
CVSS: 7.5 | EPSS: 0% | CPEs: 7 | EXPL: 1

regex is an implementation of regular expressions for the Rust language. The regex crate features built-in mitigations to prevent denial-of-service attacks caused by untrusted regexes, or by untrusted input matched against trusted regexes. Those (tunable) mitigations already provide sane defaults to prevent such attacks. This guarantee is documented and is considered part of the crate's API. Unfortunately, a bug was discovered in the mitigations designed to prevent untrusted regexes from taking an arbitrary amount of time during parsing, and it is possible to craft regexes that bypass those mitigations.

References:
• https://github.com/ItzSwirlz/CVE-2022-24713-POC
• https://github.com/rust-lang/regex/commit/ae70b41d4f46641dbc45c7a4f87954aea356283e
• https://github.com/rust-lang/regex/security/advisories/GHSA-m5pq-gvj9-9vr8
• https://groups.google.com/g/rustlang-security-announcements/c/NcNNL1Jq7Yw
• https://lists.debian.org/debian-lts-announce/2022/04/msg00003.html
• https://lists.debian.org/debian-lts-announce/2022/04/msg00009.html
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JAN

Weaknesses:
• CWE-400: Uncontrolled Resource Consumption
• CWE-1333: Inefficient Regular Expression Complexity