The uri gem is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability exists because of the insecure regular expressions used for RFC3986_URI and RFC3986_relative_ref in rfc3986_parser.rb, which allows an attacker to crash the application by providing maliciously crafted URIs.
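The following defensive wrapper is an added example; it is not code from the advisory or from the ruby/uri project. It shows the usual interim mitigation for a ReDoS in a parser you do not control: reject over-long input before the regex ever runs, and bound the time a single parse may take. The length limit, the time budget and the function name are assumptions chosen for the example.

```ruby
require 'uri'
require 'timeout'

# Assumed limits (constructed for this example): an upper bound on input size
# and a per-parse time budget. Tune both to what the application actually needs.
MAX_URI_LENGTH = 2048   # bytes
PARSE_TIMEOUT  = 0.5    # seconds

# Parses untrusted input with URI.parse (which uses the RFC 3986 parser).
# Returns a URI object on success, or nil when the input is not a String,
# is longer than max_len, is not a valid URI, or exceeds the time budget.
# Rejecting long input first matters most: regex backtracking cost grows with
# input length, so a small cap removes most of the attacker's leverage.
def safe_parse_uri(input, max_len: MAX_URI_LENGTH, timeout: PARSE_TIMEOUT)
  return nil unless input.is_a?(String)
  return nil if input.bytesize > max_len
  Timeout.timeout(timeout) { URI.parse(input) }
rescue URI::InvalidURIError
  nil
rescue Timeout::Error
  # A parse that exhausts its budget is treated as rejected input, not retried.
  nil
end

if __FILE__ == $PROGRAM_NAME
  p safe_parse_uri("https://example.com/path?q=1")   # constructed benign input
  p safe_parse_uri("not a uri")                       # invalid -> nil
  p safe_parse_uri("a" * 4096)                        # too long -> nil
end
```

On Ruby 3.2 and later, `Regexp.timeout=` offers a process-wide bound on regex matching that covers the uri gem's patterns without wrapping each call; the wrapper above works on older releases as well. Either measure is a stopgap until the gem is upgraded to a release that contains the linked fix commits.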
github.com/advisories/GHSA-hv5j-3h9f-99c2
github.com/ruby/uri/commit/17861a53e499a2eabf7ba83d63914d0f01921d70
github.com/ruby/uri/commit/28371d13eff9014edfe109e4a8f86e985dc514ce
github.com/ruby/uri/commit/d8b9a843d04b2410f21a59e68c50d5553eedccf6
github.com/ruby/uri/commit/eaf89cc31619d49e67c64d0b58ea9dc38892d175
github.com/ruby/uri/releases/
hackerone.com/reports/1444501
lists.debian.org/debian-lts-announce/2023/04/msg00033.html
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FFZANOQA4RYX7XCB42OO3P24DQKWHEKA/
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/G76GZG3RAGYF4P75YY7J7TGYAU7Z5E2T/
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WMIOPLBAAM3FEQNAXA2L7BDKOGSVUT5Z/
secdb.alpinelinux.org/edge/main.yaml
secdb.alpinelinux.org/v3.14/main.yaml
secdb.alpinelinux.org/v3.15/main.yaml
secdb.alpinelinux.org/v3.16/main.yaml
secdb.alpinelinux.org/v3.17/main.yaml
security.gentoo.org/glsa/202401-27
security.netapp.com/advisory/ntap-20230526-0003/
www.ruby-lang.org/en/downloads/releases/
www.ruby-lang.org/en/news/2022/12/25/ruby-3-2-0-released/
www.ruby-lang.org/en/news/2023/03/28/redos-in-uri-cve-2023-28755/