CVE-2022-24921

7.5 HIGH

📋 TL;DR

This vulnerability in Go's regexp.Compile function allows attackers to cause a denial of service via stack exhaustion by providing a deeply nested regular expression. It affects Go applications using regexp.Compile with untrusted input, particularly web servers and network services.

💻 Affected Systems

Products:
  • Go programming language
  • Applications built with Go using regexp package
Versions: Go 1.0 through 1.16.14, Go 1.17.0 through 1.17.7
Operating Systems: All platforms running affected Go versions
Default Config Vulnerable: ⚠️ Yes
Notes: Only vulnerable when using regexp.Compile or regexp.MustCompile with untrusted input containing deeply nested expressions.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete service unavailability due to stack overflow crash, potentially leading to extended downtime and requiring manual restart of affected applications.

🟠 Likely Case

Denial of service affecting specific endpoints or services that process regex patterns from untrusted sources, causing temporary service disruption.

🟢 If Mitigated

Minimal impact if input validation limits regex complexity or if applications don't process untrusted regex patterns.

🌐 Internet-Facing: MEDIUM - Web applications accepting regex patterns from users could be targeted, but requires specific attack vector.
🏢 Internal Only: LOW - Internal services typically don't accept arbitrary regex patterns from untrusted sources.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending a specially crafted regex pattern to trigger stack exhaustion. Proof of concept available in security advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Go 1.16.15 or Go 1.17.8

Vendor Advisory: https://groups.google.com/g/golang-announce/c/RP1hfrBYVuk

Restart Required: Yes

Instructions:

1. Update Go installation to 1.16.15+ or 1.17.8+ using official distribution channels.
2. Recompile all Go applications with the updated version.
3. Restart all Go-based services.

🔧 Temporary Workarounds

  • Input validation for regex patterns (applies to: all)
    Validate and limit the complexity of regex patterns from untrusted sources before passing them to regexp.Compile.
  • Rate limiting regex processing (applies to: all)
    Implement rate limiting on endpoints that accept regex patterns to prevent DoS attacks.

🧯 If You Can't Patch

  • Implement strict input validation to reject deeply nested regex patterns
  • Deploy WAF rules to block patterns with excessive nesting levels
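The workaround above and the "If You Can't Patch" item both come down to the same check: measure how deeply a user-supplied pattern nests groups and refuse it before regexp.Compile ever sees it. The following Go program is an added example written for this page; it is not code from the Go project or from the advisory. The limit `maxNesting` and the sample patterns are constructed values, and `SafeCompile` and `nestingDepth` are names chosen here. It counts only real group openers: escaped parentheses and parentheses inside character classes are skipped, so ordinary patterns are not rejected.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// maxNesting is an assumed policy limit on group nesting depth. It is a
// constructed value for this example: generous for real user patterns,
// far below the depth needed to exhaust the parser's stack.
const maxNesting = 32

// ErrTooDeep is returned when a pattern exceeds maxNesting.
var ErrTooDeep = errors.New("regex pattern nests too deeply")

// nestingDepth returns the maximum depth of nested groups in pattern.
// Escapes are skipped and parentheses inside [...] are treated as
// literals, since neither opens a group.
func nestingDepth(pattern string) int {
	depth, maxDepth := 0, 0
	inClass := false
	for i := 0; i < len(pattern); i++ {
		c := pattern[i]
		switch {
		case c == '\\':
			i++ // skip the escaped character, inside or outside a class
		case inClass:
			if c == ']' {
				inClass = false
			}
		case c == '[':
			inClass = true
			// A ']' directly after '[' or '[^' is a literal, not the class end.
			if i+1 < len(pattern) && pattern[i+1] == '^' {
				i++
			}
			if i+1 < len(pattern) && pattern[i+1] == ']' {
				i++
			}
		case c == '(':
			depth++
			if depth > maxDepth {
				maxDepth = depth
			}
		case c == ')':
			if depth > 0 {
				depth--
			}
		}
	}
	return maxDepth
}

// SafeCompile rejects over-nested patterns before calling regexp.Compile,
// so the parser never runs on input that could exhaust the stack.
func SafeCompile(pattern string) (*regexp.Regexp, error) {
	if nestingDepth(pattern) > maxNesting {
		return nil, ErrTooDeep
	}
	return regexp.Compile(pattern)
}

func main() {
	// Constructed sample inputs: a normal user pattern and an over-nested one.
	good := `^(?:[a-z]+)@(example|test)\.com$`
	deep := strings.Repeat("(", 40) + "a" + strings.Repeat(")", 40)

	if re, err := SafeCompile(good); err == nil {
		fmt.Println("accepted, matches:", re.MatchString("bob@example.com"))
	}
	if _, err := SafeCompile(deep); err != nil {
		fmt.Println("rejected:", err)
	}
}
```

Call SafeCompile wherever the application currently calls regexp.Compile or regexp.MustCompile on untrusted input; on a patched Go the check is redundant but harmless. When verifying deployed services rather than the toolchain, note that a built Go binary records the version it was compiled with, so `go version ./binary` shows whether the binary itself still needs a rebuild.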

🔍 How to Verify

Check if Vulnerable:

Check the Go version with the 'go version' command. If the version is in the range 1.0-1.16.14 or 1.17.0-1.17.7, the system is vulnerable.

Check Version:

go version

Verify Fix Applied:

After updating, verify that 'go version' reports 1.16.15+ or 1.17.8+. Test with known malicious regex patterns to confirm that stack exhaustion no longer occurs.

📡 Detection & Monitoring

Log Indicators:

  • Application crashes with stack overflow errors
  • High memory usage spikes during regex processing
  • Panic logs containing 'regexp' or 'stack overflow'

Network Indicators:

  • Unusually large regex patterns in HTTP POST/PUT requests
  • Repeated regex pattern submissions to same endpoint

SIEM Query:

source="application.logs" AND ("panic" OR "stack overflow" OR "regexp")
