SpiderLabs / owasp-modsecurity-crs

OWASP ModSecurity Core Rule Set (CRS) Project (Official Repository)

Home Page: https://modsecurity.org/crs

Vulnerable Regular Expressions in 942170

DragonRegex opened this issue

Type of Issue

Potential Regex Denial of Service (ReDoS)

Description

The vulnerable regular expressions are located in util/regexp-assemble/regexp-942170.data on lines 1-6.

The ReDoS vulnerabilities of these regular expressions are mainly due to the sub-pattern \s*?[(]?\s*? and can be exploited with the following string:
\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t!

Thank you for reporting.

We can either (a) not reproduce your findings, or (b) they are prevented by the PCRE match limits, namely on ModSecurity 2.

While there are rules with severe ReDoS issues in CRS, the ones you report do not fall into this category from our point of view. We get reports like yours from time to time. Usually people just look at the regular expression and do not try it out on a real CRS installation. ModSec has prevention mechanisms and not everything that kills the PCRE engine is also killing ModSec.

If you are able to prove that you can DoS a real CRS installation with the payload above, then please report it via the channel described in our SECURITY.md file (DoS is security relevant and we would prefer to keep it private while we work on a fix).
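
Added example, not part of the issue thread and not CRS or ModSecurity code: a hand-written backtracking model of the sub-pattern `\s*?[(]?\s*?` that counts how many times the engine retries the rest of the pattern on a run of tabs ending in `!`, and shows a step budget cutting the search off in the spirit of the match limits mentioned in the reply. Assumptions: the trailing `\w` stands in for the rest of the rule (which is not shown on this page), the tab counts and budget are constructed values, and the step count is this model's own, not PCRE's accounting.

```python
# Added illustration: a hand-written backtracking model, not PCRE and not CRS code.
# Models  \s*?[(]?\s*?\w  searched unanchored; the trailing \w is an assumption.

class BudgetExceeded(Exception):
    """Raised when the step budget is exhausted (stand-in for a match limit)."""

def search_steps(subject, budget=None):
    """Return (matched, steps); steps counts attempts to match the tail."""
    steps = 0
    n = len(subject)

    def tail(pos):
        nonlocal steps
        steps += 1
        if budget is not None and steps > budget:
            raise BudgetExceeded(steps)
        c = subject[pos] if pos < n else ""
        return c.isalnum() or c == "_"

    def second_ws(pos):
        # Second lazy \s*?: try zero characters first, then one more each time.
        while True:
            if tail(pos):
                return True
            if pos < n and subject[pos].isspace():
                pos += 1
            else:
                return False

    def paren(pos):
        # [(]? is greedy: try consuming "(" first, then try skipping it.
        if pos < n and subject[pos] == "(" and second_ws(pos + 1):
            return True
        return second_ws(pos)

    for start in range(n + 1):      # unanchored search: every start offset
        pos = start
        while True:                 # first lazy \s*?
            if paren(pos):
                return True, steps
            if pos < n and subject[pos].isspace():
                pos += 1
            else:
                break
    return False, steps

def run(n_tabs, budget=None):
    """Constructed input: n_tabs tab characters followed by '!'."""
    try:
        return search_steps("\t" * n_tabs + "!", budget)
    except BudgetExceeded:
        return None, budget         # search aborted, no verdict
```

In this model the failing search costs C(n+3, 3) + 1 tail attempts for n tabs, so the growth is cubic rather than exponential, and a fixed budget turns a long input into an aborted match instead of unbounded work.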