CVE-2022-24713: Rust's regex crate vulnerable to regular expression denial of service
(updated )
This is a cross-post of the official security advisory. The official advisory contains a signed version with our PGP key, as well.
The Rust Security Response WG was notified that the regex crate did not properly limit the complexity of the regular expressions (regex) it parses. An attacker could use this security issue to perform a denial of service, by sending a specially crafted regex to a service accepting untrusted regexes. No known vulnerability is present when parsing untrusted input with trusted regexes.
This issue has been assigned CVE-2022-24713. The severity of this vulnerability is “high” when the regex crate is used to parse untrusted regexes. Other uses of the regex crate are not affected by this vulnerability.
References
- github.com/advisories/GHSA-m5pq-gvj9-9vr8
- github.com/rust-lang/regex
- github.com/rust-lang/regex/commit/ae70b41d4f46641dbc45c7a4f87954aea356283e
- github.com/rust-lang/regex/security/advisories/GHSA-m5pq-gvj9-9vr8
- groups.google.com/g/rustlang-security-announcements/c/NcNNL1Jq7Yw
- lists.debian.org/debian-lts-announce/2022/04/msg00003.html
- lists.debian.org/debian-lts-announce/2022/04/msg00009.html
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JANLZ3JXWJR7FSHE57K66UIZUIJZI67T
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O3YB7CURSG64CIPCDPNMGPE4UU24AB6H
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PDOWTHNVGBOP2HN27PUFIGRYNSNDTYRJ
- nvd.nist.gov/vuln/detail/CVE-2022-24713
- rustsec.org/advisories/RUSTSEC-2022-0013.html
- security.gentoo.org/glsa/202208-08
- security.gentoo.org/glsa/202208-14
- www.debian.org/security/2022/dsa-5113
- www.debian.org/security/2022/dsa-5118
Code Behaviors & Features
Detect and mitigate CVE-2022-24713 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →