Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

CVE-2022-41715

UNKNOWN
Published 2022-10-14T00:00:00.000Z
Actions:

Expert Analysis

Professional remediation guidance

Get tailored security recommendations from our analyst team for CVE-2022-41715. We'll provide specific mitigation strategies based on your environment and risk profile.

No CVSS data available

Description

Programs which compile regular expressions from untrusted sources may be vulnerable to memory exhaustion or denial of service. The parsed regexp representation is linear in the size of the input, but in some cases the constant factor can be as high as 40,000, making relatively small regexps consume much larger amounts of memory. After fix, each regexp being parsed is limited to a 256 MB memory footprint. Regular expressions whose representation would use more space than that are rejected. Normal use of regular expressions is unaffected.

Available Exploits

No exploits available for this CVE.

Related News

No news articles found for this CVE.

Affected Products

Go standard library

regexp/syntax

Affected Versions:

0 1.19.0-0

GitHub Security Advisories

Community-driven vulnerability intelligence from GitHub

⚠ Unreviewed HIGH

GHSA-5wvm-rxcf-6cg8

Advisory Details

Programs which compile regular expressions from untrusted sources may be vulnerable to memory exhaustion or denial of service. The parsed regexp representation is linear in the size of the input, but in some cases the constant factor can be as high as 40,000, making relatively small regexps consume much larger amounts of memory. After fix, each regexp being parsed is limited to a 256 MB memory footprint. Regular expressions whose representation would use more space than that are rejected. Normal use of regular expressions is unaffected.

CVSS Scoring

CVSS Score

7.5

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2022-41715
WEB https://go.dev/cl/439356
WEB https://go.dev/issue/55949
WEB https://groups.google.com/g/golang-announce/c/xtuG5faxtaU
WEB https://lists.fedoraproject.org/archives/list/[email protected]/message/THKJHFMX4DAZXJ5MFPN3BNHZDN7BW5RI
WEB https://pkg.go.dev/vuln/GO-2022-1039

Advisory provided by GitHub Security Advisory Database. Published: October 14, 2022, Modified: October 19, 2022

References

https://go.dev/issue/55949
https://go.dev/cl/439356
https://groups.google.com/g/golang-announce/c/xtuG5faxtaU
https://pkg.go.dev/vuln/GO-2022-1039
https://security.gentoo.org/glsa/202311-09
Published: 2022-10-14T00:00:00.000Z
Last Modified: 2025-02-13T16:33:07.652Z
Copied to clipboard!