Vulnerability Report: GO-2021-0347

standard library

CVE-2022-24921
Affects: regexp
Published: May 23, 2022
Modified: May 20, 2024

On 64-bit platforms, an extremely deeply nested expression can cause regexp.Compile to cause goroutine stack exhaustion, forcing the program to exit. Note this applies to very large expressions, on the order of 2MB.

Affected Packages

Path

Go Versions

Symbols
regexp

before go1.16.15, from go1.17.0-0 before go1.17.8
1 unexported affected symbols
- regexp.Compile

Aliases

CVE-2022-24921

References

https://go.dev/cl/384616
https://go.googlesource.com/go/+/452f24ae94f38afa3704d4361d91d51218405c0a
https://go.dev/issue/51112
https://groups.google.com/g/golang-announce/c/RP1hfrBYVuk
https://vuln.go.dev/ID/GO-2021-0347.json

Credits

Juho Nurminen

Feedback

See anything missing or incorrect? Suggest an edit to this report.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL