CVSS3

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | NONE |
Integrity Impact | NONE |
Availability Impact | HIGH |
Vector string | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |

EPSS

Metric | Value |
---|---|
Percentile | 43.7% |
giturlparse (aka git-url-parse) through 1.2.2, as used in Semgrep 1.5.2 through 1.24.1, is vulnerable to ReDoS (Regular Expression Denial of Service) if parsing untrusted URLs. This might be relevant if Semgrep is analyzing an untrusted package (for example, to check whether it accesses any Git repository at an http:// URL), and that package’s author placed a ReDoS attack payload in a URL used by the package.
Vendor | Product | Version | CPE |
---|---|---|---|
git-url-parse_project | git-url-parse | * | cpe:2.3:a:git-url-parse_project:git-url-parse:*:*:*:*:*:rust:*:* |
github.com/advisories/GHSA-4xqq-73wg-5mjp
github.com/coala/git-url-parse/blob/master/giturlparse/parser.py#L53
github.com/returntocorp/semgrep/pull/7611
github.com/returntocorp/semgrep/pull/7943
github.com/returntocorp/semgrep/pull/7955
nvd.nist.gov/vuln/detail/CVE-2023-32758
pypi.org/project/git-url-parse