High severityNVD Advisory· Published Jul 13, 2022· Updated Aug 3, 2024

Regular Expression Denial of Service (ReDoS) in ContentType.java. (GHSL-2022-022)

CVE-2022-31781

Description

Apache Tapestry up to version 5.8.1 is vulnerable to Regular Expression Denial of Service (ReDoS) in the way it handles Content Types. Specially crafted Content Types may cause catastrophic backtracking, taking exponential time to complete. Specifically, this is about the regular expression used on the parameter of the org.apache.tapestry5.http.ContentType class. Apache Tapestry 5.8.2 has a fix for this vulnerability. Notice the vulnerability cannot be triggered by web requests in Tapestry code alone. It would only happen if there's some non-Tapestry codepath passing some outside input to the ContentType class constructor.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Apache Tapestry 5.8.1 and earlier are vulnerable to ReDoS via crafted Content-Type strings processed by the ContentType class constructor.

Vulnerability

Overview

CVE-2022-31781 is a Regular Expression Denial of Service (ReDoS) vulnerability in Apache Tapestry, affecting versions up to 5.8.1. The flaw resides in the org.apache.tapestry5.http.ContentType class, which uses a regular expression to parse Content-Type parameters. Specifically, the regex ^(.+)/([^;]+)(;(.+=[^;]+))*$ can exhibit catastrophic backtracking when processing specially crafted input, causing exponential runtime [1][2].

Exploitation

Characteristics

To exploit the vulnerability, an attacker must deliver a malicious Content-Type string to the ContentType constructor. However, the official advisory notes that the vulnerability cannot be triggered by normal web requests in Tapestry code alone. Exploitation would only be possible if a separate, non-Tapestry code path passes untrusted input to this constructor [1][2]. This prerequisite significantly limits the attack surface in typical deployments.

Impact

Successful exploitation leads to a denial-of-service condition, as the affected regex consumes excessive CPU resources. The fix, released in Tapestry 5.8.2, constrains the number of allowed parameter repetitions in the regex to prevent backtracking. The Git commit shows the pattern changed to ^(.+)/([^;]+)(;(.+=[^;]+)){0,5}$, and a unit test now ensures that malformed input causes an immediate IllegalArgumentException instead of hanging [3].

Mitigation

Users are strongly advised to upgrade to Apache Tapestry 5.8.2 or later. No workaround is provided, as the vulnerable code path is only reachable via non-standard integration points. Organizations should audit any custom code that directly invokes the ContentType constructor with external data [1][2].

References

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
org.apache.tapestry:tapestry-coreMaven	< 5.8.2	5.8.2

Affected products

ghsa-coords
pkg:maven/org.apache.tapestry/tapestry-core
Range: < 5.8.2
Apache Software Foundation/Apache Tapestryv5
Range: 5.8.1

Patches

3c8d6103832e

Tweaking ContentType's parser regular expression.

https://github.com/apache/tapestry-5Thiago H. de Paula FigueiredoApr 18, 2022via ghsa

commit

2 files changed · +8 −1

tapestry-core/src/test/java/org/apache/tapestry5/root/ContentTypeTest.java+7 −0 modified

@@ -154,4 +154,11 @@ public void add_charset() throws Exception
         assertEquals(base.toString(), "text/html");
         assertEquals(charset.toString(), "text/html;charset=utf-8");
     }
+    
+    @Test(timeOut = 100, expectedExceptions = IllegalArgumentException.class)
+    public void constructor_timeout() throws Exception
+    {
+        new ContentType("a/a;a=:;a=:;a=:;a=:;a=:;a=:;a=:;a=:;a=:;a=:;a=:;a=:;a=:;a=:;a=:;a=:;a=:;a=:;a=:;a=:;a=:;a=:;a=:;a=:;a=:;a=:;a=:;a=:;a=:;a=:;");
+    }
+    
 }

tapestry-http/src/main/java/org/apache/tapestry5/http/ContentType.java+1 −1 modified

@@ -39,7 +39,7 @@ public final class ContentType
 
     private final Map<String, String> parameters;
 
-    private static final Pattern PATTERN = Pattern.compile("^(.+)/([^;]+)(;(.+=[^;]+))*$");
+    private static final Pattern PATTERN = Pattern.compile("^(.+)/([^;]+)(;(.+=[^;]+)){0,5}$");
 
     /**
      * Creates a new content type from the argument. The format of the argument has to be basetype/subtype(;key=value)*

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-227g-7cvv-6ff3ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2022-31781ghsaADVISORY
github.com/apache/tapestry-5/commit/3c8d6103832eec3bc06029dd2532f06df717431fghsaWEB
www.openwall.com/lists/oss-security/2022/07/12/3ghsax_refsource_MISCWEB

News mentions

No linked articles in our index yet.

cvss	0.455
epss	0.001
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000