7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-26650

GHSA ID

GHSA-cw56-j3fm-7w57

EPSS Score

0.78485%

CWE

CWE-862

Published

5/18/2022

Updated

7/11/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-26650

CVE-2022-26650:
Regular expression denial of service in Apache ShenYu

In Apache ShenYui, ShenYu-Bootstrap, RegexPredicateJudge.java uses Pattern.matches(conditionData.getParamValue(), realData) to make judgments, where both parameters are controllable by the user. This can cause an attacker pass in malicious regular expressions and characters causing a resource exhaustion. This issue affects Apache ShenYu (incubating) 2.4.0, 2.4.1 and 2.4.2 and is fixed in 2.4.3.

(GitHub Advisory)

7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-26650

GHSA ID

GHSA-cw56-j3fm-7w57

EPSS Score

0.78485%

CWE

CWE-862

Published

5/18/2022

Updated

7/11/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.apache.shenyu:shenyu	maven	>= 2.4.0, < 2.4.3	2.4.3
org.apache.shenyu:shenyu-bootstrap	maven	>= 2.4.0, < 2.4.3	2.4.3

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability explicitly stems from the use of Pattern.matches() with user-controlled parameters in RegexPredicateJudge.java. The CWE-1333 (Inefficient Regex Complexity) directly maps to this pattern: user-supplied regexes with exponential time complexity can cause resource exhaustion. The description confirms both parameters are attacker-controlled, and the CVSS score/severity align with ReDoS impacts. No other functions are mentioned in the provided vulnerability reports.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

In *p**** S**nYui, S**nYu-*ootstr*p, R***xPr**i**t*Ju***.j*v* us*s P*tt*rn.m*t***s(*on*ition**t*.**tP*r*mV*lu*(), r**l**t*) to m*k* ju**m*nts, w**r* *ot* p*r*m*t*rs *r* *ontroll**l* *y t** us*r. T*is **n **us* *n *tt**k*r p*ss in m*li*ious r**ul*r *x

Reasoning

T** vuln*r**ility *xpli*itly st*ms *rom t** us* o* `P*tt*rn.m*t***s()` wit* us*r-*ontroll** p*r*m*t*rs in `R***xPr**i**t*Ju***.j*v*`. T** *W*-**** (In***i*i*nt R***x *ompl*xity) *ir**tly m*ps to t*is p*tt*rn: us*r-suppli** r***x*s wit* *xpon*nti*l ti

7.5

Basic Information

Concerned about an active attack path?

CVE-2022-26650: Regular expression denial of service in Apache ShenYu

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2022-26650:
Regular expression denial of service in Apache ShenYu

Vulnerability Intelligence
Miggo AI