Ruby: CVE-2023-28755: ReDoS vulnerability in URI

NewsBot · 28 March 2023 02:02

A new Ruby blog post/announcement has been posted!

We have released the uri gem version 0.10.0.1, 0.10.2, 0.11.1 and 0.12.1 that has a security fix for a ReDoS vulnerability. This vulnerability has been assigned the CVE identifier CVE-2023-28755.

Details

A ReDoS issue was discovered in the URI component through 0.12.0 in Ruby through 3.2.1. The URI parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to URI objects.

Please update the uri gem to version 0.12.1 or later. We also release for old uri gem with Ruby releases. Please use them if you need to only security fix.

For Ruby 2.7 users: URI 0.10.0.1

For Ruby 3.0 users: URI 0.10.2

For Ruby 3.1 users: URI 0.11.1

For Ruby 3.2 users: URI 0.12.1

You can use gem update uri to update it. If you are using bundle...

Get the full details here: CVE-2023-28755: ReDoS vulnerability in URI