CVE-2025-10630: Grafana-Zabbix ReDoS vulnerability
4.3
Basic Information
Technical Details
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| github.com/alexanderzobnin/grafana-zabbix | go | < 6.0.0 | 6.0.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability analysis began by examining the provided information, which indicated a ReDoS vulnerability in the grafana-zabbix plugin fixed in version 6.0.0. The vulnerable version range was specified as being below 6.0.0. To pinpoint the exact code changes that addressed the vulnerability, I compared the git tags for the last vulnerable version (5.2.1) and the first patched version (6.0.0). This comparison revealed a set of commits, among which 6a1d3b6abe7733eac1871cc4e50e36018176f172 stood out with the message "Add regex safety checks and tests for pathological patterns".
An in-depth analysis of this commit's diff showed significant changes in the pkg/zabbix/utils.go file, specifically within the parseFilter function. Prior to the patch, this function directly passed a user-controlled regex pattern to the regexp2.Compile function. This is the root cause of the ReDoS vulnerability. A malicious actor could craft a complex regex that would cause the compilation process to hang and consume excessive CPU resources.
The patch mitigates this vulnerability by introducing two key changes within parseFilter:
- It adds a call to a new function, isPathologicalRegex, which scans the input for known dangerous regex patterns.
- It replaces the direct, unbounded call to regexp2.Compile with a new wrapper function, safeRegexpCompile, which implements a 5-second timeout on the compilation process.
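The following Go program is an added illustration of the two mitigations described above; it is not code from the grafana-zabbix plugin or from the fixing commit. It assumes the standard library regexp package in place of regexp2 (so compilation is linear-time and the timeout is defence in depth rather than the only guard), a constructed nested-quantifier heuristic for isPathologicalRegex, and a parseFilter signature that treats "/pattern/" as a regex filter and anything else as a literal; all three are assumptions, not the plugin's actual interface.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"time"
)

// ErrPathologicalRegex is returned for patterns with a nested quantifier such
// as (a+)+ or (\d*)*, which backtracking engines evaluate in exponential time.
var ErrPathologicalRegex = errors.New("regex rejected: nested quantifier")

// ErrRegexTimeout is returned when compilation exceeds the caller's budget.
var ErrRegexTimeout = errors.New("regex rejected: compile timed out")

// isQuantifier reports whether c starts a quantifier (*, +, ?, {m,n}).
func isQuantifier(c byte) bool {
	return c == '*' || c == '+' || c == '?' || c == '{'
}

// isPathologicalRegex is a constructed heuristic (assumption, not the plugin's
// function): it flags any group that both contains a quantifier and is itself
// quantified, e.g. (a+)+ or ((ab)+c)*. Escapes and character classes are
// skipped so \( and [(] are not mistaken for groups. Overlapping alternations
// such as (a|aa)+ are not detected; the compile timeout covers those.
func isPathologicalRegex(pattern string) bool {
	var stack []bool // one entry per open group: does it contain a quantifier?
	for i := 0; i < len(pattern); i++ {
		c := pattern[i]
		switch {
		case c == '\\':
			i++ // skip the escaped character
		case c == '[':
			for i++; i < len(pattern) && pattern[i] != ']'; i++ {
				if pattern[i] == '\\' {
					i++
				}
			}
		case c == '(':
			stack = append(stack, false)
			if i+1 < len(pattern) && pattern[i+1] == '?' {
				i++ // (?:...), (?i) etc.: the '?' is not a quantifier here
			}
		case c == ')':
			if len(stack) == 0 {
				continue // unbalanced; let the compiler report it
			}
			inner := stack[len(stack)-1]
			stack = stack[:len(stack)-1]
			quantified := i+1 < len(pattern) && isQuantifier(pattern[i+1])
			if inner && quantified {
				return true
			}
			if len(stack) > 0 && (inner || quantified) {
				stack[len(stack)-1] = true // the parent now contains a quantifier
			}
		case isQuantifier(c):
			if len(stack) > 0 {
				stack[len(stack)-1] = true
			}
		}
	}
	return false
}

// safeRegexpCompile rejects pathological patterns up front, then compiles in a
// goroutine and gives up after timeout. The goroutine is not cancelled; the
// caller simply stops waiting and rejects the request.
func safeRegexpCompile(pattern string, timeout time.Duration) (*regexp.Regexp, error) {
	if isPathologicalRegex(pattern) {
		return nil, ErrPathologicalRegex
	}
	type result struct {
		re  *regexp.Regexp
		err error
	}
	done := make(chan result, 1) // buffered so the goroutine never blocks
	go func() {
		re, err := regexp.Compile(pattern)
		done <- result{re, err}
	}()
	select {
	case r := <-done:
		return r.re, r.err
	case <-time.After(timeout):
		return nil, ErrRegexTimeout
	}
}

// parseFilter (assumed shape): "/regex/" is compiled with the safety checks,
// anything else is matched literally.
func parseFilter(filter string) (*regexp.Regexp, error) {
	if len(filter) >= 2 && filter[0] == '/' && filter[len(filter)-1] == '/' {
		return safeRegexpCompile(filter[1:len(filter)-1], 5*time.Second)
	}
	return regexp.Compile("^" + regexp.QuoteMeta(filter) + "$")
}

func main() {
	for _, f := range []string{"/^db[0-9]+$/", "/(a+)+$/", "web-01"} {
		re, err := parseFilter(f)
		fmt.Printf("%-14s -> re=%v err=%v\n", f, re, err)
	}
}
```

The heuristic runs before any engine call, so a rejected pattern costs only a linear scan of the string, while the timeout bounds the damage from anything the heuristic misses.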
Based on this evidence, the zabbix.parseFilter function is confidently identified as the vulnerable function. During exploitation, this function would be on the stack trace as it processes the malicious, user-supplied regex, leading to the denial of service.
Vulnerable functions
| Function | File |
|---|---|
| zabbix.parseFilter | pkg/zabbix/utils.go |