PT-2022-17983 · Apache · Apache Shenyu

Zhang Yonglun · Published 2022-05-17 · Updated 2023-07-12 · CVE-2022-26650

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
Apache ShenYu (incubating) versions 2.4.0 through 2.4.2

Description
The issue arises from the use of Pattern.matches() in RegexPredicateJudge.java, where both parameters (the regular expression and the text it is matched against) are controllable by the user. This allows an attacker to pass in malicious regular expressions and characters, causing resource exhaustion.

Recommendations
For versions 2.4.0, 2.4.1, and 2.4.2, update to version 2.4.3 to resolve the issue. As a temporary workaround, consider restricting user input for the conditionData.getParamValue() and realData parameters to prevent malicious regular expressions from being executed.
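The workaround above amounts to bounding what reaches the regex engine. The following is an added illustration of one hardened shape for such a call, written for this page rather than taken from ShenYu: the class name BoundedRegexJudge, the method judge(), and the size and time limits are all assumptions. It caps pattern and input length, compiles each rule once, and feeds the engine a CharSequence that enforces a per-match deadline, so a match that runs too long is abandoned instead of holding the thread.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.regex.Pattern;
import java.util.regex.PatternSyntaxException;

/**
 * Hypothetical hardened replacement for a Pattern.matches(conditionValue, realData)
 * call whose arguments are both user-controlled. Not ShenYu's own code; names and
 * limits are chosen for illustration.
 */
public final class BoundedRegexJudge {

    // Defensive limits (assumed values; tune to the deployment).
    private static final int MAX_PATTERN_LENGTH = 256;
    private static final int MAX_INPUT_LENGTH = 4096;
    private static final int MAX_CACHED_PATTERNS = 1024;
    private static final long MAX_MATCH_NANOS = 50_000_000L; // 50 ms per match

    // Compile each rule once; the cache is bounded so rule churn cannot exhaust memory.
    private static final Map<String, Pattern> CACHE = new ConcurrentHashMap<>();

    /** Thrown from inside the engine when a single match exceeds its time budget. */
    public static final class MatchTimeoutException extends RuntimeException {
        MatchTimeoutException(String msg) { super(msg); }
    }

    /**
     * The regex engine reads its input through CharSequence.charAt(), so checking a
     * deadline there lets us abort runaway backtracking without a second thread.
     */
    private static final class DeadlineCharSequence implements CharSequence {
        private final CharSequence inner;
        private final long deadlineNanos;

        DeadlineCharSequence(CharSequence inner, long deadlineNanos) {
            this.inner = inner;
            this.deadlineNanos = deadlineNanos;
        }

        @Override public int length() { return inner.length(); }

        @Override public char charAt(int index) {
            if (System.nanoTime() > deadlineNanos) {
                throw new MatchTimeoutException("regex match exceeded time budget");
            }
            return inner.charAt(index);
        }

        @Override public CharSequence subSequence(int start, int end) {
            return new DeadlineCharSequence(inner.subSequence(start, end), deadlineNanos);
        }

        @Override public String toString() { return inner.toString(); }
    }

    /**
     * Returns true only if realData fully matches conditionValue within the configured
     * limits. Oversized rules or inputs, malformed patterns and timeouts are all treated
     * as a non-match rather than as an error that ties up the request thread.
     */
    public static boolean judge(String conditionValue, String realData) {
        if (conditionValue == null || realData == null) return false;
        if (conditionValue.length() > MAX_PATTERN_LENGTH || realData.length() > MAX_INPUT_LENGTH) {
            return false;
        }
        Pattern pattern;
        try {
            pattern = CACHE.size() < MAX_CACHED_PATTERNS
                    ? CACHE.computeIfAbsent(conditionValue, Pattern::compile)
                    : Pattern.compile(conditionValue);
        } catch (PatternSyntaxException e) {
            return false; // not a valid regular expression
        }
        long deadline = System.nanoTime() + MAX_MATCH_NANOS;
        try {
            return pattern.matcher(new DeadlineCharSequence(realData, deadline)).matches();
        } catch (MatchTimeoutException e) {
            return false; // a real deployment would also log the offending rule for review
        }
    }

    public static void main(String[] args) {
        // Constructed sample rule and inputs, benign by design.
        System.out.println(judge("/api/v1/users/[0-9]+", "/api/v1/users/42"));
        System.out.println(judge("/api/v1/users/[0-9]+", "/api/v1/users/abc"));
        System.out.println(judge("[unclosed", "anything"));
    }
}
```

The deadline wrapper is the piece that actually addresses the advisory: length limits alone do not stop a short pattern from backtracking for a long time on a short input, whereas a per-match budget bounds the worst case regardless of what the rule author or requester supplied. Treating a timeout as a non-match fails closed for the affected rule while leaving the rest of the gateway serviceable.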

Fix

Missing Authorization

DoS

Weakness Enumeration

Related Identifiers

CVE-2022-26650
GHSA-CW56-J3FM-7W57

Affected Products

Apache Shenyu