CVE Vulnerabilities

CVE-2023-28755

Inefficient Regular Expression Complexity

Published: Mar 31, 2023 | Modified: Nov 04, 2025
CVSS 3.x
5.3
MEDIUM
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CVSS 2.x
RedHat/V2
RedHat/V3
5.3 MODERATE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Ubuntu
MEDIUM
root.io logo minimus.io logo echo.ai logo

A ReDoS issue was discovered in the URI component through 0.12.0 in Ruby through 3.2.1. The URI parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to URI objects. The fixed versions are 0.12.1, 0.11.1, 0.10.2 and 0.10.0.1.

Weakness

The product uses a regular expression with a worst-case computational complexity that is inefficient and possibly exponential.

Affected Software

NameVendorStart VersionEnd Version
UriRuby-lang*0.10.0 (including)
UriRuby-lang0.10.1 (including)0.10.1 (including)
UriRuby-lang0.11.0 (including)0.11.0 (including)
UriRuby-lang0.12.0 (including)0.12.0 (including)
Red Hat Enterprise Linux 8RedHatruby:2.7-8080020230427102918.63b34585*
Red Hat Enterprise Linux 8RedHatruby:2.5-8090020230627084142.b46abd14*
Red Hat Enterprise Linux 8RedHatruby:3.1-8090020240311122605.a75119d5*
Red Hat Enterprise Linux 8RedHatruby:3.0-8100020240522072634.489197e6*
Red Hat Enterprise Linux 9RedHatruby:3.1-9030020240320163942.9*
Red Hat Enterprise Linux 9RedHatruby-0:3.0.7-162.el9_4*
Red Hat Software Collections for Red Hat Enterprise Linux 7RedHatrh-ruby27-ruby-0:2.7.8-132.el7*
JrubyUbuntubionic*
JrubyUbuntuesm-apps-legacy/xenial*
JrubyUbuntuesm-apps/bionic*
JrubyUbuntuesm-apps/focal*
JrubyUbuntuesm-apps/xenial*
JrubyUbuntufocal*
JrubyUbuntulunar*
JrubyUbuntumantic*
JrubyUbuntuoracular*
JrubyUbuntuplucky*
JrubyUbuntutrusty*
JrubyUbuntuxenial*
Ruby1.9.1Ubuntutrusty*
Ruby2.0Ubuntutrusty*
Ruby2.3Ubuntuesm-infra-legacy/xenial*
Ruby2.3Ubuntuesm-infra/xenial*
Ruby2.3Ubuntuxenial*
Ruby2.5Ubuntubionic*
Ruby2.5Ubuntuesm-infra/bionic*
Ruby2.5Ubuntutrusty*
Ruby2.5Ubuntuxenial*
Ruby2.7Ubuntuesm-infra/focal*
Ruby2.7Ubuntufocal*
Ruby2.7Ubuntutrusty*
Ruby2.7Ubuntuxenial*
Ruby3.0Ubuntujammy*
Ruby3.0Ubuntukinetic*
Ruby3.1Ubuntukinetic*
Ruby3.1Ubuntulunar*
Ruby3.1Ubuntumantic*
Ruby3.1Ubuntutrusty*
Ruby3.1Ubuntuxenial*
RubygemsUbuntujammy*
RubygemsUbuntukinetic*
RubygemsUbuntulunar*
RubygemsUbuntumantic*
RubygemsUbuntutrusty*
RubygemsUbuntuupstream*
RubygemsUbuntuxenial*

Potential Mitigations

References