CVE Vulnerabilities

CVE-2023-36617

Inefficient Regular Expression Complexity

Published: Jun 29, 2023 | Modified: Nov 04, 2025
CVSS 3.x
5.3
MEDIUM
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CVSS 2.x
RedHat/V2
RedHat/V3
5.3 MODERATE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Ubuntu
MEDIUM
root.io logo minimus.io logo echo.ai logo

A ReDoS issue was discovered in the URI component before 0.12.2 for Ruby. The URI parser mishandles invalid URLs that have specific characters. There is an increase in execution time for parsing strings to URI objects with rfc2396_parser.rb and rfc3986_parser.rb. NOTE: this issue exists becuse of an incomplete fix for CVE-2023-28755. Version 0.10.3 is also a fixed version.

Weakness

The product uses a regular expression with a worst-case computational complexity that is inefficient and possibly exponential.

Affected Software

NameVendorStart VersionEnd Version
UriRuby-lang*0.10.3 (excluding)
UriRuby-lang0.11.0 (including)0.12.2 (excluding)
Red Hat Enterprise Linux 8RedHatruby:3.1-8090020240311122605.a75119d5*
Red Hat Enterprise Linux 8RedHatruby:2.5-8100020240627152904.489197e6*
Red Hat Enterprise Linux 9RedHatruby:3.1-9030020240320163942.9*
JrubyUbuntubionic*
JrubyUbuntuesm-apps/xenial*
JrubyUbuntufocal*
JrubyUbuntulunar*
JrubyUbuntumantic*
JrubyUbuntuoracular*
JrubyUbuntuplucky*
JrubyUbuntutrusty*
JrubyUbuntutrusty/esm*
JrubyUbuntuxenial*
Ruby1.9.1Ubuntutrusty*
Ruby2.0Ubuntutrusty*
Ruby2.3Ubuntuesm-infra-legacy/xenial*
Ruby2.3Ubuntuesm-infra/xenial*
Ruby2.3Ubuntuxenial*
Ruby2.5Ubuntubionic*
Ruby2.5Ubuntuesm-infra/bionic*
Ruby2.7Ubuntuesm-infra/focal*
Ruby2.7Ubuntufocal*
Ruby3.0Ubuntujammy*
Ruby3.0Ubuntukinetic*
Ruby3.1Ubuntukinetic*
Ruby3.1Ubuntulunar*
Ruby3.1Ubuntumantic*
RubygemsUbuntubionic*
RubygemsUbuntujammy*
RubygemsUbuntukinetic*
RubygemsUbuntulunar*
RubygemsUbuntumantic*
RubygemsUbuntutrusty*
RubygemsUbuntuxenial*

Potential Mitigations

References