PT-2022-20927 · Apache · Apache Tapestry

Authors: Atorralba +3 · Published 2022-07-13 · Updated 2023-08-02 · CVE-2022-31781

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: Apache Tapestry versions up to 5.8.1

Description: The issue is a Regular Expression Denial of Service (ReDoS) in the way Apache Tapestry handles Content Types. A specially crafted Content Type can cause catastrophic backtracking in the regular expression that the org.apache.tapestry5.http.ContentType class applies to the string passed to its constructor, so parsing takes exponential time to complete. This vulnerability cannot be triggered by web requests in Tapestry code alone; it would only occur if non-Tapestry code passes outside input to the ContentType class constructor.

Recommendations: For Apache Tapestry versions up to 5.8.1, update to version 5.8.2 to resolve the issue. As a temporary workaround, restrict the use of the org.apache.tapestry5.http.ContentType class, especially where outside input is involved, to minimize the risk of exploitation.
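As an added example (not code from the Apache Tapestry project), a linear-time guard that non-Tapestry code can apply to an untrusted Content-Type string before handing it to the org.apache.tapestry5.http.ContentType constructor. The class name ContentTypeGuard, the sanitize method and the length and parameter-count limits are assumptions of this example; the check uses no regular expression, so its cost is bounded by the input length whatever the input's shape.

```java
import java.util.Locale;
// Added example, not Tapestry code: O(n) pre-validation of an untrusted Content-Type string,
// applied before it reaches a regex-based parser such as org.apache.tapestry5.http.ContentType.
public final class ContentTypeGuard {
    private static final int MAX_LENGTH = 256;  // assumed bound, well above real headers
    private static final int MAX_PARAMS = 8;    // assumed bound on ";name=value" parameters
    private static final String TCHAR_EXTRA = "!#$%&'*+-.^_`|~";  // RFC 7230 tchar punctuation
    private ContentTypeGuard() {}
    // Returns a normalised "type/subtype;name=value..." string, or null if the input is rejected.
    public static String sanitize(String raw) {
        if (raw == null || raw.length() > MAX_LENGTH) return null;
        String[] parts = raw.split(";", -1);  // single literal char; no regex metacharacters
        if (parts.length - 1 > MAX_PARAMS) return null;
        String mediaType = parts[0].trim();
        int slash = mediaType.indexOf('/');
        if (slash < 0 || !isToken(mediaType.substring(0, slash))
                || !isToken(mediaType.substring(slash + 1))) return null;
        StringBuilder out = new StringBuilder(mediaType.toLowerCase(Locale.ROOT));
        for (int i = 1; i < parts.length; i++) {
            String param = parts[i].trim();
            int eq = param.indexOf('=');
            if (eq < 0) return null;
            String name = param.substring(0, eq);
            String value = param.substring(eq + 1);
            if (!isToken(name) || !(isToken(value) || isSimpleQuoted(value))) return null;
            out.append(';').append(name.toLowerCase(Locale.ROOT)).append('=').append(value);
        }
        return out.toString();
    }
    // RFC 7230 token: one or more ASCII letters, digits or TCHAR_EXTRA, checked char by char.
    private static boolean isToken(String s) {
        if (s.isEmpty()) return false;
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            boolean alnum = (c >= '0' && c <= '9') || (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z');
            if (!alnum && TCHAR_EXTRA.indexOf(c) < 0) return false;
        }
        return true;
    }
    // Quoted value limited to printable ASCII with no inner quote or backslash escape.
    private static boolean isSimpleQuoted(String s) {
        if (s.length() < 2 || s.charAt(0) != '"' || s.charAt(s.length() - 1) != '"') return false;
        for (int i = 1; i < s.length() - 1; i++) {
            char c = s.charAt(i);
            if (c < 0x20 || c > 0x7e || c == '"' || c == '\\') return false;
        }
        return true;
    }
}
```

Only a non-null result should be passed on to the ContentType constructor; a null result means the header was rejected before any backtracking-prone parsing could run.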

Tags: Fix, Resource Exhaustion, DoS


Weakness Enumeration

Related Identifiers

CVE-2022-31781
GHSA-227G-7CVV-6FF3

Affected Products

Apache Tapestry