CVE-2022-32532

CRITICAL

Apache Shiro < 1.9.1 - Authorization Bypass via RegexRequestMatcher Misconfiguration

Title source: llm

Exploitation Summary

EIP tracks 3 public exploits for CVE-2022-32532. PoCs published by Lay0us, my0113.

AI-analyzed exploit summary: This repository demonstrates an authentication bypass vulnerability in Apache Shiro (CVE-2022-32532) by exploiting a regex pattern matching flaw in `RegExPatternMatcher`. The PoC shows how a crafted URL path (`/permit/a%0any`) can bypass token validation filters.

Description

In Apache Shiro before 1.9.1, a RegexRequestMatcher can be misconfigured so that it is bypassed on some servlet containers. Applications using RegExPatternMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass: by default, `.` in a Java regular expression does not match line terminators, so a request path containing an encoded newline (`%0a`) or carriage return (`%0d`) can fail to match a filter pattern that was intended to cover it, and the request falls through the path-based access control.

Exploits (3)

nomisec · WORKING POC · 13 stars
by Lay0us · poc
https://github.com/Lay0us/CVE-2022-32532

This repository demonstrates an authentication bypass vulnerability in Apache Shiro (CVE-2022-32532) by exploiting a regex pattern matching flaw in `RegExPatternMatcher`. The PoC shows how a crafted URL path (`/permit/a%0any`) can bypass token validation filters.

Classification
Working Poc 95%
Attack Type
Auth Bypass
Complexity
Trivial
Reliability
Reliable
Target: Apache Shiro (versions using RegExPatternMatcher)
No auth needed
Prerequisites: Apache Shiro with RegExPatternMatcher configured for path-based filtering
devstral-2 · analyzed Feb 18, 2026
nomisec · WORKING POC
by my0113 · poc
https://github.com/my0113/shiro-cve-2022-32532

This repository provides a functional proof-of-concept for CVE-2022-32532, an authentication bypass vulnerability in Apache Shiro due to improper regex pattern matching. It includes a minimal web application demonstrating the bypass using newline (%0a) and carriage return (%0d) characters.

Classification
Working Poc 95%
Attack Type
Auth Bypass
Complexity
Trivial
Reliability
Reliable
Target: Apache Shiro < 1.9.1
No auth needed
Prerequisites: A vulnerable Apache Shiro instance (< 1.9.1) with regex-based path matching enabled
devstral-2 · analyzed Feb 18, 2026
inthewild · WORKING POC
poc
https://github.com/lay0us1/cve-2022-32532

This repository demonstrates an authentication bypass vulnerability (CVE-2022-32532) in Apache Shiro by exploiting a regex pattern matching flaw in `RegExPatternMatcher`. The PoC shows how a crafted request with a newline character (`%0a`) can bypass path-based access controls.

Classification
Working Poc 95%
Attack Type
Auth Bypass
Complexity
Trivial
Reliability
Reliable
Target: Apache Shiro (versions using RegExPatternMatcher)
No auth needed
Prerequisites: Apache Shiro with `RegExPatternMatcher` configured · Access to a vulnerable endpoint
devstral-2 · analyzed Feb 23, 2026

References (1)

Mailing List, Vendor Advisory
https://lists.apache.org/thread/y8260dw8vbm99oq7zv6y3mzn5ovk90xh

Scores

CVSS v3 9.8
EPSS 0.8194
EPSS Percentile 99.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-863
Status published
Products (2)
apache/shiro < 1.9.1
org.apache.shiro/shiro-core 0 - 1.9.1 (Maven)
Published Jun 29, 2022
Tracked Since Feb 18, 2026