CVE-2022-24713

7.5 HIGH

📋 TL;DR

CVE-2022-24713 is a vulnerability in the Rust regex crate where built-in mitigations against regex-based denial of service attacks can be bypassed. This allows attackers to craft malicious regexes that cause excessive CPU consumption and service disruption. Only applications that accept user-controlled regexes as input are affected.

💻 Affected Systems

Products:
  • Rust applications using regex crate
Versions: All versions <= 1.5.4
Operating Systems: All operating systems running Rust applications
Default Config Vulnerable: ⚠️ Yes
Notes: Only vulnerable if application accepts user-controlled regex patterns. Applications using only hardcoded regex patterns are not affected.


⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete service unavailability due to CPU exhaustion, potentially affecting all users of the vulnerable service.

🟠

Likely Case

Degraded performance or temporary service disruption for applications accepting user regex input.

🟢

If Mitigated

No impact if regex crate is updated or if applications don't accept user regexes.

🌐 Internet-Facing: HIGH for services accepting user regex input, as exploitation requires no authentication.
🏢 Internal Only: MEDIUM for internal services accepting user regex input, lower for others.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending specially crafted regex patterns to vulnerable endpoints. No authentication needed if service accepts regex input from unauthenticated users.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: regex 1.5.5 and later

Vendor Advisory: https://github.com/rust-lang/regex/security/advisories/GHSA-m5pq-gvj9-9vr8

Restart Required: Yes

Instructions:

1. Update Cargo.toml to require regex >= 1.5.5
2. Run 'cargo update regex'
3. Rebuild and redeploy application
4. Restart affected services

🔧 Temporary Workarounds

Input validation and sanitization (Platform: all)
  • Implement strict validation to reject complex regex patterns from untrusted sources

Rate limiting regex processing (Platform: all)
  • Implement timeouts or rate limits on regex parsing operations

🧯 If You Can't Patch

  • Disable user-controlled regex input entirely if not required
  • Implement strict WAF rules to block suspicious regex patterns at network boundary

🔍 How to Verify

Check if Vulnerable:

Check Cargo.lock or Cargo.toml for regex crate version <= 1.5.4

Check Version:

grep -A 1 'name = "regex"' Cargo.lock

Verify Fix Applied:

Verify regex crate version is >= 1.5.5 in Cargo.lock after update
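Checking a lockfile for vulnerable pinned versions, as an added example that is not part of this advisory page: it walks every [[package]] entry in a constructed Cargo.lock (a workspace can pin more than one regex version, which the single grep above would not reveal) and flags each regex entry below 1.5.5.

```rust
// Added example (not from the advisory): scan a Cargo.lock for every `regex`
// package entry and report whether it is below the fixed version 1.5.5.
// Assumes the standard Cargo.lock layout: [[package]] blocks containing
// `name = "..."` and `version = "..."` lines.

const FIXED: (u64, u64, u64) = (1, 5, 5);

/// Constructed sample lockfile with two pinned regex versions (one vulnerable).
pub const SAMPLE_LOCK: &str = r#"
# This file is automatically @generated by Cargo.
version = 3

[[package]]
name = "aho-corasick"
version = "0.7.18"

[[package]]
name = "regex"
version = "1.5.4"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "regex"
version = "1.5.5"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "regex-syntax"
version = "0.6.25"
"#;

/// Parse "MAJOR.MINOR.PATCH" into a tuple; any pre-release/build suffix is ignored.
fn parse_version(v: &str) -> Option<(u64, u64, u64)> {
    let core = v.split(|c| c == '-' || c == '+').next()?;
    let mut parts = core.split('.').map(|p| p.parse::<u64>().ok());
    Some((parts.next()??, parts.next()??, parts.next()??))
}

/// Extract the quoted value of `key = "value"` from one trimmed lockfile line.
fn unquote(line: &str, key: &str) -> Option<String> {
    let rest = line.strip_prefix(key)?.trim_start().strip_prefix('=')?.trim();
    Some(rest.trim_matches('"').to_string())
}

/// Return (version, needs_update) for every `regex` entry in the lockfile.
/// A version that fails to parse is conservatively reported as needing update.
pub fn regex_entries(lock: &str) -> Vec<(String, bool)> {
    let mut out = Vec::new();
    let (mut name, mut version): (Option<String>, Option<String>) = (None, None);
    // A trailing synthetic header flushes the final [[package]] block.
    for line in lock.lines().map(str::trim).chain(std::iter::once("[[package]]")) {
        if line == "[[package]]" {
            if let (Some("regex"), Some(v)) = (name.as_deref(), version.take()) {
                let needs_update = parse_version(&v).map_or(true, |t| t < FIXED);
                out.push((v, needs_update));
            }
            name = None;
            version = None;
        } else if let Some(n) = unquote(line, "name") {
            name = Some(n);
        } else if let Some(v) = unquote(line, "version") {
            version = Some(v);
        }
    }
    out
}

fn main() {
    for (v, needs_update) in regex_entries(SAMPLE_LOCK) {
        let status = if needs_update { "VULNERABLE (< 1.5.5)" } else { "fixed" };
        println!("regex {}: {}", v, status);
    }
}
```

Point the function at the real lockfile with std::fs::read_to_string("Cargo.lock") to check a deployed build.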

📡 Detection & Monitoring

Log Indicators:

  • Unusually long regex processing times
  • High CPU usage spikes from regex operations
  • Repeated regex parsing failures

Network Indicators:

  • Incoming requests containing complex regex patterns
  • Traffic patterns showing regex submission attempts

SIEM Query:

source="application_logs" AND (message="*regex*" AND duration>5s) OR (process="rust_app" AND cpu_usage>90%)
