LiveActive security incident?Get immediate response
CVE Record

CVE-2017-9225: An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in...

An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A stack out-of-bounds write in onigenc_unicode_get_case_fold_codes_by_str() occurs during regular expression compilation. Code point 0xFFFFFFFF is not properly handled in unicode_unfold_key(). A malformed regular expression could result in 4 bytes being written off the end of a stack buffer of expand_case_fold_string() during the call to onigenc_unicode_get_case_fold_codes_by_str(), a typical stack buffer overflow.

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysismoderate

Security readout for executives and security teams

Plain-English summary

This flaw is in Oniguruma regular-expression handling, used by older Ruby and PHP mbstring builds. A malformed regular expression can cause a stack buffer overwrite while the expression is compiled. Business risk depends on whether applications let users influence regex patterns or run old runtimes.

Executive priority

Prioritize remediation for internet-facing or multi-tenant applications that accept custom regex patterns and run old Ruby, PHP, or Oniguruma components. Treat legacy runtime retirement as the durable fix path.

Technical view

In Oniguruma 6.2.0, unicode_unfold_key() mishandles code point 0xFFFFFFFF, leading onigenc_unicode_get_case_fold_codes_by_str() to write four bytes past a stack buffer in expand_case_fold_string() during regex compilation.

Likely exposure

Systems are most likely exposed if they use Oniguruma 6.2.0 directly, Ruby through 2.4.1 with Oniguruma-mod, or PHP through 7.1.5 mbstring. Exposure is higher where untrusted users can supply or influence regular expressions.

Exploitation context

The sources describe a malformed regular expression triggering stack out-of-bounds write during compilation. The bundle does not cite active exploitation, weaponized public exploit use, CVSS, or CISA KEV listing.

Researcher notes

The CVE record gives precise vulnerable code paths and affected version ranges but lacks CVSS, CWE, named fixed releases, and exploitation evidence. The GitHub commit and issue are the key technical references for patch verification.

Mitigation direction

  • Inventory Ruby, PHP mbstring, and direct Oniguruma use.
  • Update affected runtimes or libraries using vendor guidance.
  • Verify whether builds include Oniguruma commit 166a6c3999bf06b4de0ab4ce6b088a468cc4029f.
  • Avoid compiling user-controlled regular expressions where feasible.
  • Add input controls around features accepting custom regex patterns.

Validation and detection

  • Check deployed Ruby versions are not through 2.4.1.
  • Check deployed PHP mbstring versions are not through 7.1.5.
  • Identify direct Oniguruma 6.2.0 dependencies in application builds.
  • Review application features that accept user-supplied regex patterns.
  • Confirm patched source or package provenance against vendor records.
Prepared
Confidence
medium
Sources
4

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2017-9225 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
0Timeline events
0ADP providers
3Source links

CVSS and timeline data

No CVSS vectors or timeline events were available in the normalized CVE source material.

Source materials

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
n/an/an/aListed
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.