CVE-2022-24921 Overview
CVE-2022-24921 is a stack exhaustion vulnerability in the Go programming language's regexp.Compile function. The vulnerability allows attackers to cause a denial of service condition by supplying a deeply nested regular expression, which exhausts the stack during compilation. This affects Go versions before 1.16.15 and 1.17.x versions before 1.17.8.
Critical Impact
This vulnerability enables remote attackers to crash applications that process untrusted regular expressions, leading to denial of service. Any Go application that compiles user-supplied regex patterns is potentially affected.
Affected Products
- Golang Go (versions before 1.16.15 and 1.17.x before 1.17.8)
- NetApp Astra Trident
- Debian Linux 9.0
Discovery Timeline
- 2022-03-05 - CVE-2022-24921 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2022-24921
Vulnerability Analysis
The vulnerability exists in the regexp.Compile function within Go's standard library. When processing regular expressions with deeply nested structures (such as multiple levels of grouping or alternation), the compiler uses recursive function calls to parse the expression tree. Without proper depth limits, an attacker can craft a malicious regex pattern that causes the call stack to grow beyond available memory, resulting in a stack overflow and subsequent application crash.
This type of vulnerability is particularly dangerous in server applications that accept user-provided regular expressions, such as search functionality, input validation systems, or configuration parsing. The attack can be executed remotely over the network without requiring authentication, making it accessible to unauthenticated attackers.
Root Cause
The root cause is categorized as CWE-674 (Uncontrolled Recursion). The regexp.Compile function's parser recursively descends into nested expression components without enforcing a maximum recursion depth. When processing expressions like (((((((((((...)))))))))))with sufficient nesting levels, each level of parentheses triggers another recursive call, eventually exhausting the available stack space. The fix involves implementing proper recursion depth limits during regex compilation.
Attack Vector
The attack vector is network-based and requires no user interaction or special privileges. An attacker can exploit this vulnerability by sending a crafted regular expression string to any endpoint that passes the input to regexp.Compile, regexp.MustCompile, or related functions. The attack payload consists of a deeply nested regex pattern that triggers uncontrolled recursion during the parsing phase.
For example, a malicious regex might contain thousands of nested groups or alternation operators. When the application attempts to compile this pattern, the recursive descent parser will exhaust the stack before completing, causing the entire application or goroutine to crash. In production environments, this could lead to service unavailability.
Detection Methods for CVE-2022-24921
Indicators of Compromise
- Sudden application crashes or restarts in Go applications that process regex patterns
- Stack overflow errors or panic messages in application logs referencing the regexp package
- Abnormally long or complex regular expression strings in request logs
- Memory or stack-related errors in containerized Go applications
Detection Strategies
- Monitor application logs for panic messages containing regexp/syntax or stack overflow indicators
- Implement request logging to capture and analyze unusually large or complex regex inputs
- Use runtime monitoring to detect abnormal stack growth patterns in Go processes
- Deploy application performance monitoring (APM) to track regex compilation times and resource usage
Monitoring Recommendations
- Set up alerts for Go application crashes that include regexp in the stack trace
- Monitor for repeated crash-restart cycles that could indicate exploitation attempts
- Track the size and complexity of user-submitted regex patterns at the application layer
- Implement SentinelOne Singularity Platform for real-time process monitoring and crash detection
How to Mitigate CVE-2022-24921
Immediate Actions Required
- Upgrade Go to version 1.16.15 or later (for 1.16.x branch) or 1.17.8 or later (for 1.17.x branch)
- Audit applications to identify all locations where user input is passed to regexp.Compile
- Implement input validation to limit the length and complexity of user-supplied regex patterns
- Deploy SentinelOne Singularity Platform for automated detection of exploitation attempts
Patch Information
The Go team addressed this vulnerability in Go versions 1.16.15 and 1.17.8 by implementing proper recursion depth limits in the regex parser. Organizations should upgrade to these patched versions or later to fully remediate the vulnerability. For detailed patch information, refer to the Golang Announcement Google Group.
Additional vendor advisories are available from:
- NetApp Security Advisory NTAP-20220325-0010
- Debian LTS Advisory #20220417
- Gentoo GLSA 2022-08-02
- Siemens Security Certification Document
Workarounds
- Implement application-level input validation to reject regex patterns exceeding a maximum length threshold
- Add preprocessing logic to count nesting depth before passing patterns to regexp.Compile
- Use timeouts when compiling user-supplied regular expressions to limit resource consumption
- Consider using alternative regex libraries with built-in recursion limits for untrusted input
# Verify Go version is patched
go version
# Expected output should show go1.16.15+, go1.17.8+, or go1.18+
# Update Go to the latest stable version
# For Linux/macOS using official installer:
wget https://go.dev/dl/go1.21.latest.linux-amd64.tar.gz
sudo rm -rf /usr/local/go
sudo tar -C /usr/local -xzf go1.21.latest.linux-amd64.tar.gz
# Verify the update
go version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
