CVE-2023-33289: urlnorm vulnerable to Regular Expression Denial of Service

June 21, 2023 (updated June 28, 2023)

The urlnorm crate through 0.1.4 for Rust allows Regular Expression Denial of Service (ReDos) via a crafted URL to lib.rs.

References

gist.github.com/6en6ar/b118888dc739e8979038f24c8ac33611
github.com/advisories/GHSA-fqhp-rhm6-8rrj
github.com/progscrape/urlnorm
lib.rs/crates/urlnorm
nvd.nist.gov/vuln/detail/CVE-2023-33289

Detect and mitigate CVE-2023-33289 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →