust-lang/regex/commit/ae70b41d4f46641dbc45c7a4f87954aea356283ehttps://github.com/rust-lang/regex/security/advisories/GHSA-m5pq-gvj9-9vr8https://groups.google.com/g/rustlang-security-announcements/c/NcNNL1Jq7Ywhttps://lists.debian.org/debian-lts-announce/2022/04/msg00003.htmlhttps://lists.debian.org/debian-lts-announce/2022/04/msg00009.htmlhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JANLZ3JXWJR7FSHE57K66UIZUIJZI67T/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O3YB7CURSG64CIPCDPNMGPE4UU24AB6H/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PDOWTHNVGBOP2HN27PUFIGRYNSNDTYRJ/https://security.gentoo.org/glsa/202208-08https://security.gentoo.org/glsa/202208-14https://www.debian.org/security/2022/dsa-5113https://www.debian.org/security/2022/dsa-5118
2022-03-08
Published