PT-2022-2264 · Regex+11

Addison Crump · Published 2022-03-08 · Updated 2025-10-24 · CVE-2022-24713

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions: regex versions 1.5.4 and earlier

Description: The regex crate for the Rust language has a bug in its mitigations designed to prevent untrusted regexes from taking an arbitrary amount of time during parsing. Attackers can craft regexes that bypass these mitigations, making it possible to perform denial of service attacks by sending specially crafted regexes to services that accept user-controlled, untrusted regexes. The issue is related to the complexity of regular expressions and the lack of proper limits on the resources consumed during parsing.

Recommendations: For regex versions 1.5.4 and earlier, upgrade immediately to version 1.5.5 or later of the regex crate. As a temporary workaround until the upgrade is applied, restrict the regex crate to trusted regexes only. Avoid using the regex crate to parse untrusted input with untrusted regexes.

Exploit · Fix · DoS · Resource Exhaustion

Weakness Enumeration

Related Identifiers

ALSA-2022:1287
ALSA-2022:1301
ALSA-2025_16880
ALT-PU-2022-1642
ALT-PU-2022-1809
ALT-PU-2022-1847
ALT-PU-2022-1855
ALT-PU-2022-1941
ALT-PU-2022-1951
ALT-PU-2022-1983
ALT-PU-2022-2044
ALT-PU-2022-2053
ALT-PU-2022-2930
ALT-PU-2023-1139
ALT-PU-2023-4339
ALT-PU-2024-12896
AZL-40907
AZL-45021
AZL-61405
AZL-62435
BDU:2022-02373
CESA-2022_1287
CESA-2022_1301
CVE-2022-24713
DLA-2971-1
DLA-2978-1
DSA-5113-1
DSA-5118-1
GHSA-M5PQ-GVJ9-9VR8
MGASA-2022-0156
MGASA-2022-0157
OESA-2023-1673
OESA-2023-1674
OPENSUSE-SU-2022:1127-1
OPENSUSE-SU-2022_1127-1
OPENSUSE-SU-2022_1176-1
OPENSUSE-SU-2022_3949-1
OPENSUSE-SU-2022_4073-1
OPENSUSE-SU-2023_3526-1
OPENSUSE-SU-2024:0294-1
OPENSUSE-SU-2024:11913-1
OPENSUSE-SU-2024:11914-1
OPENSUSE-SU-2024:11917-1
OPENSUSE-SU-2024:11918-1
OPENSUSE-SU-2024:11920-1
OPENSUSE-SU-2024:11921-1
OPENSUSE-SU-2024:11922-1
OPENSUSE-SU-2024:11923-1
OPENSUSE-SU-2024:11925-1
OPENSUSE-SU-2024:11928-1
OPENSUSE-SU-2024:11931-1
OPENSUSE-SU-2024:11937-1
OPENSUSE-SU-2024:11941-1
OPENSUSE-SU-2024:11945-1
OPENSUSE-SU-2024:11946-1
OPENSUSE-SU-2024:11948-1
OPENSUSE-SU-2024:11962-1
OPENSUSE-SU-2024:11975-1
OPENSUSE-SU-2024:12055-1
OPENSUSE-SU-2024:12114-1
OPENSUSE-SU-2024:12131-1
OPENSUSE-SU-2024:14572-1
RHSA-2022:1283
RHSA-2022:1284
RHSA-2022:1285
RHSA-2022:1286
RHSA-2022:1287
RHSA-2022:1301
RHSA-2022:1302
RHSA-2022:1303
RHSA-2022:1305
RHSA-2022:1326
RHSA-2022_1284
RHSA-2022_1287
RHSA-2022_1301
RHSA-2022_1302
RLSA-2022:1287
RLSA-2022:1301
RUSTSEC-2022-0013
SUSE-RU-2022:1114-1
SUSE-RU-2022:1125-1
SUSE-RU-2022:14935-1
SUSE-SU-2022:1127-1
SUSE-SU-2022:1176-1
SUSE-SU-2022:3949-1
SUSE-SU-2022:4073-1
SUSE-SU-2023:1844-1
SUSE-SU-2023:3526-1
SUSE-SU-2023_1844-1
SUSE-SU-2025:3783-1
SUSE-SU-2025:3784-1
SUSE-SU-2025:3785-1
SUSE-SU-2025:3786-1
SUSE-SU-2025:3911-1
USN-5370-1
USN-5610-1

Affected Products

Alt Linux
Almalinux
Astra Linux
Centos
Debian
Linuxmint
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu
Regex