CVE-2019-13225

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2019-13225
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-13225.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2019-13225
Downstream
Related
Published
2019-07-10T14:15:11Z
Modified
2025-10-21T04:46:05.308088Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVSS Calculator
Summary
[none]
Details

A NULL Pointer Dereference in match_at() in regexec.c in Oniguruma 6.9.2 allows attackers to potentially cause denial of service by providing a crafted regular expression. Oniguruma issues often affect Ruby, as well as common optional libraries for PHP and Rust.

References

Affected packages

Git / github.com/kkos/oniguruma

Affected ranges

Type
GIT
Repo
https://github.com/kkos/oniguruma
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
c509265c5f6ae7264f7b8a8aae1cfa5fc59d108c

Affected versions

v5.*

v5.9.6

v6.*

v6.0.0
v6.1.0
v6.1.1
v6.1.2
v6.1.3
v6.2.0
v6.3.0
v6.4.0
v6.5.0
v6.6.0
v6.6.1
v6.7.0
v6.7.1
v6.8.0
v6.8.1
v6.8.2
v6.9.0
v6.9.1
v6.9.2
v6.9.2_rc1
v6.9.2_rc2
v6.9.2_rc3

Database specific

vanir_signatures

[
    {
        "source": "https://github.com/kkos/oniguruma/commit/c509265c5f6ae7264f7b8a8aae1cfa5fc59d108c",
        "target": {
            "file": "src/regcomp.c"
        },
        "digest": {
            "line_hashes": [
                "85141731386316851965725583353761852847",
                "204595937784327686332058629384380229674",
                "319247688735767608892947998935321169709",
                "241674881094433395339525784506746142782",
                "254990912557451104883114518374002790439",
                "64454262332086805412704828737206622359",
                "236140884305776523355892540789865807574",
                "153336709126352052758112735148905899679",
                "31377849021423607495904267593121150756",
                "238769940960044662172765831089931524544",
                "81098403367417136783006037704082788478",
                "51827213460557364345719534556334902980",
                "191418956654247562735926728659014972090",
                "115988239015902885453971979046210904656",
                "204180771395020458451583621508510201132",
                "199645093322366396782428046900108468049",
                "153111474359541123152405185688874873236",
                "208669678462544222830419350908637931312",
                "293828640975033680040692157692155978758",
                "177700100071828633901527881869930075299",
                "74837920887297519773133792580998496808"
            ],
            "threshold": 0.9
        },
        "deprecated": false,
        "signature_type": "Line",
        "id": "CVE-2019-13225-2b85bd8b",
        "signature_version": "v1"
    },
    {
        "source": "https://github.com/kkos/oniguruma/commit/c509265c5f6ae7264f7b8a8aae1cfa5fc59d108c",
        "target": {
            "function": "compile_length_bag_node",
            "file": "src/regcomp.c"
        },
        "digest": {
            "function_hash": "136352198404887022080578989389975003742",
            "length": 2277.0
        },
        "deprecated": false,
        "signature_type": "Function",
        "id": "CVE-2019-13225-a8853a59",
        "signature_version": "v1"
    },
    {
        "source": "https://github.com/kkos/oniguruma/commit/c509265c5f6ae7264f7b8a8aae1cfa5fc59d108c",
        "target": {
            "function": "compile_bag_node",
            "file": "src/regcomp.c"
        },
        "digest": {
            "function_hash": "186066642544576952066181731115535465672",
            "length": 2316.0
        },
        "deprecated": false,
        "signature_type": "Function",
        "id": "CVE-2019-13225-e8f9d8ee",
        "signature_version": "v1"
    }
]