CVE-2023-28755: Ruby URI component ReDoS issue

March 31, 2023 (updated January 24, 2024)

A ReDoS issue was discovered in the URI component through 0.12.0 in Ruby through 3.2.1. The URI parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to URI objects. The fixed versions are 0.12.1, 0.11.1, 0.10.2 and 0.10.0.1.

References

github.com/advisories/GHSA-hv5j-3h9f-99c2
github.com/ruby/uri/releases/
nvd.nist.gov/vuln/detail/CVE-2023-28755
www.ruby-lang.org/en/downloads/releases/
www.ruby-lang.org/en/news/2022/12/25/ruby-3-2-0-released/
www.ruby-lang.org/en/news/2023/03/28/redos-in-uri-cve-2023-28755/

Detect and mitigate CVE-2023-28755 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →