Apache ShenYu (incubating) Regular expression denial of service
Description
Apache ShenYu 2.4.0-2.4.2 RegexPredicateJudge.java accepts user-controlled regex patterns, enabling ReDoS via resource exhaustion.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In Apache ShenYu (incubating) versions 2.4.0, 2.4.1, and 2.4.2, the RegexPredicateJudge.java class in shenyu-bootstrap evaluates rule conditions with Pattern.matches(conditionData.getParamValue(), realData), where both the pattern and the subject string are user-controllable [1][3]. Pattern.matches compiles the supplied regex and runs a full match on every call, so an attacker who supplies a regular expression with nested or overlapping quantifiers can trigger catastrophic backtracking in java.util.regex and exhaust gateway resources [1][3].
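The following is an added illustration and is not ShenYu's own code or the 2.4.3 patch (which the page does not describe). It pairs a minimal judge with the shape the advisory describes (Pattern.matches on two caller-supplied strings) with one hardened form that validates and caches the pattern, bounds both inputs, and aborts a match that exceeds a time budget via a CharSequence wrapper. The class name, limits, and the nested-quantifier sample inputs are assumptions made for the example; Java 11 or later is needed for String.repeat.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.TimeUnit;
import java.util.regex.Pattern;
import java.util.regex.PatternSyntaxException;

// Added example, not ShenYu's code. vulnerableJudge mirrors the call described
// in the advisory; hardenedJudge is one illustrative mitigation (an assumption,
// not the fix shipped in 2.4.3).
public class RegexJudgeDemo {

    /** The vulnerable shape: compiles the caller's regex and matches it with no bounds. */
    static boolean vulnerableJudge(String conditionValue, String realData) {
        // Pattern.matches(r, s) == Pattern.compile(r).matcher(s).matches()
        return Pattern.matches(conditionValue, realData);
    }

    static final class RegexTimeoutException extends RuntimeException { }

    /** CharSequence that throws once a deadline passes; the regex engine reads input via charAt. */
    static final class DeadlineCharSequence implements CharSequence {
        private final CharSequence inner;
        private final long deadlineNanos;

        DeadlineCharSequence(CharSequence inner, long timeoutMillis) {
            this(inner, System.nanoTime() + TimeUnit.MILLISECONDS.toNanos(timeoutMillis));
        }
        private DeadlineCharSequence(CharSequence inner, long deadlineNanos) {
            this.inner = inner;
            this.deadlineNanos = deadlineNanos;
        }
        @Override public int length() { return inner.length(); }
        @Override public char charAt(int index) {
            // Backtracking calls charAt on every step, so the budget is checked frequently.
            if (System.nanoTime() > deadlineNanos) {
                throw new RegexTimeoutException();
            }
            return inner.charAt(index);
        }
        @Override public CharSequence subSequence(int start, int end) {
            return new DeadlineCharSequence(inner.subSequence(start, end), deadlineNanos);
        }
        @Override public String toString() { return inner.toString(); }
    }

    // Assumed limits; tune for the deployment.
    static final int MAX_PATTERN_LENGTH = 256;
    static final int MAX_INPUT_LENGTH = 4096;
    static final int MAX_CACHED_PATTERNS = 1024;
    static final long MATCH_TIMEOUT_MS = 50;
    private static final Map<String, Pattern> CACHE = new ConcurrentHashMap<>();

    /** Hardened judge: bound sizes, compile once, and cap the time a single match may take. */
    static boolean hardenedJudge(String conditionValue, String realData) {
        if (conditionValue == null || realData == null
                || conditionValue.length() > MAX_PATTERN_LENGTH
                || realData.length() > MAX_INPUT_LENGTH) {
            return false; // fail closed instead of handing an oversized job to the engine
        }
        Pattern pattern;
        try {
            // The cache is capped so attacker-supplied patterns cannot grow it without bound.
            pattern = CACHE.size() < MAX_CACHED_PATTERNS
                    ? CACHE.computeIfAbsent(conditionValue, Pattern::compile)
                    : Pattern.compile(conditionValue);
        } catch (PatternSyntaxException e) {
            return false;
        }
        try {
            return pattern.matcher(new DeadlineCharSequence(realData, MATCH_TIMEOUT_MS)).matches();
        } catch (RegexTimeoutException e) {
            return false; // over budget: treat as a non-match and let the request proceed
        }
    }

    public static void main(String[] args) {
        // Constructed inputs: a nested quantifier plus an input that nearly matches but fails
        // on its last character forces exponential backtracking in java.util.regex.
        String evilRegex = "^(a+)+$";
        String evilInput = "a".repeat(30) + "!";
        long t0 = System.nanoTime();
        boolean matched = hardenedJudge(evilRegex, evilInput);
        System.out.printf("hardened: match=%b, elapsed=%d ms%n", matched,
                TimeUnit.NANOSECONDS.toMillis(System.nanoTime() - t0));
        // vulnerableJudge(evilRegex, evilInput) with the same inputs would run for minutes.
    }
}
```

The deadline wrapper does not change the pattern's semantics; it only converts an unbounded match into a bounded one, so the remaining decision is what to return when the budget is exceeded. Failing closed (non-match) is the safe default for a routing predicate, but the choice should be logged so that a pattern hitting the limit is visible to operators.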
Exploitation
An attacker must be able to send HTTP requests to the ShenYu gateway and control either the condition parameter (conditionData.getParamValue()) or the evaluation data (realData). The attacker supplies a crafted regex (for example one with nested quantifiers such as (a+)+, or overlapping alternations) together with an input that nearly matches but fails near its end; this forces the regex engine into exponential backtracking and pins CPU, and possibly memory, for the duration of the match [1][3].
Impact
Successful exploitation causes a denial-of-service (DoS) condition through high CPU consumption and possible memory exhaustion, making the ShenYu gateway unresponsive to legitimate traffic. No data disclosure or privilege escalation is reported [1][3].
Mitigation
The vulnerability is fixed in Apache ShenYu (incubating) 2.4.3 [1][3]. Users should upgrade to 2.4.3 or apply the patch at https://github.com/apache/incubator-shenyu/pull/2975 [3]. No known workarounds exist for unpatched versions.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package (ecosystem) | Affected versions | Patched versions |
|---|---|---|
| org.apache.shenyu:shenyu (Maven) | >= 2.4.0, < 2.4.3 | 2.4.3 |
| org.apache.shenyu:shenyu-bootstrap (Maven) | >= 2.4.0, < 2.4.3 | 2.4.3 |
Affected products
- GHSA coordinates (2 versions): >= 2.4.0, < 2.4.3
- (no CPE) range: >= 2.4.0, < 2.4.3
- (no CPE) range: >= 2.4.0, < 2.4.3
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- https://github.com/advisories/GHSA-cw56-j3fm-7w57 (GHSA advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2022-26650 (NVD advisory)
- https://www.openwall.com/lists/oss-security/2022/05/17/3 (oss-security mailing list)
- https://lists.apache.org/thread/8rp33m3nm4bwtx3qx76mqynth3t3d673 (Apache mailing list)