
CVE-2022-26650: Regular expression denial of service in Apache ShenYu

CVSS Score (CVSS 3.1): 7.5

Basic Information

EPSS Score: 0.78485%
Published: 5/18/2022
Updated: 7/11/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name                        Ecosystem   Vulnerable Versions   First Patched Version
org.apache.shenyu:shenyu            maven       >= 2.4.0, < 2.4.3     2.4.3
org.apache.shenyu:shenyu-bootstrap  maven       >= 2.4.0, < 2.4.3     2.4.3

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability explicitly stems from the use of Pattern.matches() with user-controlled parameters in RegexPredicateJudge.java. The CWE-1333 (Inefficient Regex Complexity) directly maps to this pattern: user-supplied regexes with exponential time complexity can cause resource exhaustion. The description confirms both parameters are attacker-controlled, and the CVSS score/severity align with ReDoS impacts. No other functions are mentioned in the provided vulnerability reports.
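To make the root cause concrete, here is an added illustration (not Apache ShenYu's code) of the vulnerable shape described above next to a hardened one. RegexJudgeExample, its method names, the 4096-character input bound and the 50 ms budget are all assumptions chosen for the example; the hardened version keeps the regex as operator configuration, bounds the user-controlled input, and aborts a runaway match through a deadline-checking CharSequence.

```java
import java.util.concurrent.TimeUnit;
import java.util.regex.Pattern;
// Added example, not Apache ShenYu code. RegexJudgeExample is a hypothetical
// stand-in for a predicate "judge" that tests a request value against a regex.
public class RegexJudgeExample {
    // Vulnerable shape (as described in the advisory): pattern AND input both come
    // from the request, so a caller can pair a backtracking-heavy regex with an
    // input that forces its worst case.
    static boolean judgeVulnerable(String userPattern, String realData) {
        return Pattern.matches(userPattern, realData);
    }
    // Hardened shape: the regex is operator configuration compiled once at startup;
    // only realData is user-controlled, and it is length-bounded and time-budgeted.
    static final int MAX_INPUT_LEN = 4096;
    static final long BUDGET_NANOS = TimeUnit.MILLISECONDS.toNanos(50);
    static final class RegexBudgetExceeded extends RuntimeException {}
    static boolean judgeHardened(Pattern configuredPattern, final String realData) {
        if (realData == null || realData.length() > MAX_INPUT_LEN) {
            return false; // oversized input is rejected before any matching
        }
        final long deadline = System.nanoTime() + BUDGET_NANOS;
        // Matcher reads the input through charAt() on every backtracking step, so a
        // deadline check there aborts a runaway match instead of burning CPU.
        CharSequence guarded = new CharSequence() {
            public int length() { return realData.length(); }
            public char charAt(int i) {
                if (System.nanoTime() > deadline) throw new RegexBudgetExceeded();
                return realData.charAt(i);
            }
            public CharSequence subSequence(int s, int e) { return realData.subSequence(s, e); }
            public String toString() { return realData; }
        };
        try {
            return configuredPattern.matcher(guarded).matches();
        } catch (RegexBudgetExceeded e) {
            return false; // treat an aborted match as "no match"; log/metric it in production
        }
    }
    public static void main(String[] args) {
        Pattern route = Pattern.compile("^/api/[a-z0-9/_-]{1,64}$"); // operator-defined
        System.out.println(judgeHardened(route, "/api/users/42"));
        System.out.println(judgeHardened(route, "/api/../etc"));
        // Constructed worst case: nested quantifiers on an input that can never
        // match. Unbudgeted, this backtracks on the order of 2^30 times.
        Pattern bad = Pattern.compile("(a+)+$");
        String input = "a".repeat(30) + "!"; // String.repeat needs Java 11+
        System.out.println(judgeHardened(bad, input)); // aborted by the budget, not hung
    }
}
```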


WAF Protection Rules

WAF Rule

In Apache ShenYu, ShenYu-Bootstrap, RegexPredicateJudge.java uses Pattern.matches(conditionData.getParamValue(), realData) to make judgments, where both parameters are controllable by the user. This can cause an attacker pass in malicious regular ex
