CVE-2023-51075

7.5 HIGH

📋 TL;DR

CVE-2023-51075 is an infinite-loop vulnerability in the StrSplitter.splitByRegex function of hutool-core that lets an attacker cause a Denial of Service (DoS) by supplying crafted regex patterns and input strings. It affects any application using a vulnerable version of the hutool Java utility library, and it can be exploited remotely without authentication.

💻 Affected Systems

Products:
  • hutool-core
Versions: v5.8.23 specifically (and potentially earlier versions with the same code)
Operating Systems: All platforms running Java applications
Default Config Vulnerable: ⚠️ Yes
Notes: Any Java application using hutool-core's StrSplitter.splitByRegex function with user-controlled input is vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete service unavailability: the infinite loop consumes 100% of CPU resources, requiring manual process termination and a service restart.

🟠 Likely Case

Partial service degradation or temporary unavailability of the specific endpoints that call the vulnerable function.

🟢 If Mitigated

Minimal impact when input validation, rate limiting, and monitoring are in place to detect and block malicious requests.

🌐 Internet-Facing: HIGH - Remote exploitation without authentication makes internet-facing applications particularly vulnerable to DoS attacks.
🏢 Internal Only: MEDIUM - Internal applications are still vulnerable but have reduced attack surface compared to internet-facing systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability is simple to exploit by providing specially crafted regex patterns and input strings that trigger infinite loops.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v5.8.24 or later

Vendor Advisory: https://github.com/dromara/hutool/issues/3421

Restart Required: Yes

Instructions:

1. Update the hutool-core dependency to v5.8.24 or later in your project's pom.xml or build.gradle.
2. Rebuild and redeploy your application.
3. Restart affected services.

🔧 Temporary Workarounds

Input Validation Workaround (platforms: all)

Implement strict input validation to reject or sanitize regex patterns and input strings before passing them to StrSplitter.splitByRegex.

Timeout Protection (platforms: all)

Wrap calls to StrSplitter.splitByRegex in a timeout mechanism so that an infinite loop cannot consume resources indefinitely.
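An added example combining the two workarounds above; it is not code from hutool or its maintainers. The guard bounds the sizes of the regex and input, runs the split on a worker thread under a deadline, and caps how many split calls may be in flight at once. The task lambda is where the real StrSplitter.splitByRegex call belongs; the demo substitutes java.util.regex so it compiles without hutool, and the SplitGuard class, the size limits, and the timeout values are assumptions for illustration.

```java
import java.util.List;
import java.util.concurrent.*;
import java.util.regex.Pattern;

// Added example, not hutool's code: bound input sizes, run the split under a deadline, and cap
// how many split calls may be in flight, so a call that never returns cannot exhaust the service.
public class SplitGuard {
    private final ExecutorService pool;
    private final Semaphore inFlight;
    private final long timeoutMillis;

    public SplitGuard(int maxInFlight, long timeoutMillis) {
        this.pool = Executors.newFixedThreadPool(maxInFlight);
        this.inFlight = new Semaphore(maxInFlight);
        this.timeoutMillis = timeoutMillis;
    }

    public List<String> split(String regex, String input, Callable<List<String>> task) {
        if (regex.length() > 64 || input.length() > 4096)   // cheap validation before any regex work
            throw new IllegalArgumentException("regex or input too long");
        if (!inFlight.tryAcquire())   // all workers busy, possibly spinning forever: reject, do not queue
            throw new IllegalStateException("too many split calls in flight");
        Future<List<String>> f = pool.submit(() -> {
            try { return task.call(); } finally { inFlight.release(); }
        });
        try {
            return f.get(timeoutMillis, TimeUnit.MILLISECONDS);
        } catch (TimeoutException e) {
            // A loop that ignores interruption keeps spinning but also keeps its permit, so later calls are rejected.
            f.cancel(true);
            throw new IllegalStateException("split exceeded " + timeoutMillis + " ms");
        } catch (ExecutionException e) {
            throw new IllegalArgumentException("split failed", e.getCause());
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            throw new IllegalStateException("interrupted while waiting for split");
        }
    }
    public void shutdown() { pool.shutdownNow(); }
    public static void main(String[] args) {
        SplitGuard guard = new SplitGuard(4, 200);
        System.out.println(guard.split(",", "a,b,c", () -> List.of(Pattern.compile(",").split("a,b,c"))));
        try {   // Simulated never-terminating split: stays busy until the guard interrupts it.
            guard.split("x", "y", () -> { while (!Thread.currentThread().isInterrupted()) {} return List.of(); });
        } catch (IllegalStateException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        guard.shutdown();
    }
}
```

Interrupting the worker only stops a loop that checks the interrupt flag; the in-flight cap is what keeps a loop that never checks it from multiplying across threads and taking the whole service with it.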

🧯 If You Can't Patch

  • Implement Web Application Firewall (WAF) rules to detect and block malicious regex patterns in requests
  • Deploy rate limiting and request throttling to mitigate DoS impact

🔍 How to Verify

Check if Vulnerable:

Check your project's dependency management file (pom.xml, build.gradle) for hutool-core version 5.8.23 or earlier

Check Version:

For Maven: mvn dependency:tree | grep hutool-core
For Gradle: gradle dependencies | grep hutool-core

Verify Fix Applied:

Confirm that the hutool-core version is 5.8.24 or later in your dependency management file and in the rebuilt, deployed application.

📡 Detection & Monitoring

Log Indicators:

  • High CPU usage spikes
  • Application threads stuck in processing loops
  • Timeout errors for specific endpoints

Network Indicators:

  • Unusually high request rates to endpoints using string splitting functionality
  • Requests containing complex regex patterns

SIEM Query:

source="application_logs" AND ("CPU usage" > 90% OR "timeout" OR "infinite loop")
