CVE-2025-58050
BaseFortify
Publication date: 2025-08-27
Last updated on: 2025-09-09
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| pcre | pcre2 | 10.45 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-125 | The product reads data past the end, or before the beginning, of the intended buffer. |
| CWE-122 | A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc(). |
| CWE-787 | The product writes data past the end, or before the beginning, of the intended buffer. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-58050 is a heap-buffer-overflow read vulnerability in the PCRE2 library version 10.45. It occurs in the regular expression engine when using the (*scs:...) (Scan SubString) verb combined with (*ACCEPT). The issue arises because after an ACCEPT operation inside a scan substring block, certain internal buffer pointers (mb->end_subject and mb->true_end_subject) are not properly restored to their original values. This causes subsequent operations, like backreference matching, to perform out-of-bounds memory reads, potentially leaking information. The vulnerability can be triggered only by attacker-controlled regex patterns, not by crafted input text, and was fixed in version 10.46 by restoring these buffer pointers correctly. [1, 3]
How can this vulnerability impact me? :
This vulnerability can lead to information disclosure by allowing an attacker to read memory beyond the intended buffer boundaries during regex matching. Although the impact on confidentiality is low and it does not affect integrity, it may enable escalation of other system vulnerabilities by leaking sensitive information. It can also cause denial-of-service conditions. The vulnerability can be exploited remotely without any privileges or user interaction, making it a moderate security risk. [1, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the PCRE2 library version in use and by attempting to reproduce the issue using the pcre2test binary with AddressSanitizer. Specifically, running the test regex pattern /(a)(b+)(*scs:(1)a(*ACCEPT))(\2)/ against the input string "abbb" with AddressSanitizer enabled can reveal the heap-buffer-overflow read. Checking the PCRE2 version to ensure it is 10.46 or later also helps detect if the vulnerable version 10.45 or earlier is present. [3]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the PCRE2 library to version 10.46 or later, which contains the security fix for this vulnerability. The fix involves a minimal code change that correctly restores internal buffer state variables after an ACCEPT opcode within a scan substring block, preventing the heap-buffer-overflow read. Avoid using vulnerable versions (10.45 and earlier) until the update is applied. [1, 2, 3]