
Addison Crump

#37251 of 53,630
7.5 Total CVSS
Vulnerabilities · 1
PT-2022-2264
7.5
2022-03-08
Regex · Regex · CVE-2022-24713
**Name of the Vulnerable Software and Affected Versions**

regex versions 1.5.4 and earlier

**Description**

The regex crate for the Rust language has a bug in its mitigations designed to prevent untrusted regexes from taking an arbitrary amount of time during parsing. This allows attackers to craft regexes that bypass these mitigations, making it possible to perform denial of service attacks by sending specially crafted regexes to services accepting user-controlled, untrusted regexes. The issue is related to the complexity of regular expressions and the lack of proper limitation on the resources consumed during parsing.

**Recommendations**

For regex versions 1.5.4 and earlier, upgrade immediately to the latest version of the regex crate, starting from version 1.5.5. As a temporary workaround, consider restricting the use of the regex crate to trusted regexes only, until a patch is available. Avoid using the regex crate to parse untrusted input with untrusted regexes.