Ruby: CVE-2021-41817: Regular Expression Denial of Service Vunlerability of Date Parsing Methods

NewsBot · 15 November 2021 09:01

A new Ruby blog post/announcement has been posted!

We have released date gem version 3.2.1, 3.1.2, 3.0.2, and 2.0.1 that include a security fix for a regular expression denial of service vulnerability (ReDoS) on date parsing methods. An attacker can exploit this vulnerability to cause an effective DoS attack.

Details

Date’s parsing methods including Date.parse are using Regexps internally, some of which are vulnerable against regular expression denial of service. Applications and libraries that apply such methods to untrusted input may be affected.

The fix limits the input length up to 128 bytes by default instead of changing the regexps. This is because Date gem uses many Regexps and it is possible that there are still undiscovered vulnerable Regexps. For compatibility, it is allowed to remove the limitation by explicitly passing limit keywords as https://www.ruby-lang.org/en/news/2021/11/15/date-parsing-method-regexp-dos-cve-2021-41817/