CVE-2022-41715: Standard Library Regexp Syntax vulnerability

10 documents, 8 sources

Severity: 7.5 HIGH (NVD)
EPSS: 0.0% (top 96.23%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Oct 14; latest update Apr 25

Description

Programs that compile regular expressions from untrusted sources may be vulnerable to memory exhaustion or denial of service. The parsed regexp representation is linear in the size of the input, but in some cases the constant factor can be as high as 40,000, so relatively small regexps can consume much larger amounts of memory. After the fix, each regexp being parsed is limited to a 256 MB memory footprint; regular expressions whose representation would use more space than that are rejected. Normal

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: 3.9 | Impact: 3.6

Affected Packages (2 packages)

Source | Package | Versions
CVEListV5 | go_standard_library/regexp_syntax | 1.19.0-0, 1.19.2 (+1)
NVD | golang/go | 1.19.0, 1.19.2 (+1)

Patches

Vulnerability Details (5)

OSV: golang-1.18 vulnerabilities (2023-04-25)
CVEList: Memory exhaustion when compiling regular expressions in regexp/syntax (2022-10-14)
OSV: CVE-2022-41715: Programs which compile regular expressions from untrusted sources may be vulnerable to memory exhaustion or denial of service (2022-10-14)
GHSA: GHSA-5wvm-rxcf-6cg8: Programs which compile regular expressions from untrusted sources may be vulnerable to memory exhaustion or denial of service (2022-10-14)
OSV: Memory exhaustion when compiling regular expressions in regexp/syntax (2022-10-06)

Vendor Advisories (4)

Ubuntu: Go vulnerabilities (2023-04-25)
Microsoft: Memory exhaustion when compiling regular expressions in regexp/syntax (2022-10-11)
Red Hat: golang: regexp/syntax: limit memory used by parsing regexps (2022-10-04)
Debian: CVE-2022-41715: golang-1.15 - Programs which compile regular expressions from untrusted sources may be vulnera... (2022)
CVE-2022-41715 — HIGH severity | cvebase