RUSTSEC-2022-0013: 
Rust vulnerability analysis and mitigation

The regex crate for Rust contained a vulnerability (CVE-2022-24713) where built-in mitigations designed to prevent denial of service attacks from untrusted regexes could be bypassed. The vulnerability affected all versions of the regex crate up to and including version 1.5.4, with the fix being introduced in version 1.5.5. The issue specifically impacted services that accept user-controlled, untrusted regular expressions (Rust Security).

The vulnerability stems from a bug in the regex crate's built-in mitigations that were intended to prevent untrusted regexes from taking arbitrary amounts of time during parsing. The security measures, which were documented and considered part of the crate's API, could be circumvented by specially crafted regular expressions. This bypass allowed for the creation of regexes that could evade the complexity limitations put in place by the crate (Rust Security).

The primary impact of this vulnerability is the potential for denial of service attacks when services accept user-controlled, untrusted regular expressions. The severity of this vulnerability is rated as 'high' specifically when the regex crate is used to parse untrusted regexes. It's important to note that using the crate to parse untrusted input with trusted regexes is not affected by this vulnerability (Rust Security).

The primary mitigation is to upgrade to regex version 1.5.5 or later, which contains the fix for this vulnerability. Due to the infinite possibilities of problematic regexes, blocking known problematic patterns is not recommended as an effective mitigation strategy (Rust Security).