Vulnerability Details: CVE-2022-41715
Programs that compile regular expressions from untrusted sources may be vulnerable to memory exhaustion or denial of service. The parsed regexp representation is linear in the size of the input, but in some cases the constant factor can be as high as 40,000, so relatively small regexps can consume much larger amounts of memory. After the fix, each regexp being parsed is limited to a 256 MB memory footprint; regular expressions whose representation would use more space than that are rejected. Normal use of regular expressions is unaffected.
Vulnerability category: Denial of service
Products affected by CVE-2022-41715
- cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-41715
- EPSS score: 0.22% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~60% (the proportion of vulnerabilities scored at or below this score)
CVSS scores for CVE-2022-41715
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 | NIST |
References for CVE-2022-41715
- https://go.dev/issue/55949 : regexp/syntax: limit memory used by parsing regexps · Issue #55949 · golang/go · GitHub (Issue Tracking; Third Party Advisory)
- https://groups.google.com/g/golang-announce/c/xtuG5faxtaU : [security] Go 1.19.2 and Go 1.18.7 are released (Mailing List; Release Notes)
- https://pkg.go.dev/vuln/GO-2022-1039 : GO-2022-1039 - Go Packages (Vendor Advisory)
- https://go.dev/cl/439356 : regexp: limit size of parsed regexps (Ia656baed) · Gerrit Code Review (Patch)
- https://security.gentoo.org/glsa/202311-09 : Go: Multiple Vulnerabilities (GLSA 202311-09) — Gentoo security