CVE-2023-32758: git-url-parse Regular Expression Denial of Service

May 15, 2023 (updated June 9, 2023)

giturlparse (aka git-url-parse) through 1.2.2, as used in Semgrep through 1.21.0, is vulnerable to ReDoS (Regular Expression Denial of Service) if parsing untrusted URLs. This might be relevant if Semgrep is analyzing an untrusted package (for example, to check whether it accesses any Git repository at an http:// URL), and that package’s author placed a ReDoS attack payload in a URL used by the package.

References

github.com/advisories/GHSA-4xqq-73wg-5mjp
github.com/coala/git-url-parse/blob/master/giturlparse/parser.py
github.com/returntocorp/semgrep/pull/7611
nvd.nist.gov/vuln/detail/CVE-2023-32758
pypi.org/project/git-url-parse

Detect and mitigate CVE-2023-32758 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →