CVE-2022-26650

Apache ShenYu (incubating) Regular expression denial of service

EPSS 2.4%, CWE-1333
In short

Apache ShenYu's regex validation feature accepts user-controlled regular expressions without protection, allowing attackers to submit malicious regex patterns that consume excessive CPU resources and freeze the application.

Technical detail

RegexPredicateJudge.java directly passes user-supplied parameters to Pattern.matches() without validation or timeouts, enabling ReDoS (Regular Expression Denial of Service) attacks. An attacker can craft exponential backtracking patterns causing resource exhaustion and application unavailability.

Summary generated and translated by AI from the official description.
In Apache ShenYu, ShenYu-Bootstrap, RegexPredicateJudge.java uses Pattern.matches(conditionData.getParamValue(), realData) to make judgments, where both parameters are controllable by the user. This can allow an attacker to pass in malicious regular expressions and characters, causing resource exhaustion. This issue affects Apache ShenYu (incubating) 2.4.0, 2.4.1 and 2.4.2 and is fixed in 2.4.3.
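The description above names the two missing controls, validation and a timeout. As an added example (not ShenYu's code, and not the 2.4.3 fix itself), here is a hardened form of such a judgment in Java: regex and input lengths are bounded, a malformed rule fails closed, and the match runs against a CharSequence wrapper that aborts the regex engine once a time budget is spent. The class and method names (`BoundedRegexJudge`, `judge`, `DeadlineCharSequence`, `MatchTimeoutException`) and the limits are assumed values chosen for illustration.

```java
import java.util.regex.Pattern;
import java.util.regex.PatternSyntaxException;

/** Hardened replacement for an unbounded Pattern.matches(userRegex, userInput) call (illustrative). */
public final class BoundedRegexJudge {
    private static final int MAX_REGEX_LEN = 256;              // assumed limit on rule length
    private static final int MAX_INPUT_LEN = 4096;             // assumed limit on matched data
    private static final long MAX_MATCH_NANOS = 50_000_000L;   // assumed 50 ms budget per match

    /** Thrown from inside the regex engine when a single match exceeds its time budget. */
    public static final class MatchTimeoutException extends RuntimeException {
        MatchTimeoutException(String msg) { super(msg); }
    }

    /** CharSequence whose charAt() checks a deadline; java.util.regex calls it on every step. */
    private static final class DeadlineCharSequence implements CharSequence {
        private final CharSequence inner;
        private final long deadline;
        DeadlineCharSequence(CharSequence inner, long deadline) { this.inner = inner; this.deadline = deadline; }
        @Override public char charAt(int index) {
            if (System.nanoTime() > deadline) throw new MatchTimeoutException("regex match exceeded time budget");
            return inner.charAt(index);
        }
        @Override public int length() { return inner.length(); }
        @Override public CharSequence subSequence(int start, int end) {
            return new DeadlineCharSequence(inner.subSequence(start, end), deadline);
        }
        @Override public String toString() { return inner.toString(); }
    }

    /** Returns true only if input fully matches regex within the size and time limits; false otherwise. */
    public static boolean judge(String regex, String input) {
        if (regex == null || input == null) return false;
        if (regex.length() > MAX_REGEX_LEN || input.length() > MAX_INPUT_LEN) return false;
        Pattern p;
        try {
            p = Pattern.compile(regex);
        } catch (PatternSyntaxException e) {
            return false; // malformed rule: fail closed rather than propagate
        }
        long deadline = System.nanoTime() + MAX_MATCH_NANOS;
        try {
            return p.matcher(new DeadlineCharSequence(input, deadline)).matches();
        } catch (MatchTimeoutException e) {
            return false; // fail closed: a rule that cannot be evaluated in budget does not match
        }
    }
}
```

Because the engine reads the input through charAt() on every backtracking step, the deadline is enforced promptly even on pathological patterns; a caller should also log which rule tripped the budget so operators can find and rewrite it.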
