CVE-2023-33290: git-url-parse crate vulnerable to Regular Expression Denial of Service

June 12, 2023

The git-url-parse crate through 0.4.4 for Rust allows Regular Expression Denial of Service (ReDos) via a crafted URL to normalize_url in lib.rs, a similar issue to CVE-2023-32758 (Python).

References

github.com/advisories/GHSA-qfh9-8p57-mjjj
github.com/tjtelan/git-url-parse-rs
github.com/tjtelan/git-url-parse-rs/blob/main/src/lib.rs
github.com/tjtelan/git-url-parse-rs/issues/51
nvd.nist.gov/vuln/detail/CVE-2023-33290

Detect and mitigate CVE-2023-33290 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →