CVE-2022-31781: 
Java vulnerability analysis and mitigation

Apache Tapestry versions up to 5.8.1 were found to contain a Regular Expression Denial of Service (ReDoS) vulnerability in the way it handles Content Types. The vulnerability was discovered by the CodeQL team and was assigned CVE-2022-31781. The issue was initially reported on April 7, 2022, and was fixed with the release of version 5.8.2 on June 20, 2022 (GitHub Security Lab).

The vulnerability exists in the ContentType.java class where a regular expression pattern ^(.+)/([^;]+)(;(.+=[^;]+))*$ is used to match Content Type headers. The issue specifically involves nested repetition at (;(.+=[^;]+))*, which can cause exponential backtracking in the regex engine when attempting to distinguish matching parts of the expression. This vulnerability is particularly impactful when running on JDK versions 8 or lower, as JDK 9 introduced mitigations for this type of issue (GitHub Security Lab).

The exploitation of this vulnerability could lead to a denial of service through resource consumption. However, it's important to note that the vulnerability cannot be triggered by web requests in Tapestry code alone and would only occur if there's some non-Tapestry codepath passing outside input to the ContentType class constructor (Openwall).

The vulnerability has been fixed in Apache Tapestry version 5.8.2, released on June 20, 2022. Users are advised to upgrade to this version or later to address the issue. Additionally, running the application on JDK 9 or later provides built-in mitigations for this type of ReDoS vulnerability (GitHub Security Lab).