{"id":"CVE-2019-13225","details":"A NULL Pointer Dereference in match_at() in regexec.c in Oniguruma 6.9.2 allows attackers to potentially cause denial of service by providing a crafted regular expression. Oniguruma issues often affect Ruby, as well as common optional libraries for PHP and Rust.","modified":"2026-03-15T14:04:03.063133Z","published":"2019-07-10T14:15:11.700Z","related":["ALSA-2020:3662","ALSA-2020:4827","MGASA-2019-0253","MGASA-2020-0029","SUSE-SU-2024:2401-1","openSUSE-SU-2024:11111-1"],"references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JWCPDTZOIUKGMFAD5NAKUB7FPJFAIQN5/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SNL26OZSQRVLEO6JRNUVIMZTICXBNEQW/"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/201911-03"},{"type":"FIX","url":"https://github.com/kkos/oniguruma/commit/c509265c5f6ae7264f7b8a8aae1cfa5fc59d108c"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/kkos/oniguruma","events":[{"introduced":"0"},{"last_affected":"83572e983928243d741f61ac290fc057d69fefc3"},{"fixed":"c509265c5f6ae7264f7b8a8aae1cfa5fc59d108c"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"6.9.2-NA"}]}}],"versions":["v5.9.6","v6.0.0","v6.1.0","v6.1.1","v6.1.2","v6.1.3","v6.2.0","v6.3.0","v6.4.0","v6.5.0","v6.6.0","v6.6.1","v6.7.0","v6.7.1","v6.8.0","v6.8.1","v6.8.2","v6.9.0","v6.9.1","v6.9.2","v6.9.2_rc1","v6.9.2_rc2","v6.9.2_rc3"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-13225.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"29"}]},{"events":[{"introduced":"0"},{"last_affected":"30"}]}],"vanir_signatures":[{"source":"https://github.com/kkos/oniguruma/commit/c509265c5f6ae7264f7b8a8aae1cfa5fc59d108c","signature_version":"v1","deprecated":false,"target":{"file":"src/regcomp.c"},"digest":{"threshold":0.9,"line_hashes":["85141731386316851965725583353761852847","204595937784327686332058629384380229674","319247688735767608892947998935321169709","241674881094433395339525784506746142782","254990912557451104883114518374002790439","64454262332086805412704828737206622359","236140884305776523355892540789865807574","153336709126352052758112735148905899679","31377849021423607495904267593121150756","238769940960044662172765831089931524544","81098403367417136783006037704082788478","51827213460557364345719534556334902980","191418956654247562735926728659014972090","115988239015902885453971979046210904656","204180771395020458451583621508510201132","199645093322366396782428046900108468049","153111474359541123152405185688874873236","208669678462544222830419350908637931312","293828640975033680040692157692155978758","177700100071828633901527881869930075299","74837920887297519773133792580998496808"]},"signature_type":"Line","id":"CVE-2019-13225-2b85bd8b"},{"source":"https://github.com/kkos/oniguruma/commit/c509265c5f6ae7264f7b8a8aae1cfa5fc59d108c","signature_version":"v1","deprecated":false,"target":{"file":"src/regcomp.c","function":"compile_length_bag_node"},"digest":{"function_hash":"136352198404887022080578989389975003742","length":2277},"signature_type":"Function","id":"CVE-2019-13225-a8853a59"},{"source":"https://github.com/kkos/oniguruma/commit/c509265c5f6ae7264f7b8a8aae1cfa5fc59d108c","signature_version":"v1","deprecated":false,"target":{"file":"src/regcomp.c","function":"compile_bag_node"},"digest":{"function_hash":"186066642544576952066181731115535465672","length":2316},"signature_type":"Function","id":"CVE-2019-13225-e8f9d8ee"}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}]}