org.apache.shenyu:shenyu-plugin-base is vulnerable to regular expression denial of service (ReDoS) attacks. Both the conditionData and realData parameters of the judge function in RegexPredicateJudge.java are user-controlled. A remote attacker can cause resource exhaustion by passing malicious regular expressions and input strings through these parameters, resulting in a denial of service condition.
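The following is an added example, not ShenYu's own code, showing how a judge that receives both the pattern and the text from untrusted input can fail closed instead of burning a worker thread on catastrophic backtracking. It assumes the judge delegates to java.util.regex; the class name, length limits and 50 ms budget are hypothetical values chosen for illustration.

```java
import java.util.concurrent.TimeUnit;
import java.util.regex.Pattern;
import java.util.regex.PatternSyntaxException;

// Added example, not ShenYu's code: a regex judge that bounds the cost of matching
// a user-controlled pattern (conditionData) against user-controlled input (realData).
// The length limits and the 50 ms budget are assumed values, not project settings.
public final class BoundedRegexJudge {
    private static final int MAX_PATTERN_LENGTH = 256;
    private static final int MAX_INPUT_LENGTH = 1024;
    private static final long BUDGET_NANOS = TimeUnit.MILLISECONDS.toNanos(50);

    static final class RegexTimeoutException extends RuntimeException {
        RegexTimeoutException(String msg) { super(msg); }
    }

    // java.util.regex reads its input through CharSequence.charAt(), so a deadline
    // check there interrupts catastrophic backtracking at the next character read.
    private static final class DeadlineCharSequence implements CharSequence {
        private final CharSequence inner;
        private final long deadlineNanos;
        DeadlineCharSequence(CharSequence inner, long deadlineNanos) {
            this.inner = inner;
            this.deadlineNanos = deadlineNanos;
        }
        @Override public int length() { return inner.length(); }
        @Override public char charAt(int index) {
            if (System.nanoTime() > deadlineNanos) {
                throw new RegexTimeoutException("regex match exceeded time budget");
            }
            return inner.charAt(index);
        }
        @Override public CharSequence subSequence(int start, int end) {
            return new DeadlineCharSequence(inner.subSequence(start, end), deadlineNanos);
        }
        @Override public String toString() { return inner.toString(); }
    }

    // Fails closed: oversized, malformed or runaway patterns count as "no match".
    public static boolean judge(String conditionData, String realData) {
        if (conditionData == null || realData == null
                || conditionData.length() > MAX_PATTERN_LENGTH
                || realData.length() > MAX_INPUT_LENGTH) {
            return false;
        }
        try {
            Pattern pattern = Pattern.compile(conditionData);
            long deadline = System.nanoTime() + BUDGET_NANOS;
            return pattern.matcher(new DeadlineCharSequence(realData, deadline)).matches();
        } catch (PatternSyntaxException | RegexTimeoutException e) {
            return false;
        }
    }
}
```

The time budget limits the damage of a single request; the stronger fix is to stop accepting arbitrary patterns from untrusted parties (allowlist or pre-validate rule patterns at configuration time) or to match with a linear-time engine such as RE2J.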