Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 12 Jul 2022 14:58:47 -0300
From: "Thiago H. de Paula Figueiredo" <>
To: Tapestry users <>
Cc: Apache Security Team <>,
Subject: [CVE-2022-31781] Apache Tapestry denial of service vulnerability

Regular Expression Denial of Service (ReDoS) in
(GHSL-2022-022) (CVE-2022-31781)


This issue affects Apache Tapestry 5.8.1.


Severity: low

Apache Tapestry up to version 5.8.1 is vulnerable to Regular
Expression Denial of Service (ReDoS) in the way it handles Content
Types. Specially crafted Content Types may cause catastrophic
backtracking, taking exponential time to complete.

Specifically, this is about the regular expression used on the
parameter of the org.apache.tapestry5.http.ContentType class.

Apache Tapestry 5.8.2 has a fix for this vulnerability.

Notice the vulnerability cannot be triggered by web requests in
Tapestry code alone. It would only happen if there's some non-Tapestry
codepath passing some outside input to the ContentType class

This issue has been assigned CVE-2022-31781.


: Initial Publication.


CVE-2022-31781 at


CodeQL team members [@atorralba (Tony
Torralba)]( and [@joefarebrother (Joseph

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.