CVE-2022-24713: Regular expression denial of service in Rust's regex crate
First published: Tue Mar 08 2022(Updated: )
regex is an implementation of regular expressions for the Rust language. The regex crate features built-in mitigations to prevent denial of service attacks caused by untrusted regexes, or untrusted input matched by trusted regexes. Those (tunable) mitigations already provide sane defaults to prevent attacks. This guarantee is documented and it's considered part of the crate's API. Unfortunately a bug was discovered in the mitigations designed to prevent untrusted regexes to take an arbitrary amount of time during parsing, and it's possible to craft regexes that bypass such mitigations. This makes it possible to perform denial of service attacks by sending specially crafted regexes to services accepting user-controlled, untrusted regexes. All versions of the regex crate before or equal to 1.5.4 are affected by this issue. The fix is include starting from regex 1.5.5. All users accepting user-controlled regexes are recommended to upgrade immediately to the latest version of the regex crate. Unfortunately there is no fixed set of problematic regexes, as there are practically infinite regexes that could be crafted to exploit this vulnerability. Because of this, it us not recommend to deny known problematic regexes.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Mozilla Firefox ESR | <91.8 | 91.8 |
| debian/firefox | 118.0.2-1 | |
| debian/firefox-esr | 91.12.0esr-1~deb10u1 115.3.1esr-1~deb10u1 102.15.0esr-1~deb11u1 115.3.1esr-1~deb11u1 102.15.1esr-1~deb12u1 115.3.0esr-1~deb12u1 115.3.0esr-1 | |
| debian/rust-regex | <=1.1.0-1<=1.3.7-1 | 1.7.1-1 1.7.3-1 1.9.6-5 |
| debian/thunderbird | 1:91.12.0-1~deb10u1 1:115.3.1-1~deb10u1 1:102.13.1-1~deb11u1 1:115.3.1-1~deb11u1 1:102.15.1-1~deb12u1 1:115.3.1-1~deb12u1 1:115.3.1-1 | |
| Mozilla Thunderbird | <91.8 | 91.8 |
| Mozilla Firefox | <99 | 99 |
| Rust-lang Regex | <1.5.5 | |
| Fedoraproject Fedora | =34 | |
| Fedoraproject Fedora | =35 | |
| Fedoraproject Fedora | =36 | |
| Debian Debian Linux | =9.0 | |
| Debian Debian Linux | =10.0 | |
| Debian Debian Linux | =11.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.mozilla.org/show_bug.cgi?id=1758509
- https://www.mozilla.org/en-US/security/advisories/mfsa2022-14/
- https://rustsec.org/advisories/RUSTSEC-2022-0013.html
- https://github.com/rust-lang/regex/security/advisories/GHSA-m5pq-gvj9-9vr8
- https://github.com/rust-lang/regex/commit/ae70b41d4f46641dbc45c7a4f87954aea356283e
- https://groups.google.com/g/rustlang-security-announcements/c/NcNNL1Jq7Yw
- https://www.mozilla.org/en-US/security/advisories/mfsa2022-13/#CVE-2022-24713
- https://www.mozilla.org/en-US/security/advisories/mfsa2022-14/#CVE-2022-24713
- https://www.mozilla.org/en-US/security/advisories/mfsa2022-15/#CVE-2022-24713
- https://security-tracker.debian.org/tracker/CVE-2022-24713
- https://www.mozilla.org/en-US/security/advisories/mfsa2022-15/
- https://www.mozilla.org/en-US/security/advisories/mfsa2022-13/
- https://lists.debian.org/debian-lts-announce/2022/04/msg00003.html
- https://lists.debian.org/debian-lts-announce/2022/04/msg00009.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JANLZ3JXWJR7FSHE57K66UIZUIJZI67T/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O3YB7CURSG64CIPCDPNMGPE4UU24AB6H/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PDOWTHNVGBOP2HN27PUFIGRYNSNDTYRJ/
- https://security.gentoo.org/glsa/202208-08
- https://security.gentoo.org/glsa/202208-14
- https://www.debian.org/security/2022/dsa-5113
- https://www.debian.org/security/2022/dsa-5118
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PDOWTHNVGBOP2HN27PUFIGRYNSNDTYRJ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JANLZ3JXWJR7FSHE57K66UIZUIJZI67T/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O3YB7CURSG64CIPCDPNMGPE4UU24AB6H/
Peer vulnerabilities
(Found alongside the following vulnerabilities)
Frequently Asked Questions
What is the vulnerability ID?
CVE-2022-24713
What is the severity of CVE-2022-24713?
The severity of CVE-2022-24713 is high with a severity value of 7.5.
Which software products are affected by CVE-2022-24713?
Mozilla Firefox ESR, Mozilla Firefox, Debian Firefox, Debian Firefox ESR, Rust-regex, and Thunderbird are affected by CVE-2022-24713.
How can I fix CVE-2022-24713?
To fix CVE-2022-24713, update to the recommended versions: Mozilla Firefox ESR 91.8, Mozilla Firefox 99, Debian Firefox 118.0.2-1, Debian Firefox ESR 91.12.0esr-1~deb10u1 or 91.12.0-1~deb10u1, Rust-regex 1.7.1-1, and Thunderbird 91.8.
Are there any references or additional information about CVE-2022-24713?
Yes, you can find more information about CVE-2022-24713 in the references: [Bugzilla](https://bugzilla.mozilla.org/show_bug.cgi?id=1758509), [Mozilla Security Advisory](https://www.mozilla.org/en-US/security/advisories/mfsa2022-14/), and [GitHub commit](https://github.com/rust-lang/regex/commit/ae70b41d4f46641dbc45c7a4f87954aea356283e).
- collector/mozilla-advisory
- collector/security-tracker-debian
- agent/weakness
- agent/type
- agent/author
- agent/remedy
- source/Mozilla
- agent/software-canonical-lookup
- agent/description
- agent/software-canonical-lookup-request
- collector/nvd-index
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/last-modified-date
- agent/title
- agent/severity
- agent/first-publish-date
- agent/tags
- agent/event
- vendor/mozilla
- canonical/mozilla firefox esr
- package-manager/debian
- canonical/mozilla thunderbird
- canonical/mozilla firefox
- vendor/rust-lang
- canonical/rust-lang regex
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/34
- version/fedoraproject fedora/35
- version/fedoraproject fedora/36
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/9.0
- version/debian debian linux/10.0
- version/debian debian linux/11.0