Out-of-bounds Read Affecting pcre2 package, versions [0,]


Severity

Recommended
0.0
medium
0
10

CVSS assessment by Snyk's Security Team. Learn more

Threat Intelligence

Exploit Maturity
Proof of Concept
EPSS
0.04% (12th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-CONAN-PCRE2-12301498
  • published31 Aug 2025
  • disclosed27 Aug 2025
  • creditGoogle Big Sleep

Introduced: 27 Aug 2025

NewCVE-2025-58050  (opens in a new tab)
CWE-122  (opens in a new tab)
CWE-125  (opens in a new tab)

How to fix?

A fix was pushed into the master branch but not yet published.

Overview

Affected versions of this package are vulnerable to Out-of-bounds Read via the regular expression matching engine due to missing boundary restoration in SCS. An attacker can cause a heap buffer over-read and potentially disclose sensitive information or cause a denial of service by supplying specially crafted regular expressions containing certain patterns such as a backreference (e.g., \2).

Note:

An attacker-controlled regex pattern is required, and it cannot be triggered by providing crafted subject (match) text. The (*ACCEPT) and (*scs:) pattern features must be used together.

CVSS Base Scores

version 4.0
version 3.1