CVE-2022-24713 — Uncontrolled Resource Consumption in Regex

CWE-400 — Uncontrolled Resource Consumption CWE-1333 — Regex Denial of Service16 documents10 sources

Severity

7.5HIGHNVD

OSV6.5

EPSS

10.9%

top 6.58%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Thunderbird Rust-lang Regex Mozilla Firefox +15 more

Timeline

PublishedMar 8

Latest updateSep 14

Description

regex is an implementation of regular expressions for the Rust language. The regex crate features built-in mitigations to prevent denial of service attacks caused by untrusted regexes, or untrusted input matched by trusted regexes. Those (tunable) mitigations already provide sane defaults to prevent attacks. This guarantee is documented and it's considered part of the crate's API. Unfortunately a bug was discovered in the mitigations designed to prevent untrusted regexes to take an arbitrary amo…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages18 packages

▶NVDrust-lang/regex< 1.5.5

▶crates.iorust-lang/regex0.0.0-0 — 1.5.5+1

▶debiandebian/rust-regex< firefox 99.0-1 (sid)

▶msrcmsrc/azl3_rust_regex-1.8.4_on_azure_linux_3.0

▶msrcmsrc/azl3_rust_1.86.0-1_on_azure_linux_3.0

Also affects: Debian Linux 10.0, 11.0, 9.0, Fedora 34, 35, 36

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

firefox vulnerabilities↗2022-04-07

▶

OSV

CVE-2022-24713: regex is an implementation of regular expressions for the Rust language↗2022-03-08

▶

OSV

Regexes with large repetitions on empty sub-expressions take a very long time to parse↗2022-03-08

▶

GHSA

Rust's regex crate vulnerable to regular expression denial of service↗2022-03-08

▶

OSV

Rust's regex crate vulnerable to regular expression denial of service↗2022-03-08

▶

📋Vendor Advisories

Ubuntu

rust-regex vulnerability↗2022-09-14

▶

Ubuntu

Firefox vulnerabilities↗2022-04-07

▶

Red Hat

Mozilla: Denial of Service via complex regular expressions↗2022-04-05

▶

Microsoft

Regular expression denial of service in Rust's regex crate↗2022-03-08

▶

Debian

CVE-2022-24713: firefox - regex is an implementation of regular expressions for the Rust language. The reg...↗2022

▶

💬Community

HackerOne

Regexes with large repetitions on empty sub-expressions take a very long time to parse↗2022-03-22

▶

Bugzilla

Update regex crate in-tree to 1.5.5↗2022-03-08

▶