CVE-2021-37262

7.5 HIGH

📋 TL;DR

CVE-2021-37262 is a regex injection vulnerability in JFinal_cms 5.1.0 that allows attackers to craft malicious regular expressions, causing excessive CPU consumption and denial of service. This affects all systems running the vulnerable version of JFinal_cms content management system. Attackers can exploit this without authentication to crash the application.

💻 Affected Systems

Products:
  • JFinal_cms
Versions: 5.1.0
Operating Systems: All platforms running Java
Default Config Vulnerable: ⚠️ Yes
Notes: Only version 5.1.0 is confirmed vulnerable. Earlier versions may also be affected but not confirmed.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete application unavailability due to CPU exhaustion, potentially affecting all services on the same server.

🟠 Likely Case

Application becomes unresponsive or crashes when malicious regex patterns are processed, requiring a restart.

🟢 If Mitigated

Limited impact with proper input validation and regex time limits in place.

🌐 Internet-Facing: HIGH - Attackers can exploit this remotely without authentication.
🏢 Internal Only: MEDIUM - Internal attackers could still cause denial of service.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Proof of concept available in GitHub issue. Simple HTTP requests with crafted regex patterns can trigger the vulnerability.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.1.1 or later

Vendor Advisory: https://github.com/jflyfox/jfinal_cms/issues/23

Restart Required: Yes

Instructions:

1. Download the latest version from GitHub.
2. Back up the current installation.
3. Replace the vulnerable files with the patched version.
4. Restart the application server.

🔧 Temporary Workarounds

Input validation filter (platform: all)

Add regex pattern validation to filter malicious input before it is processed.

Implement the validation in application code so that overly complex or user-supplied regex patterns are rejected.

Regex matching time limit (platform: all)

Bound the time a single regex match may consume so that a pathological pattern cannot monopolize the CPU.

Note that java.util.regex has no timeout option: `Pattern.compile(pattern, Pattern.DOTALL).matcher(input).find()` runs unbounded. The usual approach is to match against a CharSequence wrapper that checks a deadline on each character read, or to run the match on a worker thread with a time limit, and to reject the request once the budget is exceeded.
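
One way to implement the matching time limit described above, as an added example that is not JFinal_cms code: a hypothetical `BoundedRegex` helper wraps the input in a CharSequence that checks a wall-clock deadline on every character read, so a runaway match is turned into an exception the caller can reject (requires Java 11+ for `String.repeat`).

```java
import java.util.concurrent.TimeUnit;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Hypothetical helper (not from JFinal_cms): regex matching with a wall-clock budget. */
public final class BoundedRegex {

    public static final class RegexTimeoutException extends RuntimeException {
        RegexTimeoutException(String msg) { super(msg); }
    }

    /** Input view that checks the deadline on every charAt(); the backtracking
     *  engine reads characters constantly, so a runaway match is cut off promptly. */
    private static final class DeadlineCharSequence implements CharSequence {
        private final CharSequence inner;
        private final long deadlineNanos;

        DeadlineCharSequence(CharSequence inner, long deadlineNanos) {
            this.inner = inner;
            this.deadlineNanos = deadlineNanos;
        }
        @Override public int length() { return inner.length(); }
        @Override public char charAt(int i) {
            if (System.nanoTime() > deadlineNanos) {
                throw new RegexTimeoutException("regex match exceeded time budget");
            }
            return inner.charAt(i);
        }
        @Override public CharSequence subSequence(int s, int e) {
            return new DeadlineCharSequence(inner.subSequence(s, e), deadlineNanos);
        }
        @Override public String toString() { return inner.toString(); }
    }

    /** True if pattern is found in input; throws RegexTimeoutException past timeoutMillis. */
    public static boolean findWithTimeout(Pattern pattern, String input, long timeoutMillis) {
        long deadline = System.nanoTime() + TimeUnit.MILLISECONDS.toNanos(timeoutMillis);
        Matcher m = pattern.matcher(new DeadlineCharSequence(input, deadline));
        return m.find();
    }

    public static void main(String[] args) {
        // Constructed check: a nested-quantifier pattern against a non-matching input
        // backtracks exponentially; the budget turns a CPU-exhaustion hang into an exception.
        Pattern slow = Pattern.compile("^(a+)+$");
        String input = "a".repeat(40) + "!";
        try {
            System.out.println("found=" + findWithTimeout(slow, input, 200));
        } catch (RegexTimeoutException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same wrapper works for `matches()` and `replaceAll()`, since all of them read the input through `charAt()`; pair it with a hard cap on pattern and input length so the budget is rarely reached in normal traffic.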

🧯 If You Can't Patch

  • Implement WAF rules to block requests containing complex regex patterns
  • Rate limit requests to vulnerable endpoints and monitor for abnormal CPU usage

🔍 How to Verify

Check if Vulnerable:

Check application version in admin panel or configuration files for version 5.1.0

Check Version:

Check pom.xml or application.properties for version information

Verify Fix Applied:

Verify version is 5.1.1 or later and test with known exploit patterns

📡 Detection & Monitoring

Log Indicators:

  • High CPU usage spikes
  • Application crash logs
  • Requests with unusual regex patterns in parameters

Network Indicators:

  • HTTP requests with complex regex patterns in parameters
  • Repeated requests to same endpoint

SIEM Query:

source="web_server" AND (url="*regex*" OR param="*regex*") AND status=500
