August 18, 2022

GHSL-2022-022: Regular Expression Denial of Service (ReDoS) in Tapestry - CVE-2022-31781

GitHub Security Lab

Coordinated Disclosure Timeline


Apache Tapestry up to version 5.8.1 is vulnerable to Regular Expression Denial of Service (ReDoS) in the way it handles Content Types. Specially crafted Content Types may cause catastrophic backtracking, taking exponential time to complete.


Apache Tapestry

Tested Version



Issue: Regular Expression Denial of Service (ReDoS) in ContentType (GHSL-2022-022)

Apache Tapestry uses the following regular expression to match Content Type headers in the constructor of the ContentType class:

import java.util.regex.Matcher;
import java.util.regex.Pattern;
// --snip--
private static final Pattern PATTERN = Pattern.compile("^(.+)/([^;]+)(;(.+=[^;]+))*$");
// --snip--
public ContentType(String contentType)
{
    Matcher matcher = PATTERN.matcher(contentType);

    if (!matcher.matches())
    // --snip--
}

Note the nested repetition at (;(.+=[^;]+))*. When the input does not fully match, the regex engine has to backtrack exponentially [1], because it must try every way of dividing the input between the + after the dot, the [^;]+ subexpression that follows it, and the * repetition of the enclosing group.

Although the ContentType class is not used to handle user-provided Content Type headers in the framework itself, an application that uses Apache Tapestry could do so, becoming vulnerable to attackers providing malicious headers that may cause the denial of service.

As an example, the following snippet shows how to reproduce the vulnerability using the constructor of the ContentType class:

import org.apache.tapestry5.http.ContentType; // package of ContentType in Tapestry 5.5 and later (assumption; earlier releases used org.apache.tapestry5.ContentType)

public class RedosTapestryPoc {

    public static void main(String[] args) {
        // The trailing ';' guarantees that there is no full match, so the engine
        // tries every way of splitting the parameters between repetitions before failing.
        new ContentType("a/a;a=:;a=:;a=:;a=:;a=:;a=:;a=:;a=:;a=:;a=:;a=:;a=:;a=:;a=:;a=:;a=:;a=:;a=:;a=:;a=:;a=:;a=:;a=:;a=:;a=:;a=:;a=:;a=:;a=:;a=:;");
    }
}

Note that JDK 9 introduced important mitigations for this problem, so in order to reproduce the issue with the above example, the application using Apache Tapestry must be run with JDK 8 or earlier.
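To verify the backtracking behaviour described above and to show what an unambiguous replacement looks like, the following is an added example (not code from the advisory or from Apache Tapestry) written in Python, whose re module is a backtracking engine like java.util.regex and blows up on the same pattern. The HARDENED pattern is this example's own proposal, not Tapestry's fix: it restricts the type and subtype to characters other than / and ;, and makes each ;key=value parameter unambiguous, so the engine has exactly one way to split the input. The redos_input helper builds the same shape of header as the proof-of-concept string above; the trailing ; is constructed to force a mismatch at $.

```python
"""Catastrophic backtracking in ^(.+)/([^;]+)(;(.+=[^;]+))*$ versus an
unambiguous replacement.  Added example using Python's backtracking `re`
engine; the advisory's own code is Java."""
import re
import time

# The pattern quoted in the advisory (Tapestry's ContentType constructor).
VULNERABLE = re.compile(r"^(.+)/([^;]+)(;(.+=[^;]+))*$")

# Hardened equivalent (this example's proposal, not Tapestry's fix).
# Type and subtype exclude '/' and ';', each parameter key excludes ';' and
# '=', and each value excludes ';', so no character can belong to more than
# one subexpression and the engine never has a second way to split the input.
HARDENED = re.compile(r"^([^/;]+)/([^/;]+)((?:;[^;=]+=[^;]+)*)$")


def parse_content_type(header, pattern=HARDENED):
    """Return (type, subtype, {param: value}) or None if the header is malformed."""
    m = pattern.match(header)
    if not m:
        return None
    mime_type, subtype = m.group(1), m.group(2)
    params = {}
    # Everything after "type/subtype" is the parameter list; split it ourselves
    # rather than relying on the regex groups, which only keep the last repetition.
    rest = header[len(mime_type) + 1 + len(subtype):]
    for part in filter(None, rest.split(";")):
        key, _, value = part.partition("=")
        params[key.strip()] = value.strip()
    return mime_type, subtype, params


def redos_input(n):
    """Constructed input: 'a/a' followed by n ';a=:' parameters and a trailing ';'.

    The trailing ';' cannot be consumed by any repetition (each must end with
    [^;]+), so the match fails at '$' and the vulnerable pattern tries every one
    of the ~2**(n-1) ways of grouping the n parameters before giving up."""
    return "a/a" + ";a=:" * n + ";"


def time_match(pattern, header):
    """Seconds spent deciding whether `header` matches `pattern`."""
    start = time.perf_counter()
    pattern.match(header)
    return time.perf_counter() - start


if __name__ == "__main__":
    print(" n  vulnerable(s)  hardened(s)")
    for n in range(10, 21, 2):
        header = redos_input(n)
        print(f"{n:2d}  {time_match(VULNERABLE, header):13.4f}  "
              f"{time_match(HARDENED, header):11.6f}")
```

Running the script prints a timing sweep: with the original pattern the time roughly doubles with every extra parameter, while the hardened pattern stays flat, and both patterns still agree on well-formed headers such as text/html;charset=utf-8. A length cap on the header in front of the parser is a cheap extra layer, but it only bounds the damage; removing the ambiguity in the pattern is what removes the backtracking.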


This issue may lead to a denial of service of the application using Apache Tapestry through resource consumption.


[1] [2]



This issue was discovered and reported by the CodeQL team members @atorralba (Tony Torralba) and @joefarebrother (Joseph Farebrother).


You can contact the GHSL team at, please include a reference to GHSL-2022-022 in any communication regarding this issue.