Navigate endpoint is vulnerable to regex injection that may lead to Denial of Service.
Description
GraphHopper 2.0–2.3 is vulnerable to regex injection in the navigate endpoint, allowing DoS via crafted URLs.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In GraphHopper versions 2.0 through 2.3, the navigate module uses an unsanitized profile parameter in a regex operation (replaceFirst and replaceAll) on the request URL [1][3]. An attacker can inject a special regex pattern that causes exponential backtracking (ReDoS), leading to a Denial of Service. The vulnerability exists in the getPointsFromRequest method of NavigateResource.java [4].
Exploitation
The attacker sends a crafted HTTP request to the navigate endpoint with a malicious profile string that triggers catastrophic backtracking in the Java regex engine [1][3]. No authentication is required, and the request can be made remotely. The only condition is that the request must reach the affected method, which processes the URL path using replaceFirst and replaceAll with the attacker-controlled profile value [4].
Impact
Successful exploitation causes high CPU consumption on the server, leading to a Denial of Service (DoS) as the thread handling the request hangs or becomes unresponsive. This impacts availability of the routing service [2][3]. No data confidentiality or integrity is compromised.
Mitigation
The fix was released in versions 2.4 and 3.0 [1][2]. The patch replaces the regex-based URL manipulation with simple string operations (startsWith and substring) which are not vulnerable to injection [4]. Users should upgrade to at least version 2.4. There is no known workaround for unpatched versions.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
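The difference between the regex-based prefix stripping and the literal one described under Mitigation, as an added example (not GraphHopper's code): the class name, method names and sample profiles are constructed here, and `stripQuoted` is an alternative hardening that the patch does not use. The inputs contain only benign metacharacters, enough to show that the profile is interpreted as a pattern.

```java
import java.util.regex.Pattern;
import java.util.regex.PatternSyntaxException;

public class ProfilePrefixDemo {
    static final String BASE = "/navigate/directions/v5/gh/";

    // Pattern described on this page for 2.0-2.3: profile becomes part of a regex.
    static String stripWithRegex(String uri, String profile) {
        return uri.replaceFirst(BASE + profile + "/", "");
    }

    // Same approach as the fix: literal prefix check, no regex engine involved.
    static String stripLiteral(String uri, String profile) {
        String urlStart = BASE + profile + "/";
        if (!uri.startsWith(urlStart)) {
            throw new IllegalArgumentException("Incorrect URL");
        }
        return uri.substring(urlStart.length());
    }

    // Alternative hardening (assumption, not what the patch does): quote the input.
    static String stripQuoted(String uri, String profile) {
        return uri.replaceFirst(Pattern.quote(BASE + profile + "/"), "");
    }

    public static void main(String[] args) {
        String coords = "1.522438,42.504606;1.527209,42.504776"; // constructed sample
        String[] profiles = {"car", "a+b", "car("};              // constructed, benign
        for (String profile : profiles) {
            String uri = BASE + profile + "/" + coords;
            String regexResult;
            try {
                regexResult = stripWithRegex(uri, profile);
            } catch (PatternSyntaxException e) {
                regexResult = "PatternSyntaxException: " + e.getDescription();
            }
            System.out.println("profile=" + profile);
            System.out.println("  regex   -> " + regexResult);
            System.out.println("  literal -> " + stripLiteral(uri, profile));
            System.out.println("  quoted  -> " + stripQuoted(uri, profile));
        }
    }
}
```

With `a+b` the regex version leaves the URI unstripped and with `car(` it throws, while the literal and quoted versions return the coordinate string in all three cases.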
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| com.graphhopper:graphhopper-nav (Maven) | < 2.4 | 2.4 |
Affected products
- Range: >= 2.0, < 2.4
Patches
eb189be1fa74: avoid regex in navigate module (#2304)
1 file changed · +3 −5
navigation/src/main/java/com/graphhopper/navigation/NavigateResource.java+3 −5 modified@@ -188,13 +188,11 @@ private GHResponse calcRoute(List<Double> favoredHeadings, List<GHPoint> request * The url looks like: ".../{profile}/1.522438,42.504606;1.527209,42.504776;1.526113,42.505144;1.527218,42.50529?.." */ private List<GHPoint> getPointsFromRequest(HttpServletRequest httpServletRequest, String profile) { - String url = httpServletRequest.getRequestURI(); - url = url.replaceFirst("/navigate/directions/v5/gh/" + profile + "/", ""); - url = url.replaceAll("\\?[*]", ""); - + String urlStart = "/navigate/directions/v5/gh/" + profile + "/"; + if (!url.startsWith(urlStart)) throw new IllegalArgumentException("Incorrect URL " + url); + url = url.substring(urlStart.length()); String[] pointStrings = url.split(";"); - List<GHPoint> points = new ArrayList<>(pointStrings.length); for (int i = 0; i < pointStrings.length; i++) { points.add(GHPoint.fromStringLonLat(pointStrings[i]));
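Review bot: The added `startsWith` guard builds its exception message from the raw request URI (`"Incorrect URL " + url`), so attacker-chosen path text reaches whatever log line or error body that IllegalArgumentException ends up in; a fixed message, or a length-capped and escaped value, would avoid that, and it is worth confirming the exception is mapped to a 4xx response rather than a 500. The commit changes only NavigateResource.java, so a regression test that calls getPointsFromRequest with a profile containing regex metacharacters would keep the regex from coming back. The removed `replaceAll("\\?[*]", "")` matched a literal `?` followed by `*` rather than a query string, so dropping it looks safe, but a short comment noting that getRequestURI() carries no query part would document why.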
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-hf44-3mx6-vhhw (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2021-29506 (ghsa, ADVISORY)
- github.com/graphhopper/graphhopper/commit/eb189be1fa7443ebf4ae881e737a18f818c95f41 (ghsa, x_refsource_MISC, WEB)
- github.com/graphhopper/graphhopper/pull/2304 (ghsa, x_refsource_MISC, WEB)
- github.com/graphhopper/graphhopper/security/advisories/GHSA-hf44-3mx6-vhhw (ghsa, x_refsource_CONFIRM, WEB)