CVE Tools
Sign in

CVE-2022-24713

Regular expression denial of service in Rust's regex crate

Published: Mar 8, 2022Updated: Nov 21, 2024 Sources: CVE List NVD GHSA BDUCWE-400
7.5HIGH
NVD MITRE
EPSS Score
14.5%
Top 3.8%
CISA KEV
Not in KEV
Exploits
No Known Exploits
Remediation
Patch Available

Description

regex is an implementation of regular expressions for the Rust language. The regex crate features built-in mitigations to prevent denial of service attacks caused by untrusted regexes, or untrusted input matched by trusted regexes. Those (tunable) mitigations already provide sane defaults to prevent attacks. This guarantee is documented and it's considered part of the crate's API. Unfortunately a bug was discovered in the mitigations designed to prevent untrusted regexes to take an arbitrary amount of time during parsing, and it's possible to craft regexes that bypass such mitigations. This makes it possible to perform denial of service attacks by sending specially crafted regexes to services accepting user-controlled, untrusted regexes. All versions of the regex crate before or equal to 1.5.4 are affected by this issue. The fix is include starting from regex 1.5.5. All users accepting user-controlled regexes are recommended to upgrade immediately to the latest version of the regex crate. Unfortunately there is no fixed set of problematic regexes, as there are practically infinite regexes that could be crafted to exploit this vulnerability. Because of this, it us not recommend to deny known problematic regexes.

No summary for this CVE yet.

CVSS Vector Breakdown

AV:NAC:LPR:NUI:NS:UC:NI:NA:H
Exploitability
AV:NAttack Vector
Network
AC:LAttack Complexity
Low
PR:NPrivileges Required
None
UI:NUser Interaction
None
Scope
S:UScope
Unchanged
Impact
C:NConfidentiality
None
I:NIntegrity
None
A:HAvailability
High
Open in CVSS calculator →

Weaknesses

CWE-400CWE-1333

Affected Products

regexrust-lang
Library
OSS Libraries / generic-library
fedorafedoraproject
On-premOS
Operating Systems / linux-distro
debian linuxdebian
On-premOS
Operating Systems / linux-distro
regexcrates.ioOSS Libraries
Red Hat Enterprise LinuxRed Hat Inc.
On-premOS
Operating Systems / linux-distro
rust-langoss-projectOSS Librariesaka rust, cargo, async-h1
fedoraprojectoss-projectUSOperating Systemsaka fedora project
debianoss-projectGBOperating Systemsaka debian gnu/linux
crates.iopackage-ecosystemOSS Libraries
red hat inc.commercialUSOperating Systemsaka red hat
and 11 more affected products View all →

Exploitability

Official Patch Available
No detection template yetWe can run the check for you — a free external exposure review, no install. Check my exposure

Attack Graph

Products CVE Techniques Tactics

Click technique nodes to view MITRE ATT&CK details. Scroll to zoom, drag to pan.

MITRE ATT&CK

1 technique
Impact
View detailed technique mapping

References

https://github.com/rust-lang/regex/commit/ae70b41d4f46641dbc45c7a4f87954aea356283e
github.com
https://github.com/rust-lang/regex/security/advisories/GHSA-m5pq-gvj9-9vr8
github.com
https://groups.google.com/g/rustlang-security-announcements/c/NcNNL1Jq7Yw
groups.google.com
and 27 more references View all →

Timeline

Published
Mar 8, 2022
Last Updated
Nov 21, 2024

Unlock Complete Vulnerability Intelligence

Get the full picture for CVE-2022-24713 and every CVE in our database. Create a free account — no credit card required.

Create Free Account
Plain-language analysis
Impact assessment and exploitation scenario in plain English
Attack graph visualization
Interactive attack path and kill chain mapping
Exploit details & PoC links
ExploitDB, Metasploit, GitHub PoCs with direct links
Nuclei scanner templates
Ready-to-use vulnerability scanner templates
Full remediation guide
Patch instructions, workarounds, and compliance impact
Interactive AI chat
Ask questions about this vulnerability in natural language
Related vulnerabilities
Semantically similar CVEs and attack patterns
REST API & MCP access
Integrate vulnerability data into your workflows