CVE-2023-28755

CVSS 5.3 MEDIUM · EPSS 2.6% · CWE-1333
In short

Ruby's URI parser becomes extremely slow when processing certain malformed URLs, potentially causing a denial of service. An attacker can send specially crafted URLs to freeze or exhaust a web application's resources.

Technical detail

A Regular Expression Denial of Service (ReDoS) vulnerability exists in Ruby's URI component (versions up to and including 0.12.0): invalid URLs containing specific characters trigger catastrophic backtracking in the parser's regular expressions. The attack vector is network-based: an attacker supplies malformed URLs whose parsing time grows exponentially with the input. The impact is CPU exhaustion and application unavailability.

Summary generated and translated by AI from the official description.
A ReDoS issue was discovered in the URI component through 0.12.0 in Ruby through 3.2.1. The URI parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to URI objects. The fixed versions are 0.12.1, 0.11.1, 0.10.2 and 0.10.0.1.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Affected products
n/a · n/a
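An added example in Ruby (not from the advisory or the uri gem itself): a check of an installed uri gem version against the fixed releases listed above, plus a length-bounded wrapper around URI.parse that limits how much work an untrusted string can cause until the gem is upgraded. MAX_URL_LENGTH, the function names and the branch table are assumptions made for this example.

```ruby
require "uri"
require "rubygems"

# Each maintained branch of the uri gem with the first release that carries the
# fix, taken from the advisory: 0.12.1, 0.11.1, 0.10.2 and 0.10.0.1. A version
# belongs to the highest branch whose floor it reaches; it is patched when it is
# at or above that branch's fixed release. (Branch floors are an assumption.)
URI_FIX_BRANCHES = [
  ["0.12",   "0.12.1"],
  ["0.11",   "0.11.1"],
  ["0.10.1", "0.10.2"],
  ["0.10.0", "0.10.0.1"],
].map { |floor, fixed| [Gem::Version.new(floor), Gem::Version.new(fixed)] }.freeze

# True when the given uri gem version string still carries CVE-2023-28755.
def uri_gem_vulnerable?(version)
  v = Gem::Version.new(version)
  branch = URI_FIX_BRANCHES.find { |floor, _fixed| v >= floor }
  return true if branch.nil?   # older than 0.10.0: no patched release on that line
  v < branch[1]
end

# Version of the uri gem loaded into this process, or nil if it does not expose one.
def installed_uri_version
  defined?(URI::VERSION) ? URI::VERSION : nil
end

# Assumed policy value: backtracking cost grows with input length, so refusing
# oversized strings bounds the damage a malformed URL can do. This is a stopgap,
# not a replacement for upgrading to a fixed release.
MAX_URL_LENGTH = 2048

def parse_bounded(str, limit: MAX_URL_LENGTH)
  raise ArgumentError, "URL longer than #{limit} bytes rejected" if str.bytesize > limit
  URI.parse(str)
end

if __FILE__ == $PROGRAM_NAME
  ver = installed_uri_version
  if ver.nil?
    puts "uri gem version not exposed; check with `gem list uri`"
  else
    status = uri_gem_vulnerable?(ver) ? "VULNERABLE (upgrade)" : "patched"
    puts "uri #{ver}: #{status}"
  end
end
```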
