CVE-2022-26650

7.5 HIGH

📋 TL;DR

This vulnerability in Apache ShenYu allows attackers to cause resource exhaustion (denial of service) by injecting malicious regular expressions into user-controllable parameters. The Pattern.matches() function can be exploited with crafted regex patterns that cause excessive backtracking, consuming CPU resources. This affects Apache ShenYu versions 2.4.0 through 2.4.2.

💻 Affected Systems

Products:
  • Apache ShenYu (incubating)
  • ShenYu-Bootstrap
Versions: 2.4.0, 2.4.1, 2.4.2
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the RegexPredicateJudge.java component where user input is passed directly to Pattern.matches().

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete service unavailability due to CPU exhaustion, potentially affecting all users of the application.

🟠 Likely Case

Degraded performance or intermittent service disruptions affecting specific endpoints.

🟢 If Mitigated

Minimal impact with proper input validation and resource limits in place.

🌐 Internet-Facing: HIGH - User-controllable parameters are directly exposed to attackers.
🏢 Internal Only: MEDIUM - Internal users could still exploit, but attack surface is reduced.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires crafting regex patterns that cause excessive backtracking (ReDoS).

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.4.3

Vendor Advisory: https://lists.apache.org/thread/8rp33m3nm4bwtx3qx76mqynth3t3d673

Restart Required: Yes

Instructions:

1. Upgrade Apache ShenYu to version 2.4.3 or later.
2. Replace the vulnerable RegexPredicateJudge.java with the patched version.
3. Restart the ShenYu service.

🔧 Temporary Workarounds

Input Validation Filter (applies to: all)

Implement regex pattern validation to reject complex patterns before they reach Pattern.matches().

Timeout Configuration (applies to: all)

Configure regex execution timeouts to limit resource consumption.
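The two workarounds above combined in one defensive class, as an added example that is not part of this advisory or of the Apache ShenYu code base. It assumes nothing about ShenYu internals: the class name GuardedRegex, the limits MAX_PATTERN_LENGTH and MAX_MATCH_NANOS, and the nested-quantifier heuristic are all illustrative choices, and the constructed sample inputs in main() exist only to exercise the two layers (String.repeat needs Java 11 or later). Because java.util.regex has no native timeout, the time budget is enforced through a CharSequence wrapper whose charAt() checks a deadline; the Matcher reads its input only through that method, so a runaway match is aborted at the next character read.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.regex.PatternSyntaxException;

/**
 * Added defensive example (not Apache ShenYu code): a replacement for
 * Pattern.matches(regex, input) for cases where the regex itself comes from
 * user input. Layer 1 rejects oversized, invalid, or nested-quantifier
 * patterns before they are evaluated; layer 2 enforces a time budget while
 * matching, so a pattern that slips past layer 1 cannot pin a CPU.
 */
public final class GuardedRegex {

    // Hypothetical limits; tune them for the deployment.
    static final int MAX_PATTERN_LENGTH = 256;
    static final long MAX_MATCH_NANOS = 50_000_000L; // 50 ms

    // Structural pre-check (illustrative, not exhaustive): a group that contains
    // a quantifier and is itself quantified, e.g. (a+)+ or (\w*)*, is the
    // classic catastrophic-backtracking shape.
    private static final Pattern NESTED_QUANTIFIER =
            Pattern.compile("\\([^()]*[+*][^()]*\\)[+*{]");

    /** Thrown when the matcher exceeds its time budget. */
    public static final class RegexTimeoutException extends RuntimeException {
        public RegexTimeoutException(String message) { super(message); }
    }

    /** Wraps the input so that every character read checks the deadline. */
    private static final class DeadlineCharSequence implements CharSequence {
        private final CharSequence inner;
        private final long deadlineNanos;

        DeadlineCharSequence(CharSequence inner, long deadlineNanos) {
            this.inner = inner;
            this.deadlineNanos = deadlineNanos;
        }

        @Override public int length() { return inner.length(); }

        @Override public char charAt(int index) {
            // Overflow-safe comparison of monotonic clock values.
            if (System.nanoTime() - deadlineNanos > 0) {
                throw new RegexTimeoutException("regex evaluation exceeded time budget");
            }
            return inner.charAt(index);
        }

        @Override public CharSequence subSequence(int start, int end) {
            return new DeadlineCharSequence(inner.subSequence(start, end), deadlineNanos);
        }

        @Override public String toString() { return inner.toString(); }
    }

    /** Layer 1: decide whether a user-supplied pattern may be evaluated at all. */
    public static boolean isAcceptablePattern(String regex) {
        if (regex == null || regex.length() > MAX_PATTERN_LENGTH) return false;
        if (NESTED_QUANTIFIER.matcher(regex).find()) return false;
        try {
            Pattern.compile(regex);
        } catch (PatternSyntaxException e) {
            return false;
        }
        return true;
    }

    /** Layer 2: match under a deadline. Throws on a rejected pattern or a timeout. */
    public static boolean safeMatches(String regex, CharSequence input) {
        if (!isAcceptablePattern(regex)) {
            throw new IllegalArgumentException("rejected regex pattern");
        }
        long deadline = System.nanoTime() + MAX_MATCH_NANOS;
        Matcher m = Pattern.compile(regex).matcher(new DeadlineCharSequence(input, deadline));
        return m.matches();
    }

    public static void main(String[] args) {
        // Constructed sample inputs for demonstration.
        System.out.println(safeMatches("[a-z]+@example\\.com", "alice@example.com")); // true

        // Nested quantifier: rejected by the structural pre-check, never evaluated.
        System.out.println(isAcceptablePattern("(a+)+$")); // false

        // Overlapping alternation passes the structural check but backtracks
        // exponentially on a near-miss input; the deadline guard stops it.
        String nearMiss = "a".repeat(40) + "!";
        try {
            safeMatches("(a|aa)+$", nearMiss);
        } catch (RegexTimeoutException e) {
            System.out.println("stopped: " + e.getMessage());
        }
    }
}
```

Call safeMatches wherever a user-controlled pattern would otherwise reach Pattern.matches(), and log both IllegalArgumentException and RegexTimeoutException with the offending pattern length and the request source: those events are exactly the "regex evaluation failures" and "execution timeouts" the Detection section below asks you to watch for. The pre-check is deliberately conservative and will reject some harmless patterns; the deadline is the layer that actually bounds CPU time.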

🧯 If You Can't Patch

  • Implement WAF rules to block regex patterns with excessive complexity
  • Rate limit requests to vulnerable endpoints to reduce attack impact

🔍 How to Verify

Check if Vulnerable:

Check if Apache ShenYu version is 2.4.0, 2.4.1, or 2.4.2 by examining the application version in configuration files or via admin interface.

Check Version:

Check application configuration files or use: grep -r "2\.4\.[0-2]" /path/to/shenyu/config/

Verify Fix Applied:

Confirm version is 2.4.3 or later and verify that RegexPredicateJudge.java no longer passes user input directly to Pattern.matches() without validation.

📡 Detection & Monitoring

Log Indicators:

  • High CPU usage spikes
  • Pattern.matches() execution timeouts
  • Repeated regex evaluation failures

Network Indicators:

  • Unusually large regex patterns in HTTP parameters
  • Multiple rapid requests to regex evaluation endpoints

SIEM Query:

source="shenyu" AND (cpu_usage>90 OR error="timeout" OR message="Pattern.matches")
